A STOLEN digital certificate once belonging to the Malaysian government has been used to sign malware.
Security outfit F-Secure came across a malicious PDF file laced with malware that contacts remote servers to download further malware. Finding a malicious PDF isn't particularly surprising, but what raised a few eyebrows was that it carried a digital signature made with a certificate that was valid at the time.
F-Secure's investigation found that the certificate had been issued by Digisign Server ID for the domain mardi.gov.my, which belongs to the Malaysian Agricultural Research and Development Institute. According to F-Secure, the Malaysian authorities said the certificate had been stolen "quite some time ago".
Malware signed with a valid certificate does not trigger the unsigned-code warning when it is downloaded and run. F-Secure notes that some security products may even treat signed code as more trustworthy than unsigned code, because of the trust placed in the authenticity of the signing certificate.
F-Secure confirmed that the stolen certificate has now expired, so warnings should appear. Expiry is a weak remedy, though: a signature that carries a trusted timestamp from inside the certificate's validity period keeps verifying on Windows after the certificate expires, which is why revoking a stolen certificate, rather than waiting for it to lapse, is the proper response. The firm's security software detects the malware as Trojan-Downloader:W32/Agent.DTIW.
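To make the difference between an expired and a revoked signing certificate concrete, here is an added example in Go; it is not code from the original article or from F-Secure. It builds a throwaway CA and a leaf certificate valid only during 2011, signs a constructed sample payload with the leaf key (the role the stolen key played for whoever signed the malware), and then checks the same signature three ways: with the verifier's clock inside the validity period, with the clock after expiry, and against a revocation list. The CA name, subject, serial number and payload are all hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict records the outcome of each check a verifier runs over a signed file.
type Verdict struct {
	SignatureValid bool // signature matches the file under the leaf's public key
	ChainValid     bool // leaf chains to a trusted CA and is inside its validity period at check time
	Revoked        bool // leaf's serial number is on the issuer's revocation list
	Accepted       bool // all checks passed: the file would run without a warning
	Reason         string
}

// must panics on error: this toy PKI has no failure worth recovering from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a certificate from tmpl, self-signed when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newPKI builds a hypothetical CA and a leaf certificate valid only during 2011,
// standing in for a certificate that has since expired.
func newPKI() (ca, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca = makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"},
		NotBefore: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:  time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	leafKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf = makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "example.invalid"},
		NotBefore: time.Date(2011, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:  time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, leafKey
}

// signData produces an ECDSA-with-SHA256 signature over data with the leaf key.
func signData(key *ecdsa.PrivateKey, data []byte) []byte {
	digest := sha256.Sum256(data)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// checkSignedFile runs signature, revocation and chain checks at an explicit point in
// time, so one signed file can be judged as it was in 2011 and as it is after expiry.
// revoked stands in for the issuer's CRL: a set of revoked serial numbers.
func checkSignedFile(ca, leaf *x509.Certificate, data, sig []byte, at time.Time, revoked map[string]bool) Verdict {
	var v Verdict
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, data, sig); err != nil {
		v.Reason = "signature does not match file: " + err.Error()
		return v
	}
	v.SignatureValid = true
	if revoked[leaf.SerialNumber.String()] { // revocation applies whatever the date
		v.Revoked = true
		v.Reason = "signing certificate revoked by its issuer"
		return v
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil { // fails once the clock passes NotAfter
		v.Reason = "chain invalid on " + at.Format("2006-01-02") + ": " + err.Error()
		return v
	}
	v.ChainValid, v.Accepted = true, true
	v.Reason = "trusted on " + at.Format("2006-01-02")
	return v
}

func main() {
	ca, leaf, key := newPKI()
	data := []byte("constructed sample payload standing in for the signed malware")
	sig := signData(key, data)
	during := time.Date(2011, 6, 1, 0, 0, 0, 0, time.UTC) // inside the validity period
	after := time.Date(2012, 6, 1, 0, 0, 0, 0, time.UTC)  // after expiry
	crl := map[string]bool{leaf.SerialNumber.String(): true} // issuer has revoked the leaf
	fmt.Printf("%+v\n", checkSignedFile(ca, leaf, data, sig, during, nil))
	fmt.Printf("%+v\n", checkSignedFile(ca, leaf, data, sig, after, nil))
	fmt.Printf("%+v\n", checkSignedFile(ca, leaf, data, sig, during, crl))
}
```

The signature itself stays mathematically valid in all three runs; only the policy around it changes. Expiry is enforced solely through the verifier's clock (`CurrentTime`), so anything that fixes the evaluation date inside the validity window, such as a timestamp countersignature, keeps the expired certificate useful to the attacker. The revocation entry rejects the certificate regardless of date, which is the remedy the issuer should have been asked for.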
Although the certificate has expired, the Malaysian authorities should be asked why, knowing of the theft, they did not have Digisign Server ID revoke it. This latest incident is another blow to the credibility of the digital certificate business, following the widely publicised breaches at Comodo and DigiNotar. µ