{"id":4276,"date":"2013-12-16T13:52:57","date_gmt":"2013-12-16T18:52:57","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=4276"},"modified":"2013-12-16T13:52:57","modified_gmt":"2013-12-16T18:52:57","slug":"bogus-av-program-uses-12-stolen-digital-certificates-to-make-the-malware-look-legit","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/12\/16\/bogus-av-program-uses-12-stolen-digital-certificates-to-make-the-malware-look-legit\/","title":{"rendered":"Bogus AV program uses 12 stolen digital certificates to make the malware look legit"},"content":{"rendered":"

A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.<\/p>\n

The application, branded as \u201cAntivirus Security Pro,\u201d was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, \u201cWin32\/Winwebsec.\u201d<\/p>\n

Digital certificates, issued by Certification Authorities (CAs), are used by developers to \u201csign\u201d software programs, which can be cryptographically checked to verify that a program hasn\u2019t been tampered with and originates from the developer who claims to write it.<\/p>\n

If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.<\/p>\n

\"\"<\/a><\/p>\n

It’s a trap!<\/p>\n

The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued \u201cby a number of different CAs to software developers in various locations around the world,\u201d the company wrote.<\/p>\n

The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.<\/p>\n

Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organization or an entity that issues the certificates.<\/p>\n

One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating \u201cthat the malware\u2019s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.\u201d<\/p>\n

Microsoft noticed another fake antivirus program, which is called \u201cWin32\/FakePav,\u201d is also rotating stolen certificates.<\/p>\n

Win32\/FakePav has gone by more than 30 other names since its detection around 2010. It didn\u2019t use any signing certificates in its early days. The malware was inactive for more than year until new samples were recently discovered that used a certificate, which was substituted after just a few days with another one. Both certificates were issued in the same name but by different CAs, Microsoft wrote.<\/p>\n

To prevent problems, software developers should take care to protect the private keys used for code-signing on securely-stored hardware devices such as smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.<\/p>\n

\u201dNot only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company\u2019s reputation if it is used to sign malware,\u201d the company wrote.<\/p>\n

via Bogus AV program uses 12 stolen digital certificates to make the malware look legit | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,9,10],"tags":[278,655],"class_list":["post-4276","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-technology","tag-digital-certificates","tag-malware"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-16Y","jetpack-related-posts":[{"id":9930,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/05\/16\/fbi-says-toss-your-old-router\/","url_meta":{"origin":4276,"position":0},"title":"FBI Says Toss Your Old Router","author":"NCCT","date":"May 16, 2025","format":false,"excerpt":"https:\/\/youtu.be\/scR199zRjvA On Security Now, Steve talks about the FBI's suggestion that we should be tossing out our old routers.","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/scR199zRjvA\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9655,"url":"https:\/\/nccomputertech.com\/techtalk\/2021\/03\/09\/fuquay-varina-and-holly-springs-computer-repair\/","url_meta":{"origin":4276,"position":1},"title":"Fuquay Varina and Holly Springs Computer Repair","author":"NCCT","date":"March 9, 2021","format":false,"excerpt":"Welcome to our blog. NC Computer Tech services Fuquay Varina, Holly Springs, and surrounding NC areas. We offer prompt, professional, courteous service with over twenty years of experience dealing with residential and small business clients offering them solutions and fixing their computer and network issues at reasonable rates. Our services\u2026","rel":"","context":"In "Technology"","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9884,"url":"https:\/\/nccomputertech.com\/techtalk\/2024\/12\/08\/how-emergency-vehicle-lights-can-trigger-digital-epileptic-seizures-in-self-driving-cars\/","url_meta":{"origin":4276,"position":2},"title":"How Emergency Vehicle Lights Can Trigger Digital Epileptic Seizures in Self-Driving Cars","author":"NCCT","date":"December 8, 2024","format":false,"excerpt":"https:\/\/youtu.be\/GVJSZAcXPqU In this segment from Security Now episode 1003, Steve Gibson and Leo Laporte explore the fascinating research revealing how emergency vehicle lights can induce \"digital epileptic seizures\" in self-driving cars, potentially leading to accidents. Watch the full episode for more on Microsoft's AI training practices, the Tor network's call\u2026","rel":"","context":"In "Technology"","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/GVJSZAcXPqU\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9902,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/tpm-2-0-is-not-required-for-windows-11\/","url_meta":{"origin":4276,"position":3},"title":"TPM 2.0 Is Not Required for Windows 11","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/yjjCbOOpREg On Security Now, Steve Gibson talks about Microsofrt dropping the TPM 2.0 requirement from Windows 11.","rel":"","context":"In "Microsoft"","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/yjjCbOOpREg\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9452,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/19\/internal-bug-discovery-security-now-693\/","url_meta":{"origin":4276,"position":4},"title":"Internal Bug Discovery – Security Now 693","author":"NCCT","date":"November 19, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ClVI9PMQGCY Australia vs Encryption, Google+ Bugs Hasten its Demise -- Australia's recently passed anti-encryption legislation -- Details of a couple more mega-breaches including a bit of Marriott follow-up -- A welcome call for legislation from Microsoft -- A new twist on online advertising click fraud -- The DHS is interested\u2026","rel":"","context":"In "Microsoft"","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ClVI9PMQGCY\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9428,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/10\/28\/all-the-presidents-phones-this-week-in-tech-690\/","url_meta":{"origin":4276,"position":5},"title":"All the President’s Phones – This Week in Tech 690","author":"NCCT","date":"October 28, 2018","format":false,"excerpt":"https:\/\/youtu.be\/pmfcU05twvo IBM buys Red Hat, worst Windows 10 ever, Right to Repair wins, and more. -- What's in store for Apple's big event this Tuesday? -- Tim Cook vs the \"data industrial complex\" -- Amazon's government controversies -- IBM buys Red Hat for $34 billion - the largest software purchase\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/pmfcU05twvo\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=4276"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4276\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=4276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=4276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=4276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}