Bogus antivirus program uses a dozen stolen signing certificates

Hackers are regularly stealing code-signing certificates from developers, according to Microsoft

A fake antivirus program is using at least a dozen stolen code-signing certificates, indicating hackers are regularly breaching the  networks of developers.

A fake antivirus program is using at least a dozen stolen code-signing certificates, indicating hackers are regularly breaching the networks of developers.

A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.

The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."

Digital certificates, issued by Certification Authorities (CAs), are used by developers to "sign" software programs, which can be cryptographically checked to verify that a program hasn't been tampered with and originates from the developer who claims to write it.

If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.

The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued "by a number of different CAs to software developers in various locations around the world," the company wrote.

The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.

Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organization or an entity that issues the certificates.

One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating "that the malware's distributors are regularly stealing new certificates, rather than using certificates from an older stockpile."

Microsoft noticed another fake antivirus program, which is called "Win32/FakePav," is also rotating stolen certificates.

Win32/FakePav has gone by more than 30 other names since its detection around 2010. It didn't use any signing certificates in its early days. The malware was inactive for more than year until new samples were recently discovered that used a certificate, which was substituted after just a few days with another one. Both certificates were issued in the same name but by different CAs, Microsoft wrote.

To prevent problems, software developers should take care to protect the private keys used for code-signing on securely-stored hardware devices such as smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.

"Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company's reputation if it is used to sign malware," the company wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityMicrosoftdata breachencryptionExploits / vulnerabilitiesmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?