Phony Antivirus Software Pushers Have New Trick Up Their Sleeve


Cybercriminals pushing rogue antivirus software now have a better chance of infecting systems with malware, following detection of their use of stolen digital certificates.

ThreatTrack Security researchers found that the Winwebsec malware family, which pushes rogue antivirus software, has been using stolen digital certificates, said Dodi Glenn, director of security intelligence at Clearwater, Fla.-based ThreatTrack Security.

ThreatTrack released its findings Wednesday, reporting that the certificates were stolen from Source Medical Solutions, a maker of medical management, billing and clinical software for specialty hospitals; Ohanae, a cloud management software maker; and FirsTech, a payment processing provider in Illinois.

Stolen certificates enable attackers to make malware look legitimate on a victim's PC and can dupe antivirus detection engines. A valid code signature does not give the malicious code any extra privileges, but it makes the binary appear to come from a trusted publisher, so users, reputation-based filters and application whitelisting controls are more likely to let it run. Two of the certificates have been revoked, but Glenn said two other recently detected certificates remain active and have been submitted to VeriSign for revocation.
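The defensive response to a story like this is to go looking for binaries signed with the stolen certificates. The PowerShell below is an added example, not code from the article or from ThreatTrack: it scans common drop locations for Windows executables whose Authenticode signer is on a local block list, or whose signing certificate now fails an online revocation check. The thumbprints in `$BlockedThumbprints` are hypothetical placeholders, not the certificates named in the article; the directories scanned are an assumption about where rogue antivirus installers usually land.

```powershell
# Added example, not code from the article or from ThreatTrack.
# Hunts a directory tree for binaries whose Authenticode signer is on a local
# block list of known-stolen certificates, or whose signing certificate now
# fails an online revocation check. The thumbprints in $BlockedThumbprints are
# hypothetical placeholders, not the certificates named in the article.

$BlockedThumbprints = @{
    '0000000000000000000000000000000000000001' = 'placeholder: stolen cert 1'
    '0000000000000000000000000000000000000002' = 'placeholder: stolen cert 2'
}

function Test-SignerRevoked {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with revocation checking forced on for every certificate
    # in it. Get-AuthenticodeSignature alone can still report 'Valid' for a
    # timestamped signature whose certificate was revoked after the timestamp,
    # so a revoked-now check against the certificate itself is done separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $revoked = $chain.ChainStatus |
        Where-Object { $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked }
    return [bool]$revoked
}

function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer     = if ($cert) { $cert.Subject } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Blocked    = [bool]($cert -and $BlockedThumbprints.ContainsKey($cert.Thumbprint))
        Revoked    = [bool]($cert -and (Test-SignerRevoked -Cert $cert))
    }
}

# Scan the usual drop locations (an assumption) and report anything suspicious:
# signed with a blocked or revoked certificate, or carrying a signature that
# no longer verifies (tampered binary or untrusted chain). Unsigned files are
# not flagged here; that is a separate, much noisier hunt.
Get-ChildItem -Path $env:ProgramFiles, $env:LOCALAPPDATA, $env:TEMP -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignedBinary -Path $_.FullName } |
    Where-Object { $_.Blocked -or $_.Revoked -or ($_.Status -notin 'Valid', 'NotSigned') } |
    Format-Table Path, Status, Signer, Blocked, Revoked -AutoSize
```

Two caveats a practitioner should keep in mind. First, revocation only helps once the issuer has actually published it and the host can reach the CRL or OCSP responder; on an offline machine the chain builder reports the revocation status as unknown rather than revoked, which this script treats as not revoked. Second, Authenticode honours trusted timestamps, so a file signed before the certificate's revocation date can keep verifying as valid for years, which is exactly why the thumbprint block list is the stronger control for certificates known to be stolen.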

[Related: 10 Trending Cyberthreat Attacks In 2013]

"The interesting thing is that people don't treat these like golden keys to the kingdom, and they should," Glenn told CRN. "They should be walled off and locked down from anyone on the outside."

It's very likely that the certificates were swept up in a broad attack carried out by cybercriminals attempting to steal FTP credentials and other data, Glenn said. Once stolen, the certificates are sold in hacking forums, sometimes to the highest bidder.

Stolen software code signing certificates increasingly are being used by attackers. In its latest threat report, McAfee said signed malware, which poses as approved legitimate software, continues to set records, increasing by 50 percent in the second quarter of 2013.

Certificate theft was also part of the Bit9 data breach in February: the attackers compromised the company's network, obtained one of its code signing certificates and used it to sign malware that was deployed against several Bit9 customers before the breach was detected and the certificate was revoked. Last year, Microsoft revoked the certificates used in the Flame attacks, a targeted nation-state surveillance campaign; those certificates were forged rather than stolen, by abusing Microsoft's Terminal Server Licensing Service together with a weakness in the MD5 hash function, but the end result, malware that carried a trusted signature, was the same.

As a best practice, software publishers should protect the private keys behind their code signing certificates with strong security controls, since those keys are what vouch for the validity of their applications, Glenn said. Access to the private keys should be restricted to as few people and systems as possible, and the keys should be stored encrypted, he said.

According to Microsoft's latest Security Intelligence Report, Winwebsec malware family infections were the most-encountered malware infections in the beginning of 2013. Detection of the malware has decreased since 2012, Microsoft said.

Winwebsec uses prevalent antivirus brand names to make it appear to the user that it is legitimate software. Names seen by Microsoft include Antivirus Security Pro, AVASoft Professional Antivirus, Smart Fortress 2012 and Win 8 Security System. The attackers behind the rogue antivirus software also are believed to be responsible for the Mac Defender rogue security software program detected on Apple Mac OS X systems in 2011, Microsoft said.

"These different distributions of the Trojan use various installation methods, with file names and system modifications that can differ from one variant to the next," Microsoft said in its report.

PUBLISHED OCT. 30, 2013