
Stolen Malaysian government certificate was used to sign malware

Not the official seal of approval you were expecting
Tue Nov 15 2011, 13:46

A STOLEN digital certificate once belonging to the Malaysian government has been used to sign malware.

Security outfit F-Secure came across a malicious PDF file laced with malware that contacts remote servers to download further malware. Finding a malicious PDF isn't particularly surprising, but what raised a few eyebrows was that the malware carried a digital signature made with a certificate that was still valid at the time.

F-Secure's investigation found that the certificate had been issued for the domain mardi.gov.my, run by the Malaysian Agricultural Research and Development Institute, and that the issuer was Digisign Server ID. According to F-Secure, the Malaysian authorities said the certificate had been stolen "quite some time ago".

Malware that is digitally signed with a valid certificate does not trigger the unknown-publisher warning that users see when they download or run unsigned code. F-Secure notes that some security systems might even trust signed malware more than unsigned code, because of the trust placed in the authenticity of the signing certificate.

F-Secure confirmed that the stolen certificate has now expired, which means warnings should appear. Expiry is not the same as revocation, however: a signature that carries a trusted timestamp from inside the certificate's validity period still verifies after the certificate expires, so only revocation by the issuing CA reliably closes the door. The firm's security software detects the malware as Trojan-Downloader:W32/Agent.DTIW.

While the certificate has expired, questions should be asked of the Malaysian authorities as to why the Malaysian government did not get in touch with Digisign Server ID to revoke the certificate once it knew of the theft. This latest incident is yet another blow to the credibility of the digital certification business after the widely publicised breaches at Comodo and DigiNotar. µ
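As an added illustration (not code from F-Secure, Digisign or the original article), the following Python models why expiry alone is a weak defence against a stolen code-signing certificate and why revocation matters. It is a simplified Authenticode-style verifier: when a signature carries a countersigned timestamp the certificate is evaluated at that signing time, otherwise at the current time, and a revocation only bites if the CA dated it at or before the signing moment. The certificate dates, signing time and revocation dates are constructed for the example and are not those of the real mardi.gov.my certificate.

```python
# Added illustration, not F-Secure's, Digisign's or Microsoft's code: a
# simplified model of how an Authenticode-style verifier weighs expiry,
# trusted timestamps and revocation for one signed file.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None: the CA never revoked it


@dataclass(frozen=True)
class Signature:
    signer: Certificate
    timestamp: Optional[datetime]  # countersigned signing time, None if absent


def verify(sig: Signature, now: datetime) -> str:
    """Return VALID, EXPIRED or REVOKED for one signature checked at `now`.

    Lifetime-signing rule: a trusted timestamp fixes the moment at which the
    certificate is evaluated; without one the verifier can only use `now`.
    """
    cert = sig.signer
    when = sig.timestamp if sig.timestamp is not None else now
    # Revocation wins only if the CA dated it at or before the signing moment,
    # which is why a stolen key should be revoked with a backdated date.
    if cert.revoked_at is not None and cert.revoked_at <= when:
        return "REVOKED"
    if not (cert.not_before <= when <= cert.not_after):
        return "EXPIRED"
    return "VALID"


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed data: these dates are illustrative, not the real certificate's.
VALIDITY = (_utc(2009, 10, 1), _utc(2011, 9, 29))
STOLEN = Certificate("mardi.gov.my", *VALIDITY)
REVOKED_BACKDATED = Certificate("mardi.gov.my", *VALIDITY, revoked_at=_utc(2010, 6, 1))
REVOKED_LATE = Certificate("mardi.gov.my", *VALIDITY, revoked_at=_utc(2011, 11, 1))

SIGNING_TIME = _utc(2011, 3, 1)   # attacker signs inside the validity window
CHECK_TIME = _utc(2011, 11, 15)   # a user runs the file after expiry


def scenarios() -> Dict[str, str]:
    """Outcomes for the same stolen certificate under different conditions."""
    return {
        # Nothing flags the file while the certificate is still valid.
        "during_validity": verify(Signature(STOLEN, None), SIGNING_TIME),
        # No timestamp, checked after expiry: the warning the article expects.
        "expired_no_timestamp": verify(Signature(STOLEN, None), CHECK_TIME),
        # Same certificate, but the signature is timestamped: still VALID.
        "expired_with_timestamp": verify(Signature(STOLEN, SIGNING_TIME), CHECK_TIME),
        # Revocation dated after the signing time does not help either.
        "revoked_late_with_timestamp": verify(Signature(REVOKED_LATE, SIGNING_TIME), CHECK_TIME),
        # Only a revocation backdated to the theft blocks the timestamped signature.
        "revoked_backdated_with_timestamp": verify(Signature(REVOKED_BACKDATED, SIGNING_TIME), CHECK_TIME),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:34s} {result}")
```

The two "expired" rows are the practical point: waiting for the certificate to run out only stops signatures that were never timestamped, and a revocation entry dated after the theft was discovered leaves earlier timestamped signatures untouched, so a CA handling a reported theft has to set the revocation date back to when the key was believed compromised.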
