Adobe Signing Certificates Commandeered For Malicious Utilities


Adobe has announced the discovery of a pair of malicious utilities that appear to be using a valid Adobe code signing certificate.

Both utilities are believed to come from the same source, according to a blog posted by Brad Arkin of the Adobe Secure Software Engineering Team, which suggests the certificates might have been used in an APT.

"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," wrote Arkin. "As a result, we believe the vast majority of users are not at risk. We have shared the samples via the Microsoft Active Protections Program (MAPP) so that security vendors can detect and block the malicious utilities."

[Related: 7 Deadly Sins of Information Security]

According to the Adobe blog, one of the malicious utilities, known as "pwdump7 v7.1," extracts password hashes from Windows and sometimes statically links the OpenSSL library libeay32.dll. "The sample we received included two separate and individually signed files. We believe the second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter."

After an initial assessment of the first sample, Adobe decommissioned its signing infrastructure and began constructing a clean-room interim infrastructure for re-signing components that were originally signed with the impacted key after July 10. Human verification is being used to double-check all files to ensure that the signatures are valid while a new permanent signing solution is developed. Meanwhile, a forensic investigation is underway.

Current evidence points to a compromised build server that did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service. The company has discovered malware on the build server that was likely the initial incursion used to support standard advanced persistent threat (APT) tactics.

According to the blog, "the build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobe’s ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR. We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account. There is no evidence to date that any source code was stolen."

The revocation of the impacted certificate is planned for Oct. 4. Customers are being referred to the Adobe support page for information on what corrective steps, if any, should be taken. Adobe says most customers will not notice anything out of the ordinary during the revocation process.

Arkin added that this situation "only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms."

PUBLISHED SEPT. 27, 2012