Be a real security pro – Keep your private keys private

One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies’ authentication credentials to sign their own files, malware distributors are able to make it appear that their files have come from a more trustworthy source.

Since then, malware signed with poorly secured or stolen credentials has been relatively rare. Most digitally-signed malware uses code-signing certificates that have been paid for and obtained directly from the certification authority (CA) that issued them. These CAs would be unaware the certificates were intended to be used for nefarious purposes. For example, recently the fake antivirus family Rogue:Win32/FakePav reappeared after being inactive for more than a year. Prior to the period of inactivity, FakePav’s executables were not digitally signed, but the new variants have been. After a few days using a single certificate, FakePav switched to a different certificate, issued in the same name as the previous one, but by a different CA.

However, in the past month or so, the use of stolen certificates has become more common. In particular, Rogue:Win32/Winwebsec, another rogue calling itself Antivirus Security Pro, has been distributed signed with credentials stolen from at least twelve different software developers.

Antivirus Security Pro user interface

Figure 1: Antivirus Security Pro user interface

A related family, TrojanSpy:Win32/Ursnif, has also been distributed with files signed using stolen credentials. We have observed Winwebsec downloading Ursnif, a trojan that monitors web traffic, and steals sensitive information, including passwords. Earlier variants of Ursnif were also capable of stealing certificates and private keys, but this functionality does not appear to be present in the latest versions. Instead, it appears to have been added to certain samples of PWS:Win32/Fareit.

Fareit steals certificates

Figure 2: Fareit steals certificates

PWS:Win32/Fareit is a Trojan that mostly steals passwords from a user’s FTP client, but sometimes also downloads and installs other malware, such as Winwebsec and Win32/Sirefef.

Fareit infects computers, using stolen signed certificates

Figure 3: Relationship and interactions between Fareit, Sirefef, Winwebsec, and Ursnif families

The stolen certificates were issued by a number of different CAs to software developers in various locations around the world. The table below shows details of some of the certificates used to sign Winwebsec samples. Note that the number of samples column lists only the digitally-signed Winwebsec samples that we have a copy of – there may be many other samples that we have not received. But, it gives an idea of the magnitude of the problem. Interestingly, one of these certificates was issued only three days before we started seeing malware samples signed with it, which suggests that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.

Certificates used to sign Rogue:Win32/Winwebse

Figure 4: Certificates used to sign Rogue:Win32/Winwebsec samples

For those of you who are software developers, Microsoft has a document that describes the best practices for code-signing.  Although that document was written in 2007 and contains a few references to operating system tools that have since changed, all of the recommendations of appropriate security procedures for obtaining and storing code-signing certificates and private keys, and for digitally signing your software, remain as relevant as ever.

Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential. Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware. The document recommends keeping private keys physically secure by storing them on a securely-stored hardware device such as a smart card, USB token, or hardware security module. Certainly, no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution, and that any file you sign has been scanned for possible virus infection beforehand.

If a system you use for signing has been infected with Win32/Fareit or other malware, and you suspect your private keys have been compromised, you should contact the CA that issued the credentials immediately.

David Wood


d330699f28a295c42b7e3b4a127c79dfed3c34f1 (PWS:Win32/Fareit with certificate stealing capability)
006c4857c6004b0fcbb185660e6510e1feb0a7a3 (Digitally-signed Winwebsec)


Comments (6)

  1. Hetti Arachchige V Aravinda says:

    Diagrams are pretty impressive..

  2. Daniel Wolf says:

    Thanks for this post. Could you please post MD5s along with the SHA1s?

  3. Josh Straub says:

    Very interesting piece. I send in a lot (hundreds easily) of malware samples to MMPC over the past 7 years but I've never heard back from anyone. Do you guys find my samples useful? I get the most excited when I can submit an obvious malware that comes from a fresh spam campaign that nobody is detecting yet.

    Strangely the last year I have had several MMPC submissions that never were processed/completed. They just stayed in the initial status state. Why is that? I can be reached if you take my first name and add it to the domain.

  4. Marc Ochsenmeier says:

    Anyone knows where can I find this sample? I wanted to have a look at it with PeStudio…

  5. Marc Ochsenmeier says:

    I love twitter, now I have these samples!

  6. none for now says:

    I have been hacked starting from2011 It is the same personal person Has had been in my computer at same time as me Has locked me out and so on. I could never report person because person lockes me out from internet No one has ever believed me. Is their
    a program to keep keystroked safe. This is the fist time I have heard any one say this. I have asked and asked. Person hacking me used my emails to get into my computer.. So what program or down load do I use to be saft their also. This key stroke keys and
    cradintials may be the answer.I have bought 5 computers trying to be safe and starting freash I thought .In 3 days this same person is in my computer again Person takes over and is the Owner of my computers. I can not change anything. Person Knows ever time
    I open up my computer with the cardeathidrial and or guest list and any new emails I pick .. I know who it is and no one cares to help me. . I need a program to stop this! Please if any one knows what to buy. HELP!