NewsArchive
02-24-2013, 03:52 AM
Certified online banking trojan in the wild

Jean-Ian Boutin, who works for AV firm Eset, has discovered trojans that carry
a valid digital signature. This potentially allows online banking spyware to
pass superficial tests as harmless. Apparently, the certificate in question was
issued by the DigiCert Certificate Authority – to a company that ceased to
exist a long time ago.

A valid signature from a company called "NS Autos" confirmed the origin of a
range of programs that, on close analysis, turned out to be trojans, at least
some of them specialising in online banking fraud. While a company called NS
Autos did once exist, it was liquidated in 2011. Apparently, that didn't stop
the DigiCert Certificate Authority from issuing a valid certificate for signing
executable programs to the company on 19 November 2012. The certificate was
only revoked when Eset reported the discovery.

The existence of a digital signature doesn't generally say anything about its
level of security. Nevertheless, digital signatures are often a prerequisite
for certain potentially dangerous activities. What's more, many warnings are
formulated in a much less alarming way if the presumed issuer is known.
Finally, it is common practice in analysis at least to initially exclude
digitally signed programs, for example when performing the time-consuming task
of manually checking a potentially infected PC.

The time when we could assume that digitally signed programs are "somehow ok"
has, therefore, definitely come to an end. The question is whether there should
come a time when we stop trusting that Certificate Authorities will adequately
check the identity behind a certificate. After all, DigiCert only recently
issued a valid certificate to a bogus company in Brazil.


http://www.h-online.com/security/news/item/Certified-online-banking-trojan-in-the-wild-1808898.html

grrrrrrrrrrrrr!

We as serious developers pay quite a lot of money for those damned certificates
and these idiots make the entire system worthless with their shameless
ignorance and greed.

Wolfgang Orth
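The article's point, that a verifying signature only proves who held the key while revocation and chain trust are separate checks, as an added example that is not part of the article or this thread. It assumes the Python `cryptography` package is installed; every certificate, key and name is constructed in memory and is a placeholder, not the DigiCert or "NS Autos" material the article describes.

```python
# Added example (not from the article or the thread): a minimal code-signing
# check that keeps "signature verifies", "chain is trusted" and "certificate is
# revoked" as separate questions. All material below is constructed in memory.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject_cn, issuer_name, issuer_key, pubkey):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

# Constructed CA plus a leaf cert for a signer whose name looks legitimate.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_CERT = _issue("Constructed Test CA", _name("Constructed Test CA"), CA_KEY, CA_KEY.public_key())
SIGNER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
SIGNER_CERT = _issue("Constructed Signer Ltd", CA_CERT.subject, CA_KEY, SIGNER_KEY.public_key())

def sign(payload: bytes) -> bytes:
    return SIGNER_KEY.sign(payload, padding.PKCS1v15(), hashes.SHA256())

def make_crl(revoked_serials):
    # CA-signed revocation list: the artefact a CA publishes after revoking a cert.
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_CERT.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=1)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(CA_KEY, hashes.SHA256())

def verdict(payload: bytes, signature: bytes, cert, crl) -> str:
    """'bad-signature' | 'untrusted-chain' | 'revoked' | 'signed-ok'.
    'signed-ok' means only that the key holder signed these bytes; it says nothing
    about what the bytes do, which is why signed files still need analysis."""
    try:
        cert.public_key().verify(signature, payload, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "bad-signature"
    try:  # leaf must be issued by our trusted CA (checked by hand to stay version-agnostic)
        CA_CERT.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "untrusted-chain"
    if not crl.is_signature_valid(CA_CERT.public_key()):
        return "untrusted-chain"  # a CRL nobody vouches for proves nothing
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "signed-ok"
```

A real-world check would additionally fetch the CRL or OCSP response named in the certificate and honour the signing timestamp, which this constructed version omits.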

NewsArchive
02-24-2013, 03:53 AM
Lots of discussion in this forum on false positives from AV programs.
ESET was singled out here for one of them, and last week removed an MSI
file from my system that caused a dialog to open prompting for that file
two times for every access to any of my drives. So every time I
opened Win Explorer, any browser, or a file dialog in a program (web or
otherwise), I got that dialog twice per *attempt*.

Fortunately, Dell has an excellent repair tool on their site that
handled it.

Bottom line: Use some common horse sense when *any* AV program offers to
do something in Program Files, signed or unsigned executables (EXE, DLL,
OCX, etc). Same for unsolicited emails, especially those with
attachments. None of my banks or credit card companies do this, nor ask
for passwords (any email asking for confidential information is *always*
a red flag).

If you still have doubts, ask the vendor (Friedrich is very responsive),
make a post in a Skype group or other newsgroup forum or contact your
banking institution directly and ask them if they sent it.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
02-24-2013, 04:36 AM
> The time when we could assume that digitally signed programs are "somehow
> ok" has, therefore, definitely come to an end.

Some months ago one of our customers had a problem. A WebTrust revoked his
certificate. What had happened? Well, he had UAC turned off on his Windows
7 machine and a nasty virus/spyware infected his system (Windows folder
tree). That spyware sent private data and important company information to
a server in Russia. One of the files sent was his .pfx code-signing
certificate. Hackers used this certificate to code-sign other malware.
Well, his lawyers are busy dealing with this mess right now.

And by the way, he needs a code-signing certificate to sell his government
software solutions to pay the lawyer's fees. So he asked me whether I can
help. But he is on a "blacklist" now and he'll not get a new certificate
anytime soon.

Friedrich