Certified online banking trojan in the wild

Jean-Ian Boutin, who works for AV firm Eset, has discovered trojans that carry
a valid digital signature. This potentially allows online banking spyware to
pass superficial tests as harmless. Apparently, the certificate in question was
issued by the DigiCert Certificate Authority – to a company that ceased to
exist a long time ago.

A valid signature from a company called "NS Autos" confirmed the origin of a
range of programs that, on close analysis, turned out to be trojans, at least
some of them specialising in online banking fraud. While a company called NS
Autos did once exist, it was liquidated in 2011. Apparently, that didn't stop
the DigiCert Certificate Authority from issuing a valid certificate for signing
executable programs to the company on 19 November 2012. The certificate was
only revoked when Eset reported the discovery.

The existence of a digital signature doesn't generally say anything about the
signed program's level of security. Nevertheless, digital signatures are often a
prerequisite for certain potentially dangerous activities. What's more, many
warnings are formulated in a much less alarming way if the presumed issuer is known.
Finally, it is common practice in analysis at least to initially exclude
digitally signed programs, for example when performing the time-consuming task
of manually checking a potentially infected PC.

The time when we could assume that digitally signed programs are "somehow ok"
has, therefore, definitely come to an end. The question is whether there should
come a time when we stop trusting that Certificate Authorities will adequately
check the identity behind a certificate. After all, DigiCert only recently
issued a valid certificate to a bogus company in Brazil.


http://www.h-online.com/security/new...d-1808898.html

grrrrrrrrrrrrr!

We as serious developers pay quite a lot of money for those damned certificates
and these idiots make the entire system worthless with their shameless
ignorance and greed.

Wolfgang Orth
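The article's point that analysts tend to skip digitally signed programs, and that the NS Autos certificate stayed valid until Eset reported it, comes down to three separate checks that are easy to conflate. The following is an added example, not code from the article, from Eset or from DigiCert: a throwaway code-signing PKI built with the openssl CLI, plus a small triage routine that distinguishes "the signature verifies" from "the signer's certificate is a code-signing cert, chains to a CA we trust and is not revoked". The CA, the company name, the payload and the hypothetical triage() verdict strings are all constructed for the demo; the trust anchor is the demo CA rather than a platform root store.

```shell
# Added example, not code from the article or from Eset: a throwaway code-signing
# PKI built with the openssl CLI. It shows that "the signature verifies" is weaker
# than "the signer's cert is a code-signing cert, chains to a trusted CA and is not
# revoked", and that only a revocation check notices a cert the CA has since pulled.
# Names, paths, the payload and the verdict strings are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config for 'openssl req' (cert profiles) and 'openssl ca' (CRL bookkeeping).
# Everything lives under $WORK, so nothing touches the system CA database.
write_config() {
    cat > "$WORK/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_codesign ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
}

# Hypothetical CA plus a code-signing leaf for a company that no longer exists.
build_pki() {
    write_config
    openssl req -config "$WORK/pki.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -sha256 -subj "/CN=Demo Code Signing CA" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -config "$WORK/pki.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Liquidated Company Ltd" -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/pki.cnf" \
        -extensions v3_codesign -out "$WORK/leaf.pem" 2>/dev/null
}

# Triage: $1 binary, $2 detached signature, $3 signer cert, $4 CRL. Prints one verdict.
triage() {
    openssl x509 -in "$3" -pubkey -noout > "$WORK/signer.pub"
    # 1. Does the signature verify under the signer's key? A casual "it's signed" stops here.
    if ! openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1; then
        echo "signature-invalid"; return 0
    fi
    # 2. Is it a code-signing cert that chains to a CA we trust (here: the demo CA)?
    if ! openssl x509 -in "$3" -noout -text | grep -q 'Code Signing'; then
        echo "not-a-code-signing-cert"; return 0
    fi
    if ! openssl verify -CAfile "$WORK/ca.pem" "$3" >/dev/null 2>&1; then
        echo "untrusted-chain"; return 0
    fi
    # 3. Has the CA revoked it since? Only a CRL/OCSP check notices that.
    if ! openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$4" "$3" >/dev/null 2>&1; then
        echo "revoked"; return 0
    fi
    echo "signed-by-trusted-unrevoked-cert"   # still says nothing about the code being benign
}

# Walk the three states: freshly signed, revoked by the CA, tampered binary.
demo() {
    build_pki
    bin="$WORK/app.bin"; sig="$WORK/app.sig"; crl="$WORK/crl.pem"
    printf 'constructed stand-in for a signed executable\n' > "$bin"
    openssl dgst -sha256 -sign "$WORK/leaf.key" -out "$sig" "$bin"
    openssl ca -config "$WORK/pki.cnf" -gencrl -out "$crl" >/dev/null 2>&1
    triage "$bin" "$sig" "$WORK/leaf.pem" "$crl"
    openssl ca -config "$WORK/pki.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$WORK/pki.cnf" -gencrl -out "$crl" >/dev/null 2>&1
    triage "$bin" "$sig" "$WORK/leaf.pem" "$crl"
    printf 'x' >> "$bin"
    triage "$bin" "$sig" "$WORK/leaf.pem" "$crl"
}

demo
```

Run as-is, the script prints `signed-by-trusted-unrevoked-cert`, then `revoked` once the CA has issued a CRL naming the leaf, then `signature-invalid` after the payload is altered. Note that the first verdict is the most a triage rule can honestly say: the same chain and revocation checks passed for the NS Autos binaries until DigiCert revoked the certificate, so "signed and unrevoked" is a reason to look at the signer, not a reason to skip the sample.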