Let's, for a moment, get into the mind of a cyber criminal:
Say you have a malicious executable that steals sensitive data (credit card numbers, credentials, etc.), which you would like to execute on compromised computers. You put a lot of effort into developing the Trojan, and you want to stay under the radar as much as possible. You know that when an unsigned executable, or an executable signed by an untrusted certificate, is executed, it alerts the user with warnings similar to the following samples:
Executed via browser:
Or if opened via Windows Explorer:
You also know that there are even some security products that block unsigned or untrusted binaries.
To stay on the safe side and increase your chances of success, you want to sign the malicious exe file with a trusted certificate.
But where can you find a trusted certificate you can use to sign the malicious file?
It's quite obvious that applying for a certificate from one of the trusted CAs (Certificate Authorities) is not realistic, since you have to identify yourself to the CA and that identity will later be attached to the file. Attaching your identity to malware is, well, not recommended.
You've also heard of APT campaigns such as Stuxnet and Duqu that used signed executables and trusted certificates. But the authors behind these campaigns were obviously resourceful enough to overcome this problem with methods not available to the average criminal.
So what could our average Joe criminal do in order to resolve this "problem"? Not surprisingly, the underground hacking forums occasionally present some forbidden fruits for sale. A few days ago we came across a post in one of those forums selling two valid certificates:
"Got two trusted certificates for signing exe.
The first is valid until December 2013 - 700 WMZ.
The second is valid until March 2015 – 900 WMZ.
People who don't know what to do with them or people who are only willing to pay a small price – don't bother me. Jabber: ####..."
Later in the thread the owner of the certificates added additional details about them:
- The certificates were issued by Comodo and VeriSign.
- VeriSign's certificate is valid until December 18th 2013.
- Comodo's is valid until March 13th 2015.
Both of them were already sold by the time we got to this thread.
Seeing valid certificates from well-known CAs up for sale is always surprising, and the price is even more surprising: only ~$700 for the first certificate. Maybe stolen certificates are not as rare as we thought?
We don't know where this guy got the stolen certificates from, but we can share some of our educated guesses. The most common way involves a Trojan installed on some unsuspecting certificate owners' machines.
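If a trusted certificate can change hands for 700 WMZ, a valid signature from a well-known CA proves only that the signer held the private key, not that the file is benign. The control a defender has once a key is stolen is revocation, and code-signing verifiers (Authenticode among them) treat a signature that carries a trusted timestamp from before the revocation date as still valid, while anything signed later, or never timestamped, is rejected. The following is an added example, not code from the original post: a small trust policy in Python that applies those rules. The CA names, serial numbers, publisher names, revocation date and verification time are all constructed for illustration; only the two expiry dates are taken from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Signer:
    """What a verifier learns from a code signature (Authenticode-style)."""
    subject: str                      # publisher name in the certificate
    issuer: str                       # CA that issued the certificate
    serial: str                       # certificate serial number
    not_before: datetime
    not_after: datetime
    signing_time: Optional[datetime]  # from a trusted timestamp countersignature, else None


# Constructed policy data: CA names, serials and dates are illustrative.
TRUSTED_CAS = {"VeriSign Class 3 Code Signing CA", "COMODO Code Signing CA"}
REVOKED_AT = {"1a2b3c": datetime(2013, 6, 1, tzinfo=UTC)}  # serial -> revocation date
ALLOWED_PUBLISHERS = {"Example Software Ltd"}


def evaluate(signer: Signer, now: datetime, require_allowlist: bool = False) -> Tuple[bool, str]:
    """Return (trusted, reason) for a signature made by `signer`, verified at `now`."""
    if signer.issuer not in TRUSTED_CAS:
        return False, "issuer is not a trusted code-signing CA"
    # A timestamped signature is judged at signing time; an untimestamped one is
    # judged at verification time, so it stops validating once the cert expires.
    effective = signer.signing_time or now
    if not (signer.not_before <= effective <= signer.not_after):
        return False, "certificate outside its validity window"
    revoked = REVOKED_AT.get(signer.serial)
    if revoked is not None and (signer.signing_time is None or signer.signing_time >= revoked):
        return False, "certificate revoked and signature not timestamped before revocation"
    # A stolen certificate still carries the legitimate owner's name, so an
    # allowlist does not catch it; it only narrows which publishers may run at all.
    if require_allowlist and signer.subject not in ALLOWED_PUBLISHERS:
        return False, "publisher not on the allowlist"
    return True, "ok"


# Constructed certificates whose expiry dates match the two quoted in the post.
VERISIGN_CERT = dict(subject="Example Software Ltd", issuer="VeriSign Class 3 Code Signing CA",
                     serial="1a2b3c", not_before=datetime(2012, 12, 18, tzinfo=UTC),
                     not_after=datetime(2013, 12, 18, tzinfo=UTC))
COMODO_CERT = dict(subject="Another Publisher", issuer="COMODO Code Signing CA",
                   serial="4d5e6f", not_before=datetime(2013, 3, 13, tzinfo=UTC),
                   not_after=datetime(2015, 3, 13, tzinfo=UTC))
VERIFICATION_TIME = datetime(2014, 1, 1, tzinfo=UTC)  # when the file is being checked


def demo(now: datetime = VERIFICATION_TIME) -> dict:
    """Evaluate a set of constructed signatures; keys name the scenario."""
    cases = {
        # Real owner signed and timestamped before the key was reported stolen.
        "legitimate_release": (Signer(signing_time=datetime(2013, 1, 15, tzinfo=UTC), **VERISIGN_CERT), False),
        # Same certificate and publisher name, signed after the CA revoked it.
        "stolen_key_timestamped": (Signer(signing_time=datetime(2013, 9, 1, tzinfo=UTC), **VERISIGN_CERT), False),
        # No timestamp: judged at `now`, by which time the certificate has expired.
        "stolen_key_untimestamped": (Signer(signing_time=None, **VERISIGN_CERT), False),
        "unknown_issuer": (Signer(signing_time=None, **{**COMODO_CERT, "issuer": "Some Other CA"}), False),
        "comodo_valid": (Signer(signing_time=datetime(2013, 12, 1, tzinfo=UTC), **COMODO_CERT), False),
        "comodo_not_allowlisted": (Signer(signing_time=datetime(2013, 12, 1, tzinfo=UTC), **COMODO_CERT), True),
    }
    return {name: evaluate(s, now, req) for name, (s, req) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26} {'TRUSTED' if ok else 'REJECT '} {why}")
```

The gap this policy cannot close is the window between the theft and the moment the owner notices and asks the CA to revoke: a file signed and timestamped inside that window verifies exactly like the owner's own releases, with the owner's name on it. That is why a valid signature should feed reputation and telemetry rather than stand as a verdict on its own, and why the certificate owner's side of the fix is to keep the signing key on a smart card or HSM, where a store-scraping Trojan of the kind described below finds a certificate but no exportable private key.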
A recent example we blogged about is the Pony Trojan:
That is a screenshot of the Pony 1.9 control panel. One of the statistics lines shows the number of successfully stolen certificates.
And here is a code snippet of the Trojan which is responsible for grabbing the certificates from the affected machine:
The GrabCert method uses several crypt32.dll functions to extract the certificates. The MyCertOpenSystemStore method is responsible for opening the certificate store. The call to the MyCertEnumCertificatesInStore method retrieves a certificate from the cert store. The Trojan goes over all the certificates in the cert store using a ".WHILE TRUE" loop.
These certificates are later dispatched to the C&C server together with additional data that was leeched from the affected machine.
Who knows? Maybe one of those stolen certificates will later be found for sale in a forum for 700 WMZ?
I would like to thank my colleagues Arseny Levin and Anat Davidi for their help with the research put into this blog.