ID: IRCNE2013122051
Date: 2013-12-20
According to “ComputerWorldUK”, A fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.
The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."
Digital certificates, issued by Certification Authorities (CAs), are used by developers to "sign" software programs, which can be cryptographically checked to verify that a program hasn't been tampered with and originates from the developer who claims to write it.
If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.
The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued "by a number of different CAs to software developers in various locations around the world," the company wrote.
The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.
Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organisation or an entity that issues the certificates.
One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating "that the malware's distributors are regularly stealing new certificates, rather than using certificates from an older stockpile."
Microsoft noticed another fake antivirus program, which is called "Win32/FakePav," is also rotating stolen certificates.
- 2