Bogus antivirus program uses a dozen stolen signing certificates

Hackers are regularly stealing code-signing certificates from developers, according to Microsoft

A fake antivirus program is using at least a dozen stolen code-signing certificates, indicating hackers are regularly breaching the  networks of developers.

A fake antivirus program is using at least a dozen stolen code-signing certificates, indicating hackers are regularly breaching the networks of developers.

A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.

The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."

Digital certificates, issued by Certification Authorities (CAs), are used by developers to "sign" software programs, which can be cryptographically checked to verify that a program hasn't been tampered with and originates from the developer who claims to write it.

If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.

The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued "by a number of different CAs to software developers in various locations around the world," the company wrote.

The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.

Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organization or an entity that issues the certificates.

One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating "that the malware's distributors are regularly stealing new certificates, rather than using certificates from an older stockpile."

Microsoft noticed another fake antivirus program, which is called "Win32/FakePav," is also rotating stolen certificates.

Win32/FakePav has gone by more than 30 other names since its detection around 2010. It didn't use any signing certificates in its early days. The malware was inactive for more than year until new samples were recently discovered that used a certificate, which was substituted after just a few days with another one. Both certificates were issued in the same name but by different CAs, Microsoft wrote.

To prevent problems, software developers should take care to protect the private keys used for code-signing on securely-stored hardware devices such as smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.

"Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company's reputation if it is used to sign malware," the company wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftsecuritydata breachencryptionExploits / vulnerabilitiesmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?