September 13, 2010

threatwatch: 1st signs of attacks on certificates?

An Adobe PDF is being circulated in spam that exploits bugs in Adobe's Reader and/or Windows. The PDF itself is code-signed by a stolen certificate:

The attack, which has been spotted attached to e-mails touting renowned golf coach and author David Leadbetter, also includes a malicious file that's digitally signed with a valid signature from Missouri-based Vantage Credit Union.

VeriSign has revoked the signature, but the already baked malware will still carry what appears to be a valid digital signature, Wisniewski said.

Then there's a hint of speculation that the expected users of the certificate will be fine: that is, people logging into Vantage Credit Union will be presented with a new certificate as soon as it is in place.

No mention of what happens to the people who aren't doing that, and when they can expect their fix, sometimes known as revocation.
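The two points above (already-signed malware keeps a signature that still verifies, and revocation only helps a verifier that actually consults it) as an added Python example, not code from the post or from any vendor mentioned in it. It is a constructed model: HMAC stands in for the RSA signature, the serial, dates and file names are made up, and a trusted timestamp countersignature is assumed present. It goes one step beyond the post by showing the CRL invalidity date, which is what lets a CA kill signatures made with a stolen key before the theft was noticed without killing the owner's older legitimate ones.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
import hashlib, hmac

@dataclass
class Cert:
    serial: int
    key: bytes  # stand-in for the private key; HMAC replaces RSA here

@dataclass
class Signature:
    serial: int
    tag: bytes
    signed_at: datetime  # trusted timestamp countersignature (assumed present)

@dataclass
class CrlEntry:
    serial: int
    revoked_at: datetime
    invalidity_date: Optional[datetime] = None  # earliest suspected key theft

def sign(cert: Cert, data: bytes, when: datetime) -> Signature:
    tag = hmac.new(cert.key, hashlib.sha256(data).digest(), "sha256").digest()
    return Signature(cert.serial, tag, when)

def crypto_valid(cert: Cert, sig: Signature, data: bytes) -> bool:
    """All a naive verifier checks: the math. A stolen key still passes."""
    expected = hmac.new(cert.key, hashlib.sha256(data).digest(), "sha256").digest()
    return hmac.compare_digest(sig.tag, expected)

def verify(cert: Cert, sig: Signature, data: bytes, crl: List[CrlEntry]) -> str:
    """Revocation-aware verdict. Signatures timestamped before the cutoff
    survive, so the CA must backdate the cutoff to the suspected theft."""
    if not crypto_valid(cert, sig, data):
        return "bad-signature"
    entry = next((e for e in crl if e.serial == cert.serial), None)
    if entry is None:
        return "valid"            # no CRL entry (or the CRL was never fetched)
    cutoff = entry.invalidity_date or entry.revoked_at
    return "valid" if sig.signed_at < cutoff else "revoked"

# Constructed scenario: key stolen in August, malware signed 1 Sept, revoked 10 Sept.
CU_CERT = Cert(serial=4242, key=b"constructed-stolen-key")
LEGIT, MALWARE = b"legit-banking-helper.exe", b"pdf-exploit-dropper.exe"
LEGIT_SIG = sign(CU_CERT, LEGIT, datetime(2010, 6, 1))
MALWARE_SIG = sign(CU_CERT, MALWARE, datetime(2010, 9, 1))
CRL_DATE_ONLY = [CrlEntry(4242, revoked_at=datetime(2010, 9, 10))]
CRL_BACKDATED = [CrlEntry(4242, datetime(2010, 9, 10), invalidity_date=datetime(2010, 8, 1))]
```

With the date-only CRL the malware is still reported "valid" because it was signed before the revocation; only the backdated CRL rejects it while leaving the June signature alone.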

[Wisniewski] compared the Reader zero-day exploit with the Stuxnet worm, which caused concern in July when it was discovered attacking industrial control systems at large manufacturing and utility companies. Symantec traced Stuxnet back to June 2009, with attacks likely beginning the following month, when hackers apparently stole digital certificate keys from a pair of Taiwanese software firms and then used them to sign two versions of the worm.

"This makes two [attacks] that have used valid certificates," Wisniewski said. "I'm starting to wonder if [hackers] aren't using other malware that's specifically targeting certificates and their keys."

One thing that was very evident over the last decade, as phishing rose to challenge secure browsing (and now similar attacks on Money/Quicken "embedded" access over SSL), is this question: why don't more attacks simply steal the certificates, or buy them with bad intentions?

We theorised that the ordinary downgrade to HTTP was the best alternative. Crooks being economic, that is. These may be the first public signs of a shift or broadening to attacking the certificate itself. There have been private signs of worry for the last year or so.

Posted by iang at September 13, 2010 07:37 PM | TrackBack