Each and every day, hackers become wiser in their efforts to spread malicious software and attack the vulnerable. In one of the most recent examples of this cleverness, attackers penetrated network servers belonging to Opera Software and stole a digital code-signing certificate. The purpose of obtaining the certificate is to distribute malware that falsely appears to be published by Opera Software, the maker of the Opera web browser.
In the past, hackers have successfully masked malware by signing it with legitimate certificates. The purpose is to make the malware look like a legitimate program to antispyware or antivirus applications. Basically, malicious software signed with a valid certificate from a trusted source is often not detected and removed by security software.
Using a stolen Opera certificate to sign malware makes the malicious software appear to have come directly from Opera. Security software that trusts the signer name alone would not identify an Opera-signed threat as malicious, so the threat would slip past detection and carry out whatever malicious functions it was created to perform on the infected machine.
Opera posted an advisory on its site after the digital certificate was stolen in the server breach. The advisory also links to a VirusTotal analysis, which lists many known threats, including a variant of the TrojanPWS.Fareit Trojan, possibly used to steal login passwords. The advisory reads:
"The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware," Wednesday's advisory stated. "This has allowed them to distribute malicious software, which incorrectly appears to have been published by Opera Software or appears to be the Opera browser. It is possible that a few thousand Windows users, who were using Opera between June 19 from 1.00 and 1.36 UTC, may automatically have received and installed the malicious software."
To our surprise, Opera seemed to leave out some pertinent information that would allow us to figure out how much damage was actually done: when the stolen certificate expires, and whether there is reason to believe that other certificates were stolen. This information would assist security firms in detecting future infections that may be signed with legitimate certificates.
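The two points above, that a trusted signer name alone is not a reason to trust a binary, and that the certificate's validity period and compromise status are what a detection rule actually needs, can be expressed as a small policy check. The following is an added example written for this article; it is not Opera's code or the code of any security product. It assumes a hypothetical `SignerInfo` record already extracted from a binary's Authenticode signature by some PE parser, and all thumbprints, dates and the compromised-certificate feed are constructed sample values.

```python
"""Policy check for a code-signed binary: is the signer's certificate actually
usable, or does the file only superficially look like it came from the vendor?"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class SignerInfo:
    """Fields a verifier extracts from an Authenticode signature (hypothetical
    record; a real tool would parse them from the PKCS#7 blob in the PE)."""
    subject: str                          # e.g. "CN=Some Vendor"
    thumbprint: str                       # fingerprint of the signing certificate
    not_before: datetime                  # certificate validity window
    not_after: datetime
    signature_valid: bool                 # cryptographic check over the file hash passed
    timestamp: Optional[datetime] = None  # trusted countersignature time, if present


def assess_signature(info: SignerInfo, blocklist, now: datetime) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted' or 'untrusted'.

    The subject name is deliberately never consulted: a signer string that reads
    like a well-known vendor proves nothing if the certificate behind it is
    expired at signing time or is known to be compromised."""
    if not info.signature_valid:
        return "untrusted", "signature does not verify against the file hash"
    if info.thumbprint.lower() in {t.lower() for t in blocklist}:
        return "untrusted", "signing certificate is on the compromised-certificate blocklist"
    if info.timestamp is None:
        # Without a timestamp countersignature, Authenticode ties signature
        # validity to the certificate's current validity: expired cert, expired signature.
        if now > info.not_after:
            return "untrusted", "certificate expired and signature carries no trusted timestamp"
        if now < info.not_before:
            return "untrusted", "certificate not yet valid"
    else:
        if info.timestamp > now:
            return "untrusted", "countersignature timestamp lies in the future"
        if not (info.not_before <= info.timestamp <= info.not_after):
            return "untrusted", "signature timestamp falls outside the certificate's validity period"
    return "trusted", "signature verifies and certificate was valid at signing time"


# Constructed sample certificate: subject, thumbprint and validity dates are made up.
OLD_CERT = dict(
    subject="CN=Example Vendor Ltd",
    thumbprint="0011223344556677889900AABBCCDDEEFF001122",
    not_before=datetime(2009, 1, 1, tzinfo=UTC),
    not_after=datetime(2012, 12, 31, tzinfo=UTC),
)
NOW = datetime(2013, 6, 20, tzinfo=UTC)
# Constructed stand-in for a feed of stolen-certificate thumbprints.
COMPROMISED = frozenset({"0011223344556677889900aabbccddeeff001122"})


def sample_verdicts(blocklist=frozenset()):
    """Run the policy over several constructed signer records."""
    cases = {
        "expired_no_timestamp": SignerInfo(**OLD_CERT, signature_valid=True),
        "timestamped_in_window": SignerInfo(**OLD_CERT, signature_valid=True,
                                            timestamp=datetime(2011, 5, 1, tzinfo=UTC)),
        "timestamped_after_expiry": SignerInfo(**OLD_CERT, signature_valid=True,
                                               timestamp=datetime(2013, 3, 1, tzinfo=UTC)),
        "future_timestamp": SignerInfo(**OLD_CERT, signature_valid=True,
                                       timestamp=datetime(2014, 1, 1, tzinfo=UTC)),
        "tampered_file": SignerInfo(**OLD_CERT, signature_valid=False),
    }
    return {name: assess_signature(s, blocklist, NOW) for name, s in cases.items()}


if __name__ == "__main__":
    for feed_name, feed in (("no blocklist", frozenset()), ("with blocklist", COMPROMISED)):
        print(f"--- {feed_name} ---")
        for name, (verdict, reason) in sample_verdicts(feed).items():
            print(f"{name:26} {verdict:9} {reason}")
```

The point of the design is that the only record that can ever come back `trusted` is one whose signature verifies, whose certificate is not on the compromise list, and whose signing time (from a countersignature) falls inside the certificate's validity window. Feeding in a thumbprint from the compromise list flips even the otherwise clean timestamped case to `untrusted`, which is exactly why the expiry and "which other certificates" details missing from the advisory matter to a detection team.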
For now, Opera representatives are not providing any additional details about the network penetration that led to the theft of the digital certificate. We can only hope that more light is shed on the situation, so that malware signed with legitimate certificates does not slip through the cracks and cause massive problems on the systems it infects.