Posted on February 22, 2013 8:20 pm

Certified online banking trojan in the wild

Jean-Ian Boutin, who works for AV firm Eset, has discovered trojans that carry a valid digital signature. This potentially allows online banking spyware to pass superficial tests as harmless. Apparently, the certificate in question was issued by the DigiCert Certificate Authority – to a company that ceased to exist a long time ago.f71359d5cc04e6ac

A valid signature from a company called “NS Autos” confirmed the origin of a range of programs that, on close analysis, turned out to be trojans, at least some of them specialising in online banking fraud. While a company called NS Autos did once exist, it was liquidated in 2011. Apparently, that didn’t stop the DigiCert Certificate Authority from issuing a valid certificate for signing executable programs to the company on 19 November 2012. The certificate was only revoked when Eset reported the discovery.

The existence of a digital signature doesn’t generally say anything about its level of security. Nevertheless, digital signatures are often a prerequisite for certain potentially dangerous activities. What’s more, many warnings are formulated in a much less alarming way if the presumed issuer is known. Finally, it is common practice in analysis at least to initially exclude digitally signed programs, for example when performing the time-consuming task of manually checking a potentially infected PC.

The time when we could assume that digitally signed programs are “somehow ok” has, therefore, definitely come to an end. The question is whether there should come a time when we stop trusting that Certificate Authorities will adequately check the identity behind a certificate. After all, DigiCert only recently issued a valid certificate to a bogus company in Brazil.