Crooks, think your Trojan looks legit? This one has a DIGITAL CERTIFICATE Security researchers have discovered a banking Trojan that comes with its own built-in digital certificate. The Brazilian banking password-sniffer was signed with a valid digital certificate issued by DigiCert, MalwareBytes reports. DigiCert responded promptly to inquiries by El Reg to confirm it had a had pulled the offending …
It's not signed by Buster Paper Commercial ltd, its signed by DigiCert. However as that's a CA I've never heard of and know doesn't have root certs on any of the serious systems I'm responsible for I can't say it would worry me much. Now if Thawte or Verisign had issued it I'd be a bit more concerned!
Certificate keys can only be as good as the underlying crypto :-(
The strength of the underlying crypto is a sort of theoretical nirvana impossible to attain in practice. It's a bit like saying politicians are only as benevolent as the underlying constitution. The whole CA system has been a sham from conception... there's absolutely no need for or security in placing arbitrarily "trusted" men in the middle... except, perhaps, as a last resort which would seldom actually occur in practice... and even then the whole cascade of failure™ design is STILL COMPLETELY UNNECESSARY... unless you're a spook of course... then it's probably quite handy.
"What we have here is a total abuse of hosting services, digital certificates and repeated offences from the same people," writes Jerome Segura, a security researcher at Malwarebytes. "Clearly, if digital certificates can be abused so easily, we have a big problem on our hands."
The biggest abusers are the marketards trying to convince computer illiterate sheeple that these complex boxen can be made so simple to use that they are a no-brainer, and that nobody has to look after their own personal security. Ever.
"Hosting services" are abuse of the public.
"Cloud" is abuse of the public.
The perceived "need" of digital certificates is abuse of the public.
Marketards & manglement need to stop trying to do engineering. Between them, they are cocking things up completely. It's kinda like watching a liberal arts major trying to use a lathe ... spectacularly dangerous for onlookers, but funny in a morbid kind of way.
And that's "offenses". With an "s".
Beer. Not drinking (yet), firing up the bottling line for the first time ... Wish me luck :-)
And that's "offenses". With an "s".
Stop. Take a look at your browser address bar, the bit near the top where you can see the address "http://forums.theregister.co.uk/forum/1/2013/02/05/digitally_signed_banking_trojan/".
See that ".co.uk" bit? That means that the site you are reading is based in the United Kingdom, an independent sovereign nation that (arse-reaming extradition treaties notwithstanding) exists outside of the United States of America, and whose citizens speak a language known as English, which is different to American.
In the United Kingdom, and in every other country that speaks English, the word "offence" and its variants are spelt with a "c", not an "s".
On all new kit sold to the general public.
"Use of this device could open you up to identity theft and fraud. Should this device be used without your knowledge to commit a crime, unless you can prove innocence, you may face criminal charges. This device may come with security software installed. Please be aware, this software does not make your device secure."
I wouldn't imagine such a warning label having much of an impact on sales, nor would I imagine it reducing by much the number of people that blindly trust code downloaded from the Internet. It would however be a more accurate description of how the device can behave compared to all the glossy advertising that extols nothing but the virtues of such devices..
Code signing is rather secure when the code is generated for your own or a very close partner vendors bespoke application. Better still if it's created by their own verified secure CA that can't be obtained by anyone other than your vendor.
Otherwise, code signing is a piece of shit.
@ac
How secure is secure though...
I work in a large bank, and we have our own "secure" CA that is used to generate all of our certificates. I thought it was a pretty bulletproof system until I got involved in an issue caused by a certificate expiry. It turned out that a couple of years previously, some complete retard, with no concept of security, had generated a certificate from it and given it to a third party company as they didn't understand SSL and this would get it working. Possibly even worse, no-one knew they had it, hence the expiry causing an issue.
Several 'JFDI' higher ups on the incident calls quickly shut up with their "just generate a new one asap plan" when I flagged up that for the entire period, several years, this other company could have gone to anyone and pretended to be us.
"Malware endorsed by a digital certificate is not unprecedented - Stuxnet and Flame were both signed using digital certificates - but the appearance of the same tactic much further down the food chain in more everyday nasties is still very bad news."
Also old news. Signing ordinary run-of-the-mill malware with security certs isn't new. As far back as 2008, there was rogue antivirus scareware being distributed from a network of hacked sites that included a valid code-signing cert issued under the name "Mistland Limited".
It's not hard to get a security certificate. A business license (either belonging to you or stolen from someone else--a quick Google search shows there is a business called "Mistland Limited," apparently a real estate firm in London, whose name was probably used to get the cert without their knowledge) and about five minutes on the phone should do it.
People really should get over their fascination (or is it ignorance?) when it comes to certificates. A "real" certificate means absolutely nothing more than that it'll be easier to recognize by other parties. Yet that won't make it any safer or more insecure.
In fact; I can come up with scenario's where you might actually benefit a whole lot more from picking up & setting up OpenSSL yourself and then simply using your own SSL hierarchy. And yes; OpenSSL can easily run on Windows as well (and does a fine job too!).
Sure; it may take you some RTFM before you setup a whole CA structure, but I speak from personal experience when I say that OpenSSL can cope. It supports Root (CA), EmailCerts, AuthCerts, CodeSigning and ServerCerts with ease. An sometimes such a setup may even be much more beneficial too. You can be pretty sure that 'bad guys' won't really care much about your little 'CA enterprise', thus minimizing risks.
But most of all you'll get the exact same results, but IMO better: On a very select amount of PC's (which is entirely to your discretion) you can deploy (test?) code where it'll run without warnings or such. And if you're working with computer illiterates it could even help prevent them grabbing your code to try it out somewhere else; because that's bound to generate errors, errors which may very well intimidate those people.
And if you plan this right you'll even know that you can simply setup a structure which will only be valid during the course of the project. The moment $date passes all certs can simply be rendered useless; and all without having to do anything special but some proper planning.
"A "real" certificate means absolutely nothing more than that it'll be easier to recognize by other parties. Yet that won't make it any safer or more insecure."
That depends on the expectations of the other parties. If I (as an "other party") receive a package from or make a connection to "Contoso, Inc" then it certainly does provide some assurance if the certificate is signed by a third party that I recognise if I already had reasons to trust the real "Contoso, Inc".
Of course, if I found "Contoso, Inc" by Google search and have never actually heard of them, no amount of proof that they really are "Contoso, Inc" will re-assure me that they can be trusted. Equally, if they are only countersigned by one of the largely unknown hundred or so CAs that have paid Microsoft to be on the root certs program, that means bog all, too.
You forgot to mention Windows ...
'Banking Trojan, Brazilian banking password-sniffer, digital certificate, digital seal, global hotspot, infected file, item of malware, key-logger, PDF document, Spyware.Banker.FakeSig, untrusted applications, victim's inbox`
So, both companies that were mentioned had names beginning with Buster. Which isn't a world in Portuguese. So, the same guys creating the companies. It is very easy to start a "company" in Brazil, any person can do that. Just because it's registered with the government, it does not mean it is legit.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
