Accepting Certificates

Date: 18 June 2008

For a while now we have seen some malware authors attempt to use digital certificates to help the infection process. Looking further ahead, this could have larger consequences. However, I am rushing ahead a little too fast, so let me start from the beginning...

Recently we saw a malware sample known as "Rhifrem" from a phishing email run. We were not the only people who saw this activity and SecureWorks has an extremely good analysis.

To summarise the article (or at least the bits that I am interested in), the website did the following (all themed as the IRS, in line with the phishing scam):

  1. Checked that you were running Internet Explorer (and asked you to update if you were not).
  2. Used JavaScript to install a new root certificate in Internet Explorer claiming to be from "VeriSign Trust Network".
  3. Installed a malicious (Rhifrem) ActiveX control signed by that certificate.

Once the certificate is installed, the ActiveX control will then either install itself automatically (if Internet Explorer is configured to install signed ActiveX controls automatically), or (by default) present the user with a message saying:

    "Do you want to install and run 'Adobe Acrobat ActiveX Control' signed ... and distributed by Adobe Systems Incorporated. Publisher authenticity verified by VeriSign Trust Network"

This would cause most users I know to think that there is a PDF document and they need the correctly signed Adobe Acrobat "plug-in-thingey" to view it.

Then in a couple of days their AV would probably detect the malware and remove it. Case closed. Everything is OK again.

However...

That certificate, however, would probably still be in their browser's trust store, and while unlikely, it could be used again to sign phishing websites and future malware.

And before you start thinking that there is no chance of that happening, consider the following. There are many "companies" who provide pay-per-install software, so why not pay-per-install root certificates? There are also many people selling phishing kits and malware. Would they pay more for malware that is signed by a root certificate? What about a phishing site signed with a root certificate?

So before you go installing a certificate in your browser, double check why you are doing it. There are very few reasons for needing to install a certificate in your browser. So if a website you don't know and trust attempts to install a certificate, make sure you say "no" to it.
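One way to check for the leftover root described above, added here as an example and not part of the original post: a PowerShell audit that lists root certificates present only in the current user's Root store, which is where a browser-driven install without administrator rights lands (Internet Explorer uses the Windows certificate store). It assumes a Windows host with the standard Cert: drive and reports only; nothing is removed.

```powershell
# Added example (not from the original post): report root certificates that
# exist in the current user's Root store but not in the machine's Root store.
# A root pushed in by a web page without admin rights ends up user-only, so
# these are the ones worth examining one by one.

function Get-UserOnlyRootCert {
    # Thumbprints of every root the machine store trusts.
    $machineRoots = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $machineRoots[$_.Thumbprint] = $true
    }

    # Anything trusted by the user but unknown to the machine store.
    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { -not $machineRoots.ContainsKey($_.Thumbprint) } |
        ForEach-Object {
            [PSCustomObject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # A root is self-signed: issuer and subject are the same name.
                # A user-only root claiming a well-known CA name deserves a
                # close look, because the real CA roots ship with Windows.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
}

$suspects = @(Get-UserOnlyRootCert)
if ($suspects.Count -eq 0) {
    Write-Output "No user-only root certificates found."
} else {
    Write-Output "User-only root certificates (verify each before trusting):"
    $suspects | Format-Table -AutoSize
}
```

Compare the reported thumbprints against the CA's published root fingerprints before deciding; a matching name with an unfamiliar thumbprint is the pattern this post describes.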

Richard