Malware Using Fake Certificate to Evade Detection
Contributor: Hiroshi Shinotsuka
Malware authors are always looking for new ways to slip past defences. As cybercriminals face a growing set of preventative technologies from Symantec and users become more security conscious, it is getting harder for the bad guys to win, so they borrow the trappings of legitimate software instead.
Recently, during research, we came across an oddly named sample, Word13.exe (Word is a Microsoft product, yet the file claims to come from Adobe). At first glance it appears to be a digitally signed file from Adobe.
Figure 1. Word13.exe file signed by Adobe
Figure 2. Fake digital signature properties
But on closer inspection we found something very interesting.
Figure 3. Fake signature and certificate
It is fake. The "Issued By" field reads "Adobe Systems Incorporated", that is, the certificate claims to have been issued by Adobe itself rather than by a certification authority. A genuine Adobe code-signing certificate is issued by a public CA (Adobe is a VeriSign customer), so the issuer would be VeriSign, not Adobe. Anyone can generate a certificate carrying Adobe's name; only the chain back to a trusted CA gives the name any weight. Also, in the certificate information, we see that the CA root certificate is not trusted: Windows cannot build a chain from this signer to any root in its trusted store, which is another dead giveaway.
Figure 4. Legitimate Adobe signature and certificate
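The two checks described above, the issuer name and whether the chain ends in a trusted root, can be scripted instead of read off the properties dialog. The following PowerShell is an added example and not code from the original post or from Symantec; it uses the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class, and the file path .\Word13.exe is assumed for illustration.

```powershell
# Added example (not from the original post): verify an Authenticode signature
# the way the article does by hand, and flag self-issued or untrusted signers.
# Assumptions: runs on Windows PowerShell 5.1 or PowerShell 7 on Windows with
# access to the machine's certificate stores; the file path is illustrative.
function Test-CodeSignature {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path         = $Path
        Status       = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        StatusText   = $sig.StatusMessage
        Subject      = $null
        Issuer       = $null
        SelfIssued   = $false
        ChainTrusted = $false
        ChainErrors  = @()
    }

    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Subject = $cert.Subject
    $result.Issuer  = $cert.Issuer

    # A legitimate vendor certificate is issued by a public CA. When Subject and
    # Issuer are the same name the certificate vouches only for itself, which is
    # the "Issued By: Adobe Systems Incorporated" giveaway in the post.
    $result.SelfIssued = ($cert.Subject -eq $cert.Issuer)

    # Build the chain against the local trust stores and require the Code
    # Signing EKU (1.3.6.1.5.5.7.3.3) so a TLS or e-mail certificate cannot pass.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3')
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    [pscustomobject]$result
}

# Treat anything other than a Valid status with a CA-issued, trusted chain as unsigned.
$r = Test-CodeSignature -Path '.\Word13.exe'
$r | Format-List
if ($r.Status -ne 'Valid' -or $r.SelfIssued -or -not $r.ChainTrusted) {
    Write-Warning "Do not trust $($r.Path): the signature is not backed by a trusted CA."
}
```

For a file like the one in the post, Get-AuthenticodeSignature reports a status of NotTrusted (the chain terminates in a root the trust provider does not know) and X509Chain.Build returns false with an UntrustedRoot entry in ChainErrors; the Subject and Issuer fields will show the same Adobe name. Note that a signature that is merely present is not the same as one that is valid: a script that only tests whether SignerCertificate is non-null would have accepted this sample.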
Symantec has protection in place and detects this file as Backdoor.Trojan.
When executed, Backdoor.Trojan injects itself into iexplore.exe or notepad.exe and starts its back door functionality from within that process.
It may create the following files:
- %UserProfile%\Application Data\aobecaps\cap.dll
- %UserProfile%\Application Data\aobecaps\mps.dll
- %UserProfile%\Application Data\aobecaps\db.dat
It connects to the following command-and-control (C&C) server on port 3337:
This back door may then perform the following actions:
- Steal user and computer information
- Create folders
- Create, download, delete, move, search for, and execute files
- Capture screenshots
- Emulate mouse function
- Steal Skype information
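The dropped files, the host processes and the C&C port listed above are enough for a quick host check. The following PowerShell is an added example and not code from the original post or from Symantec; the indicator values are taken from the text above, and the script assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt to see other users' profiles and processes.

```powershell
# Added example (not from the original post): hunt for the host artefacts the
# article attributes to this Backdoor.Trojan sample.
# Assumptions: indicator values come from the post; Get-NetTCPConnection needs
# Windows 8 / Server 2012 or later; run elevated to see all profiles and PIDs.
$DropDir       = 'aobecaps'
$DropFiles     = 'cap.dll', 'mps.dll', 'db.dat'
$C2Port        = 3337
$HostProcesses = 'iexplore', 'notepad'

function Find-DroppedFiles {
    # The post gives the Windows XP location (%UserProfile%\Application Data);
    # on Vista and later the same folder is AppData\Roaming, so pick whichever
    # exists for each profile on the machine.
    $profiles = Get-ChildItem -Path (Split-Path $env:USERPROFILE -Parent) -Directory
    foreach ($p in $profiles) {
        $base = if (Test-Path -LiteralPath "$($p.FullName)\AppData\Roaming") {
            "$($p.FullName)\AppData\Roaming"
        } else {
            "$($p.FullName)\Application Data"
        }
        foreach ($f in $DropFiles) {
            $candidate = Join-Path (Join-Path $base $DropDir) $f
            if (Test-Path -LiteralPath $candidate) {
                Get-Item -LiteralPath $candidate -Force
            }
        }
    }
}

function Find-C2Connections {
    # The back door injects into iexplore.exe or notepad.exe and talks to its
    # C&C server on TCP 3337. notepad.exe has no business holding an outbound
    # socket at all, so a hit on that process is suspicious regardless of port.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $C2Port } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process     = $proc.ProcessName
                PID         = $_.OwningProcess
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                KnownHost   = ($HostProcesses -contains $proc.ProcessName)
            }
        }
}

$files = @(Find-DroppedFiles)
$conns = @(Find-C2Connections)

if ($files) { Write-Warning 'Dropped files found:'; $files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize }
if ($conns) { Write-Warning "Established connections to TCP $C2Port:"; $conns | Format-Table -AutoSize }
if (-not $files -and -not $conns) { 'No indicators from the post were found on this host.' }
```

The port alone is a weak indicator, since the author can change it in the next build, so the file paths and the unusual host process carry more weight; treat any notepad.exe with an established outbound connection as worth a look even if the remote port is not 3337.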
To ensure that you do not become a victim of this threat, keep your antivirus definitions up to date and apply software updates promptly. Always double check the URL of any download that is offered and, where applicable, inspect the file's certificate and signature: the signature must be valid, and the certificate must be issued by a trusted certification authority rather than bearing the vendor's own name as its issuer.