Slashdot Mirror


New Malware Signed With Stolen Government Certificate

Trailrunner7 writes "Security researchers claim that malware spreading via malicious PDF files is signed with a valid certificate stolen from the Government of Malaysia, in just the latest evidence that scammers are using gaps in the security of digital certificates to help spread malicious code. The malware, identified by F-Secure as a Trojan horse program dubbed Agent.DTIW, was detected in a signed Adobe PDF file by the company's virus researchers recently. The malicious PDF was signed using a valid digital certificate for mardi.gov.my, the Agricultural Research and Development Institute of the Government of Malaysia. According to F-Secure, the Government of Malaysia confirmed that the certificate was legitimate and had been stolen 'quite some time ago.'"

10 of 34 comments

  1. quite some time ago? by Moheeheeko · Score: 4, Insightful

    We talking days? weeks? months? years? And why wasn't it immediately flagged as stolen?

    1. Re:quite some time ago? by DriedClexler · Score: 3, Funny

      And why is it both stolen AND a legitimate cert?

      Also, who the hell actually installs software just because the Malaysian government signs it?

      "Hm, I'm not sure I want to run this code ... seems like it could put my system at risk. Oh, wait, the Malaysian government signed it! What a fool I was to spend even a moment in worry!"

      --
      Information theory is life. The rest is just the KL divergence.
    2. Re:quite some time ago? by idontgno · Score: 5, Informative

      Also, who the hell actually installs software just because the Malaysian government signs it?

      It's not "who", it's "what". As in "What operating system trusts signed <foo> more than unsigned equivalent?" As in "All of them."

      A signed cert opens doors that most users aren't even aware of. Add to that (in this case) an existing remote arbitrary code execution exploit in unpatched vulnerable versions of Acrobat Reader 8, and you've got a lovely recipe for malware drive-by installation.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:quite some time ago? by TClevenger · Score: 4, Insightful

      I'd love to see a "NoScript" equivalent for CAs. Let ME decide if I should approve a certificate signed by the Hong Kong Post Office. (Yes, they're in there.)

  2. Why isn't this certificate revoked? by Anonymous Coward · Score: 3, Insightful

    The article makes no mention of the signing certificate being revoked. Why hasn't the signing certificate been revoked?

    1. Re:Why isn't this certificate revoked? by idontgno · Score: 3, Interesting

      I imagine it wasn't reported for revocation because (A) some bureaucrat would have to publicly 'fess up to a nasty boo-boo, and (B) that might inconvenience legitimate users of that certificate chain and (C) make lots of extra work for the fellow bureaucrats to replace the poisonous certificate and publicize its replacement in the using public.

      So, yeah. Allowing the certificate to glimmering is obviously the better solution. There's no downside as long as no one uses the stolen certificate for evil purposes. And if they do, there's probably enough plausible deniability to buy time to do the revocation only when it's absolutely necessary, like buying fire insurance while the roof is burning.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  3. "gaps in the security of digital certificates" by Monkier · Score: 2

    So the gap is "the secret key must be kept secret"? I don't see that as a digital certificate failing. It's also the reason we have revocation lists.

    1. Re:"gaps in the security of digital certificates" by putaro · Score: 2

      No, the gap is that there are too many trusted parties and when some idiot on the other side has a security breach it is affecting people everywhere.

  4. It is not theft by houghi · Score: 4, Funny

    It is copyright infringement.

    --
    Don't fight for your country, if your country does not fight for you.
  5. Revocation List? by Logarhythmic · Score: 4, Informative

    Isn't this precisely what certificate revocation lists are for?

    --
    "Before criticizing someone, first walk a mile in his shoes. Then, you'll be a mile away... and you'll have his shoes."
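Added example, not from the article or any commenter, illustrating Monkier's and Logarhythmic's point: a stolen-but-unrevoked signing key produces a chain that validates exactly like a legitimate one, and only a fail-closed CRL check catches it. The CA, leaf certificate, serial numbers and names are all constructed for the demo; nothing here is the real mardi.gov.my certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo short: any setup error aborts the example.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// BuildPKI creates a constructed CA and a constructed code-signing leaf (neither is a real government cert).
func BuildPKI() (ca, leaf *x509.Certificate, caKey *ecdsa.PrivateKey) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now, later := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo CA"},
		NotBefore: now, NotAfter: later, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "signer.example.invalid"},
		NotBefore: now, NotAfter: later, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf, caKey
}

// IssueCRL has the CA publish a signed CRL listing the given serial numbers as revoked.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) *x509.RevocationList {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials { revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()}) }
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// Trusted does what a careful verifier should: the leaf must chain to the CA for code signing
// AND be absent from a CRL the CA itself signed. A missing or unverifiable CRL fails closed.
func Trusted(ca, leaf *x509.Certificate, crl *x509.RevocationList) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil || crl == nil || crl.CheckSignatureFrom(ca) != nil {
		return false // bad chain, or no CRL we can trust
	}
	for _, rc := range crl.RevokedCertificates { // the chain still validates; only the CRL reveals the stolen key
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return false
		}
	}
	return true
}
```

Trusted returns true with an empty CRL and false once the CA lists the leaf's serial, which is why an unreported theft stays invisible to every verifier.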