It’s rare to find malware that’s been signed with a valid digital certificate. What’s even rarer is what researchers at software security company F-Secure found: Malware that’s been signed with an official key that once belonged to the Malaysian government.
The malware in question takes advantage of an exploit in Adobe Reader 8 and spreads via malicious PDF files. Once exploited, the malware then downloads additional malicious components, some of which are also signed by a commercial website, from a server called worldnewsmagaizines.org.
The stolen certificate, issued for the domain of mardi.gov.my, once belonged to the Malaysian Agricultural Research and Development Institute. Mikko Hypponen, chief research officer at Finland-based F-Secure Corp., wrote in a blog post that his researchers contacted Malaysian authorities and were told this particular certificate had been stolen “quite some time ago.”
“This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the Web; signed applications won’t do this,” Hypponen wrote. He also noted that some security systems might trust the malware more than unsigned code because of the supposed authenticity of a signed certificate.
However, according to the blog post, the mardi.gov.my certificate expired at the end of September, meaning those Windows application warnings will appear.
The stolen certificate was issued by a small subordinate certificate authority (CA) in Malaysia called Digicert Sdn. Bhd, not to be confused with the U.S.-based Root CA Digicert Inc. Digicert Sdn. Bhd is a subordinate CA of Cybertrust/Verizon and Entrust, both of which have revoked the certificates they issued to the CA. Major browser makers such as Google, Opera, Microsoft and Mozilla have also blacklisted the Malaysian CA.
According to a blog post by Yngve Nysaeter Pettersen, a developer at software company Opera Software, the reason for the blacklists stems from a discovery that Digicert Sdn. Bhd was “issuing certificates that did not meet several technical and contractual requirements, resulting in potential attacks on people visiting Malaysian government websites.”
Some of the certificate problems included a lack of “Extended Key Usage”, which is used to limit what a certificate can be used for, a lack of pointers to revocation information so the validity of the certificates couldn’t be checked, and an exploit used in a phishing attack.
Pettersen added: “We have also learned that a few other CAs have also issued about 25 certificates with 512-bit keys. At present we do not have details about these certificates, but we have been informed that the certificates should be revoked within a week.”