False Digital Certificate Signature Validates Malware; Kaspersky
Security company Kaspersky recently found a malicious program circulating on the Web which it identifies as Trojan.Win32.Mediyes and which carried a digital certificate issued by VeriSign, InfosecIsland.com reported on March 16, 2012.
Reportedly, some 5,000 or more computers have been infected with Mediyes, the majority located in Western Europe. This is attributed to the stolen digital certificate belonging to a Swiss firm, while the C&C (command-and-control) server is based in Germany.
Kaspersky security specialist Vyacheslav Zakorzhevsky reports that many dropper files have been identified, carrying signatures dated from December 2011 to March 7, 2012. These files were signed with a certificate belonging to the Swiss firm Conpavi AG, which is believed to work with the cantons and municipalities of the Swiss government, SECURELIST blogged on March 15, 2012.
Reportedly, the 32-bit version of the dropper is accompanied by a driver that is written to the infected computer's driver directory; once that is done, the dropper deletes itself. The driver itself is unsigned but still loads on 32-bit Windows operating systems.
The driver (Rootkit.Win32.Mediyes) has two primary functions: to inject a DLL file identified as Trojan.Win32.Mediyes into any running browser process, and to keep Mediyes hidden.
Once the browser is infected, the malware can replace the user's search requests on Bing, Yahoo and Google with the cyber-criminals' own. The criminals then run a Pay-Per-Click scheme named Search 123 and collect cash whenever an end-user performs a search.
Meanwhile, in spring 2011, security vendor Avira detected a ZeuS Trojan sample carrying a digital certificate signature, and researchers have repeatedly spotted ZeuS variants bearing counterfeit Avira or Kaspersky digital signatures.
In addition, a fake SSL certificate purporting to be Google's came to light and was possibly used in a ruse by Iran's government to carry out Man-in-the-Middle attacks.
Senior E-Threat Analyst Bogdan Botezatu of anti-virus provider BitDefender said that malware creators had installers signed as well as drivers, because certain AV programs did not question digitally-signed installers and so left them unscanned, ComputerWorld.com reported on March 15, 2012.
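The incidents above share one lesson for defenders: a valid code signature only tells you who held the signing key, not whether the file is benign, and a certificate can be stolen (as with Conpavi AG) or later revoked. The following PowerShell function is an added example, not code from the article or from any of the vendors named in it; it uses the standard Get-AuthenticodeSignature cmdlet and the .NET X509Chain class, and the allowlist thumbprint and file paths are placeholders you would replace with your own.

```powershell
# Added example: treat an Authenticode signature as an identity claim to be
# checked, never as a reason to skip scanning.
# Assumptions: $TrustedSignerThumbprints is a placeholder allowlist that you
# maintain; the paths in the usage line at the bottom are placeholders.

function Test-SignedFileTrust {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $TrustedSignerThumbprints = @()
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path    = $Path
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $null
        Verdict = 'Inspect'
    }

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Unsigned or broken signature: no identity claim at all, scan as usual.
        $result.Verdict = 'Unsigned/invalid signature - scan normally'
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # 'Valid' only means the hash matches and a chain could be built.
    # Rebuild the chain with online revocation checking so a certificate that
    # was revoked after abuse (the stolen-certificate case above) is rejected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $result.Verdict = "Signed but chain check failed ($reasons) - treat as untrusted"
        return [pscustomobject]$result
    }

    # A good chain from a real company is still not an allowlist entry: the
    # signed ZeuS and Mediyes samples had exactly that. Only an explicit
    # thumbprint match earns a reduced-scrutiny verdict.
    if ($TrustedSignerThumbprints -contains $cert.Thumbprint) {
        $result.Verdict = 'Signed by allowlisted publisher'
    } else {
        $result.Verdict = 'Validly signed by non-allowlisted publisher - scan normally'
    }
    return [pscustomobject]$result
}

# Usage (placeholder thumbprint and directory): review every driver on disk.
Get-ChildItem 'C:\Windows\System32\drivers\*.sys' |
    ForEach-Object {
        Test-SignedFileTrust -Path $_.FullName `
            -TrustedSignerThumbprints @('PLACEHOLDER_SHA1_THUMBPRINT')
    } |
    Format-Table Path, Status, Signer, Verdict -AutoSize
```

The design point is that the function never returns a "skip scanning" outcome for a file merely because its Status is Valid; the only reduced-scrutiny verdict requires both a chain that passes revocation checking and a signer thumbprint you chose to trust in advance.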
SPAMfighter News - 26-03-2012