
New Malware Signed With Stolen Government Certificate

samzenpus posted more than 2 years ago | from the malaysian-malady dept.

Security 34

Trailrunner7 writes "Security researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code. The malware, identified by F-Secure as a Trojan horse program dubbed Agent.DTIW, was detected in a signed Adobe PDF file by the company's virus researchers recently. The malicious PDF was signed using a valid digital certificate for mardi.gov.my, the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen 'quite some time ago.'"


34 comments

quite some time ago? (4, Insightful)

Moheeheeko (1682914) | more than 2 years ago | (#38065898)

We talking days? weeks? months? years? And why wasn't it immediately flagged as stolen?

Re:quite some time ago? (0)

crunchy666 (1315081) | more than 2 years ago | (#38066264)

Does it matter how long ago? A world government doesn't even think this is worth reporting to anyone.... Is SSL even secure anymore?

Re:quite some time ago? (1)

Anonymous Coward | more than 2 years ago | (#38070908)

> Is SSL even secure anymore?

It hasn't been since the beginning. But few bothered to notice since any opposition to the epic fail of the CA-model got side-swept in the 90's gold-rush towards "e-commerce" anyway. People (mostly pointy-haired) wanted a quick solution, and that's what they, and unfortunately we all, got.

Re:quite some time ago? (3, Funny)

DriedClexler (814907) | more than 2 years ago | (#38067098)

And why is it both stolen AND a legitimate cert?

Also, who the hell actually installs software just because the Malaysian government signs it?

"Hm, I'm not sure I want to run this code ... seems like it could put my system at risk. Oh, wait, the Malaysian government signed it! What a fool I was to spend even a moment in worry!"

Re:quite some time ago? (5, Informative)

idontgno (624372) | more than 2 years ago | (#38067252)

> Also, who the hell actually installs software just because the Malaysian government signs it?

It's not "who", it's "what". As in "What operating system trusts signed <foo> more than unsigned equivalent?" As in "All of them."

A signed cert opens doors that most users aren't even aware of. Add to that (in this case) an existing remote arbitrary code execution exploit in unpatched vulnerable versions of Acrobat Reader 8, and you've got a lovely recipe for malware drive-by installation.

Re:quite some time ago? (1)

DriedClexler (814907) | more than 2 years ago | (#38067388)

Oh, crap! Didn't know that!

*opens up trusted cert list*

Re:quite some time ago? (4, Insightful)

TClevenger (252206) | more than 2 years ago | (#38069640)

I'd love to see a "NoScript" equivalent for CAs. Let ME decide if I should approve a certificate signed by the Hong Kong Post Office. (Yes, they're in there.)

Re:quite some time ago? (0)

Anonymous Coward | more than 2 years ago | (#38070832)

That's unnecessary. You can easily remove any of the trusted CAs from your browser. In Firefox, it's under Preferences/Advanced/View Certificates.
I find you worrying about the Hong Kong Post Office CA amusing. All a CA does is check the guy is who he says he is, nothing more. With enough money they could buy HK's CA just like they could buy AOL's.

Re:quite some time ago? (1)

KiloByte (825081) | more than 2 years ago | (#38071828)

Except that there are multiple paths by which a certificate can be signed. For example, to remove CNNIC, you have to distrust Entrust as well.

Re:quite some time ago? (0)

Anonymous Coward | more than 2 years ago | (#38071274)

Have a look at "Certificate Patrol"

Re:quite some time ago? (1)

fast turtle (1118037) | more than 2 years ago | (#38069158)

And this is exactly why I don't trust any cert until I know exactly who issued it. In my case, that's a grand total of 8 certs I actually need to trust on a regular basis, not the damn mess that FF/IE/Opera and Chrome all insist are trustworthy.

DTIW? (-1)

Anonymous Coward | more than 2 years ago | (#38065970)

Done The Internet Woman? Gross.

Why isn't this certificate revoked? (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38066086)

The article makes no mention of the signing certificate being revoked. Why hasn't the signing certificate been revoked?

Re:Why isn't this certificate revoked? (1)

Anonymous Coward | more than 2 years ago | (#38067600)

> Why hasn't the signing certificate been revoked?

Is there a working revocation scheme for such certificates? An attack against the revocation protocol for SSL certificates was demonstrated quite some time ago. It just took one single byte to defeat the entire protocol. And last I checked the running of a signed Java applet, the browser didn't even attempt to check for revocation. Are signatures on PDF files any easier to revoke? (And since when were PDF files an executable format?)

Re:Why isn't this certificate revoked? (3, Interesting)

idontgno (624372) | more than 2 years ago | (#38067932)

I imagine it wasn't reported for revocation because (A) some bureaucrat would have to publicly 'fess up to a nasty boo-boo, and (B) that might inconvenience legitimate users of that certificate chain and (C) make lots of extra work for the fellow bureaucrats to replace the poisonous certificate and publicize its replacement in the using public.

So, yeah. Allowing the certificate to glimmering is obviously the better solution. There's no downside as long as no one uses the stolen certificate for evil purposes. And if they do, there's probably enough plausible deniability to buy time to do the revocation only when it's absolutely necessary, like buying fire insurance while the roof is burning.

Re:Why isn't this certificate revoked? (1)

Anonymous Coward | more than 2 years ago | (#38071354)

What's the point when most clients (including browsers) don't look at revocation lists due to the latency it adds. OCSP stapling offers some hope, but is rarely used.

Is there: +4, Informative (0, Funny)

Anonymous Coward | more than 2 years ago | (#38066114)

a download site for Stuxnet.

I'd like to make it a GNU Project.

Yours In Novosibirsk,
K. Trout, C.T.O.

Re:Is there: +4, Informative (1)

Anomalyst (742352) | more than 2 years ago | (#38067360)

Dear Mr. Trout,
"Life is no way to treat an animal." would make an excellent epitaph.

"gaps in the security of digital certificates" (2)

Monkier (607445) | more than 2 years ago | (#38067464)

So the gap is "the secret key must be kept secret"? I don't see that as a digital certificate failing. It's also the reason we have revocation lists.

Re:"gaps in the security of digital certificates" (2)

putaro (235078) | more than 2 years ago | (#38069170)

No, the gap is that there are too many trusted parties and when some idiot on the other side has a security breach it is affecting people everywhere.

It is not theft (4, Funny)

houghi (78078) | more than 2 years ago | (#38067590)

It is copyright infringement.

Re:It is not theft (1)

uufnord (999299) | more than 2 years ago | (#38069244)

Should I have modded you as funny? X.509 certificates don't contain copyright notices anywhere within them. I believe they would be treated as non-copyrightable, since they are statements of fact, and not creative works. So, no, it's not theft, and it's not copyright infringement. It's merely "copied".

malware spreading via malicious PDF files is signed with a valid certificate which was copied from the Government of Malaysia...

Revocation List? (4, Informative)

Logarhythmic (1082321) | more than 2 years ago | (#38067706)

Isn't this precisely what certificate revocation lists are for?

Re:Revocation List? (1)

Anonymous Coward | more than 2 years ago | (#38070138)

Unfortunately, the stolen certificate in question had an invalid CRL, which means this certificate could not be revoked at all. This is also one of the mentioned 22 certificates with a weak 512-bit key.

In related news, the CA in question was revoked by major browser vendors exactly due to this bad practice.
http://tech.slashdot.org/story/11/11/04/1539253/microsoft-mozilla-and-google-ban-malaysian-intermediate-ca [slashdot.org]

I'm sure it'll be fine. We all need to ... (0)

Anonymous Coward | more than 2 years ago | (#38067846)

Relax, don't do it. When you want to go to it.

I don't read good.

Malaysia sucks (-1)

Anonymous Coward | more than 2 years ago | (#38069136)

Malaysia Boleh!

Re:Malaysia sucks (1)

udippel (562132) | more than 2 years ago | (#38071492)

Dear AC, don't worry. The mod who modded you down can hardly be blamed. He doesn't know about Dr. M, and he probably doesn't speak Bahasa Malaysia either. So something was whooshing over her head.

stolen digital certificate (1)

microphage (2429016) | more than 2 years ago | (#38069666)

How exactly do you go about stealing a digital certificate? Can you revoke the cert after the event? What happens to legitimate sites using the stolen cert?

Sweet!!! (0)

Anonymous Coward | more than 2 years ago | (#38069850)

Now I'll make some more $$ off of the dumb-asses who get their shit ass WinBlowz computers owned by going to infected pron links. Score!!!!

Makes virus detection tricky (1)

jamesh (87723) | more than 2 years ago | (#38071964)

When faced with a virus that none of the existing tools detect, I open up Process Explorer, tell it to verify signatures, and then check for any currently loaded objects with a signature that can't be verified (or no signature). It's just one part of the investigation but it's certainly a good start.

This increase in stolen certs is troubling.

Re:Makes virus detection tricky (0)

Anonymous Coward | more than 2 years ago | (#38073336)

This is why I use a HIPS that blocks everything by default unless manually whitelisted, even OS components. But sure, this isn't for everyone.

Asking the wrong question (1)

ThatsNotPudding (1045640) | more than 2 years ago | (#38072310)

The right question: why the fuck does the Agricultural Research and Development Institute of the Government of Malaysia even need a CA??

Re:Asking the wrong question (1)

heypete (60671) | more than 2 years ago | (#38072876)

They don't.

A Malaysian CA was issuing bad certificates from their intermediate CA that was chained to Entrust. They were allowing weak, 512-bit RSA keys to be signed, as well as not including any certificate extensions (and thus the certificates were treated as valid for all purposes by many OSs and browsers, as opposed to being limited to only what the extensions stated). Entrust revoked the intermediate CA [entrust.net]. Evidently the Malaysian CA also had broken CRL locations burned into the certs (or didn't include any CRL information, I don't quite recall), and

Since the certificate had no extensions, it was usable as a code-signing certificate and used to sign malware. The same thing could have happened if the bad guys managed to steal a regular code-signing cert and the revocation was broken.
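The three defects heypete and the earlier revocation-list reply describe (512-bit RSA key, no Extended Key Usage extension, no usable CRL location) are all visible in the certificate itself. The script below is an added example, not code from the thread, F-Secure or the CA involved: it mints two throwaway self-signed certificates with the openssl CLI (one mirroring the weak profile, one hardened) and runs a small policy check over each; the subject names and the CRL URL are constructed placeholders.

```shell
#!/bin/sh
# Added example: mint two throwaway self-signed certs and check them for
# the weaknesses discussed in the thread: a 512-bit RSA key, no Extended
# Key Usage (so the cert is good for any purpose, code signing included),
# and no CRL Distribution Point a relying party could use to learn of
# revocation. Requires the openssl CLI (1.1.1 or newer for -addext).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mint_cert NAME BITS [extra openssl req options, e.g. -addext ...]
mint_cert() {
  name=$1; bits=$2; shift 2
  openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 1 \
    -subj "/CN=demo.invalid" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# check_cert FILE: prints one line per finding; returns 1 if any finding.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  # "Public-Key: (N bit)" in OpenSSL 3, "RSA Public-Key: (N bit)" in 1.1.1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "weak RSA key: ${bits:-?} bits"; rc=1; }
  printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' \
    || { echo "no Extended Key Usage: valid for any purpose, incl. code signing"; rc=1; }
  printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points' \
    || { echo "no CRL Distribution Points: revocation cannot be discovered"; rc=1; }
  return $rc
}

# Weak profile mirroring the thread: 512-bit key, no EKU, no CRL DP.
mint_cert weak 512
# Hardened profile: 2048-bit key, EKU pinned to code signing, and a CRL
# URL (constructed placeholder, not a real CRL endpoint).
mint_cert good 2048 \
  -addext "extendedKeyUsage=codeSigning" \
  -addext "crlDistributionPoints=URI:http://crl.demo.invalid/ca.crl"

for c in weak good; do
  if check_cert "$WORK/$c.pem"; then echo "$c.pem: passes policy"
  else echo "$c.pem: REJECT"; fi
done
```

Point the same check_cert at a real leaf certificate extracted from a signed file or a TLS endpoint to see which of the three properties it would have tripped on.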

The certificate expired 29th September (0)

Anonymous Coward | more than 2 years ago | (#38078570)

http://www.f-secure.com/weblog/archives/mardi-cert_malaysian.PNG

How is this a 'Valid certificate' again ?
