{"id":4276,"date":"2013-12-16T13:52:57","date_gmt":"2013-12-16T18:52:57","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=4276"},"modified":"2013-12-16T13:52:57","modified_gmt":"2013-12-16T18:52:57","slug":"bogus-av-program-uses-12-stolen-digital-certificates-to-make-the-malware-look-legit","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/12\/16\/bogus-av-program-uses-12-stolen-digital-certificates-to-make-the-malware-look-legit\/","title":{"rendered":"Bogus AV program uses 12 stolen digital certificates to make the malware look legit"},"content":{"rendered":"<p>A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.<\/p>\n<p>The application, branded as \u201cAntivirus Security Pro,\u201d was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, \u201cWin32\/Winwebsec.\u201d<\/p>\n<p>Digital certificates, issued by Certification Authorities (CAs), are used by developers to \u201csign\u201d software programs, which can be cryptographically checked to verify that a program hasn\u2019t been tampered with and originates from the developer who claims to write it.<\/p>\n<p>If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2080620\/bogus-antivirus-program-uses-a-dozen-stolen-signing-certificates.html\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/12\/id-2080620-certificates-100160470-large.jpg\" \/><\/a><\/p>\n<p>It&#8217;s a trap!<\/p>\n<p>The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued \u201cby a number of different CAs to software developers in various locations around the world,\u201d the company wrote.<\/p>\n<p>The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.<\/p>\n<p>Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organization or an entity that issues the certificates.<\/p>\n<p>One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating \u201cthat the malware\u2019s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.\u201d<\/p>\n<p>Microsoft noticed another fake antivirus program, which is called \u201cWin32\/FakePav,\u201d is also rotating stolen certificates.<\/p>\n<p>Win32\/FakePav has gone by more than 30 other names since its detection around 2010. It didn\u2019t use any signing certificates in its early days. The malware was inactive for more than year until new samples were recently discovered that used a certificate, which was substituted after just a few days with another one. Both certificates were issued in the same name but by different CAs, Microsoft wrote.<\/p>\n<p>To prevent problems, software developers should take care to protect the private keys used for code-signing on securely-stored hardware devices such as smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.<\/p>\n<p>\u201dNot only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company\u2019s reputation if it is used to sign malware,\u201d the company wrote.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2080620\/bogus-antivirus-program-uses-a-dozen-stolen-signing-certificates.html\" target=\"_blank\">Bogus AV program uses 12 stolen digital certificates to make the malware look legit | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9,10],"tags":[278,655],"class_list":["post-4276","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-technology","tag-digital-certificates","tag-malware"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-16Y","jetpack-related-posts":[{"id":7608,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/12\/virustotal-tackles-the-tricky-false-positives-problem-plaguing-antivirus-software\/","url_meta":{"origin":4276,"position":0},"title":"VirusTotal tackles the tricky false positives problem plaguing antivirus software","author":"NCCT","date":"February 12, 2015","format":false,"excerpt":"VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs. False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5916,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/08\/attack-on-dailymotion-redirected-visitors-to-exploits\/","url_meta":{"origin":4276,"position":1},"title":"Attack on Dailymotion redirected visitors to exploits","author":"NCCT","date":"July 8, 2014","format":false,"excerpt":"Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post. The iframe redirected browsers to\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8742,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/09\/microsoft-may-block-sha1-certificates-sooner-than-expected\/","url_meta":{"origin":4276,"position":2},"title":"Microsoft may block SHA1 certificates sooner than expected","author":"NCCT","date":"November 9, 2015","format":false,"excerpt":"Encrypted sites running old certificates will be inaccessible from modern browsers. By Zack Whittaker for Zero Day While about one-in-four encrypted websites are still using weak security certificates, Microsoft is considering taking matters into its own hands. With the possibility of an attack becoming ever more possible, the software giant\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3175,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/13\/security-team-pries-open-secrets-of-chinese-hacker-gang\/","url_meta":{"origin":4276,"position":3},"title":"Security team pries open secrets of Chinese hacker gang","author":"NCCT","date":"August 13, 2013","format":false,"excerpt":"A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers. The remote-access Trojan, or RAT, tagged as \"Comfoo\"\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":5750,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/11\/one-click-test-finds-gameover-zeus-infections-on-pcs\/","url_meta":{"origin":4276,"position":4},"title":"One-click test finds Gameover Zeus infections on PCs","author":"NCCT","date":"June 11, 2014","format":false,"excerpt":"Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week. The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware\u2019s aggressive\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5958,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/10\/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users\/","url_meta":{"origin":4276,"position":5},"title":"Crypto certificates impersonating Google and Yahoo pose threat to Windows users","author":"NCCT","date":"July 10, 2014","format":false,"excerpt":"People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo, and possibly an unlimited number of other Internet properties. A blog post published Tuesday by Google security engineer Adam Langley said\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=525%2C300 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=4276"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4276\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=4276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=4276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=4276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}