Brazilian Trojan Issued Digital Certificate; Revoked Later

Wikipedia defines a digital certificate as ‘an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.’

In the case of software, it is used to ensure that the software is what it claims. Operating Systems use digital certificates to make sure that an application that is being installed is valid. But what if the digital certificate is obtained by giving fake information?

There have been cases in the past were malware authors used stolen digital certificates for their rogue apps. But according to a report from Kaspersky, a group of Brazilian Trojan authors was able to obtain genuine certificates from Comodo by using fake data.

The authors used a fake company name gastecnology.org for obtaining the certificate. As shown in the Securelist blog, a simple DNS lookup of that particular domain name gives use some clues as to the veracity of that company.

Firstly, the email address used to register the account is a free Yahoo Mail account and secondly, the phone number as well as the address provided was fake.

After obtaining the digital certificate, the malware authors used an extensive email campaign to spread the malware. The certificate has been revoked since then and the application is now flagged as malware.

Although the certificate was revoked, the big question here is why the certificate was allowed in the first place. Since digital certificate plays an integral part in verifying the validity of an application, signing an application should be only done after verifying the submitted data which was not the case here. Hopefully certification authorities will be more careful after this incident.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>