Feeds

back to article Crooks, think your Trojan looks legit? This one has a DIGITAL CERTIFICATE

Security researchers have discovered a banking Trojan that comes with its own built-in digital certificate. The Brazilian banking password-sniffer was signed with a valid digital certificate issued by DigiCert, MalwareBytes reports. DigiCert responded promptly to inquiries by El Reg to confirm it had a had pulled the offending …

COMMENTS

This topic is closed for new posts.
Silver badge

Hands up everyone who'd install some random bit of software if it were signed by 'Buster Paper Comercial Ltda'? Now if it were signed by Oracle or Microsoft, at least I'd know it's free from malware.

6
7

It's not signed by Buster Paper Commercial ltd, its signed by DigiCert. However as that's a CA I've never heard of and know doesn't have root certs on any of the serious systems I'm responsible for I can't say it would worry me much. Now if Thawte or Verisign had issued it I'd be a bit more concerned!

0
3
Silver badge
Stop

@Sooty

No, BPC's certificate was signed by DigiCert so that it became valid (recognizable) by the rest of the world.

But whatever you sign with a CodeSign certificate will bear your name (CN), not that of the CA.

0
0
FAIL

http://msdn.microsoft.com/en-gb/library/windows/desktop/aa387700(v=vs.85).aspx

Seems to be more falses than truths :-/

Certificate keys are only as good as the underlying crypto :-(

2
0
FAIL

Certificate keys can only be as good as the underlying crypto :-(

The strength of the underlying crypto is a sort of theoretical nirvana impossible to attain in practice. It's a bit like saying politicians are only as benevolent as the underlying constitution. The whole CA system has been a sham from conception... there's absolutely no need for or security in placing arbitrarily "trusted" men in the middle... except, perhaps, as a last resort which would seldom actually occur in practice... and even then the whole cascade of failure™ design is STILL COMPLETELY UNNECESSARY... unless you're a spook of course... then it's probably quite handy.

0
1
Silver badge
Pint

Duh.

"What we have here is a total abuse of hosting services, digital certificates and repeated offences from the same people," writes Jerome Segura, a security researcher at Malwarebytes. "Clearly, if digital certificates can be abused so easily, we have a big problem on our hands."

The biggest abusers are the marketards trying to convince computer illiterate sheeple that these complex boxen can be made so simple to use that they are a no-brainer, and that nobody has to look after their own personal security. Ever.

"Hosting services" are abuse of the public.

"Cloud" is abuse of the public.

The perceived "need" of digital certificates is abuse of the public.

Marketards & manglement need to stop trying to do engineering. Between them, they are cocking things up completely. It's kinda like watching a liberal arts major trying to use a lathe ... spectacularly dangerous for onlookers, but funny in a morbid kind of way.

And that's "offenses". With an "s".

Beer. Not drinking (yet), firing up the bottling line for the first time ... Wish me luck :-)

3
8
Bronze badge

Re: Duh.

I propose that only people with PhD's are allowed to use computers. And only while wearing lab coats.

<-- The blank icon, because I might be being serious or I might be being sarcastic.

5
1
Anonymous Coward

Re: Duh.

"I propose that only people with PhD's are allowed to use computers."

I'd rather we allow people who know what they're doing to use them instead.

9
1
Anonymous Coward

Re: Duh.

That would be nobody then.

2
0
Anonymous Coward

Re: Duh.

Great idea.

I'm a bit worried.

Who does the allowing? Or not allowing?

0
0
Bronze badge

Re: Duh.

Upvote for the blank icon.

2
0
Silver badge
Headmaster

Re: Duh.

And that's "offenses". With an "s".

Stop. Take a look at your browser address bar, the bit near the top where you can see the address "http://forums.theregister.co.uk/forum/1/2013/02/05/digitally_signed_banking_trojan/".

See that ".co.uk" bit? That means that the site you are reading is based in the United Kingdom, an independent sovereign nation that (arse-reaming extradition treaties notwithstanding) exists outside of the United States of America, and whose citizens speak a language known as English, which is different to American.

In the United Kingdom, and in every other country that speaks English, the word "offence" and its variants are spelt with a "c", not an "s".

12
2
Bronze badge

Re: Duh.

I propose that only people with PhD's are allowed to use computers. And only while wearing lab coats.

I have a lab coat I bought for college classes a little while back.

And I have a PhD certifictate signed by DigiCert.

So there, I'm certified. Ahem.

4
0
Silver badge

@Steven Roper (was: Re: Duh.)

A one-line throwaway "across the pond" giggle that has absolutely nothing to do with the actual article in question draws an emotional response. Rare, that. Spit the hook, little fishy.

2
3
Bronze badge
Joke

Re: @Steven Roper (was: Duh.)

Never mind, Jake. Steven was probably in a mood because he missed afternoon tea with the queen that day.

1
0
Silver badge

CA who?

Do you know anyone who works for CA? Have you ever audited them? interviewed their head of security? Then why would you trust their certificates? They're just some random people on the Internet, at the end of the day.

5
0
Bronze badge

Re: CA who?

But the same is true of my government, too.

2
0
Silver badge
Stop

Re: CA who?

But the same is true of my government, too.

Exactly. I don't trust those buggers either.

2
0
Silver badge
Big Brother

Re: CA who?

Exactly.

1
0
Silver badge

Trust is so passé

Best bet is to cross your fingers.

0
0
Boffin

Re: Trust is so passé

Trust is crossing your fingers.

1
1
Silver badge

Re: But the same is true of my government, too.

Not a chance. I'd trust five random people at an unknown company sooner than I'd trust ANY government.

0
0
Silver badge

Has anybody thaught

about what happens to all those assets of bankrupt businesses when they include digital certificates.

I'd buy that for a dollar.

5
0
Bronze badge

A warning label

On all new kit sold to the general public.

"Use of this device could open you up to identity theft and fraud. Should this device be used without your knowledge to commit a crime, unless you can prove innocence, you may face criminal charges. This device may come with security software installed. Please be aware, this software does not make your device secure."

I wouldn't imagine such a warning label having much of an impact on sales, nor would I imagine it reducing by much the number of people that blindly trust code downloaded from the Internet. It would however be a more accurate description of how the device can behave compared to all the glossy advertising that extols nothing but the virtues of such devices..

3
0
Anonymous Coward

Use of this device could open you up to identity theft and fraud...

Warning labels are useless.

Most people would think "whatever, I just want to twitter my facebook instagram". These people seldom read anything longer than 140 characters.

2
3
Silver badge

Code signing is not a security feature!

And again code signing, at least by itself, is a security feature. I may be in some very restricted scenarios and when you can easily add your own keys, but usually it's not. Get over it.

0
1
Bronze badge

Re: Code signing is not a security feature!

Make up your mind. The title of your post says one thing and the body says the opposite.

I have to presume that you might be right.

1
0
Anonymous Coward

Re: Code signing is not a security feature!

Code signing is rather secure when the code is generated for your own or a very close partner vendors bespoke application. Better still if it's created by their own verified secure CA that can't be obtained by anyone other than your vendor.

Otherwise, code signing is a piece of shit.

1
0
Anonymous Coward

Re: Code signing is not a security feature!

@ac

How secure is secure though...

I work in a large bank, and we have our own "secure" CA that is used to generate all of our certificates. I thought it was a pretty bulletproof system until I got involved in an issue caused by a certificate expiry. It turned out that a couple of years previously, some complete retard, with no concept of security, had generated a certificate from it and given it to a third party company as they didn't understand SSL and this would get it working. Possibly even worse, no-one knew they had it, hence the expiry causing an issue.

Several 'JFDI' higher ups on the incident calls quickly shut up with their "just generate a new one asap plan" when I flagged up that for the entire period, several years, this other company could have gone to anyone and pretended to be us.

3
0
Thumb Down

"Malware endorsed by a digital certificate is not unprecedented - Stuxnet and Flame were both signed using digital certificates - but the appearance of the same tactic much further down the food chain in more everyday nasties is still very bad news."

Also old news. Signing ordinary run-of-the-mill malware with security certs isn't new. As far back as 2008, there was rogue antivirus scareware being distributed from a network of hacked sites that included a valid code-signing cert issued under the name "Mistland Limited".

It's not hard to get a security certificate. A business license (either belonging to you or stolen from someone else--a quick Google search shows there is a business called "Mistland Limited," apparently a real estate firm in London, whose name was probably used to get the cert without their knowledge) and about five minutes on the phone should do it.

0
0
Coat

@John G Imrie

You mean "Has anybody thawte?", shurely?

The one with the dog-eared Jokebook, thanks....

1
0
Anonymous Coward

What's in a name?

"...The Trojan, detected as Spyware.Banker.FakeSig by MalwareBytes..."

Aha! —I think I can see where the crooks went wrong. They should have given it a less suspicious name.

0
0
Silver badge
Stop

Its just a cert; wise up!

People really should get over their fascination (or is it ignorance?) when it comes to certificates. A "real" certificate means absolutely nothing more than that it'll be easier to recognize by other parties. Yet that won't make it any safer or more insecure.

In fact; I can come up with scenario's where you might actually benefit a whole lot more from picking up & setting up OpenSSL yourself and then simply using your own SSL hierarchy. And yes; OpenSSL can easily run on Windows as well (and does a fine job too!).

Sure; it may take you some RTFM before you setup a whole CA structure, but I speak from personal experience when I say that OpenSSL can cope. It supports Root (CA), EmailCerts, AuthCerts, CodeSigning and ServerCerts with ease. An sometimes such a setup may even be much more beneficial too. You can be pretty sure that 'bad guys' won't really care much about your little 'CA enterprise', thus minimizing risks.

But most of all you'll get the exact same results, but IMO better: On a very select amount of PC's (which is entirely to your discretion) you can deploy (test?) code where it'll run without warnings or such. And if you're working with computer illiterates it could even help prevent them grabbing your code to try it out somewhere else; because that's bound to generate errors, errors which may very well intimidate those people.

And if you plan this right you'll even know that you can simply setup a structure which will only be valid during the course of the project. The moment $date passes all certs can simply be rendered useless; and all without having to do anything special but some proper planning.

0
1
Gold badge

Re: Its just a cert; wise up!

"A "real" certificate means absolutely nothing more than that it'll be easier to recognize by other parties. Yet that won't make it any safer or more insecure."

That depends on the expectations of the other parties. If I (as an "other party") receive a package from or make a connection to "Contoso, Inc" then it certainly does provide some assurance if the certificate is signed by a third party that I recognise if I already had reasons to trust the real "Contoso, Inc".

Of course, if I found "Contoso, Inc" by Google search and have never actually heard of them, no amount of proof that they really are "Contoso, Inc" will re-assure me that they can be trusted. Equally, if they are only countersigned by one of the largely unknown hundred or so CAs that have paid Microsoft to be on the root certs program, that means bog all, too.

0
0
Anonymous Coward

Built-in digital certificate banking trojan?

You forgot to mention Windows ...

'Banking Trojan, Brazilian banking password-sniffer, digital certificate, digital seal, global hotspot, infected file, item of malware, key-logger, PDF document, Spyware.Banker.FakeSig, untrusted applications, victim's inbox`

0
0
J 3
Devil

Buster

So, both companies that were mentioned had names beginning with Buster. Which isn't a world in Portuguese. So, the same guys creating the companies. It is very easy to start a "company" in Brazil, any person can do that. Just because it's registered with the government, it does not mean it is legit.

0
0
Bronze badge

Re: Buster

Ronnie Biggs hung out in Brazil for a long while and Buster Edwards was a fellow Great Train Robbery gang member, so Brazilians may have heard of Buster. Oh bugger, I've got Phil Collins singing in my head now. Does anyone know the way - there's got to be a way - to block Buster?

0
0
This topic is closed for new posts.