A false antivirus program in the wild uses no less than a dozen compromised digital code-signing certificates, indicating hackers are increasingly breaching the systems of software developers, Microsoft wrote on Sunday.
The program, calling itself “Antivirus Security Pro” was detected in 2009 and has had a handful of different names over the years, according to a Microsoft security advisory, which labels it with only one name, “Win32/Winwebsec.”
Digital certificates, issued by Certification Authorities (CAs), are widely-used by programmers to “sign” software packages, which can be cryptographically checked to confirm that a application hasn’t been interfered with and comes from the developer who claims to write it.
But, if a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, making it look like the applications originated from an authorized developer.
The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued “by a number of different CAs to software developers in various locations around the world,” the company wrote.
The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, in accordance with a chart.
Using stolen certificates is not a new tactic, but it is usually deemed difficult to achieve since hackers have to either breach a business or an organization that issues the certificates.
One of the certificates was issued just 72 hours before Microsoft acquired samples of Antivirus Security Pro using it, indicating “that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.”
Microsoft discovered another fake antivirus program, which is known as “Win32/FakePav,” is also using stolen certificates.
To avoid problems, software developers should protect the private keys used for code-signing on securely-stored hardware devices for instance smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.
”Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware,” the company mentioned.
