Let’s, for a moment, get into the mind of a cyber criminal:
Say you have a malicious executable that steals sensitive data (credit card numbers, credentials, etc.), which you would like to execute on compromised computers. You have put a lot of effort into developing the Trojan, and you want to stay under the radar as much as possible. You know that when an unsigned executable, or one signed with an untrusted certificate, is executed, Windows warns the user with dialogs similar to the following samples:
Executed via browser:
Or if opened via Windows Explorer:
You also know that there are even some security products that block unsigned or untrusted binaries.
To stay on the safe side and increase your chances of success, you want to sign the malicious exe file with a trusted certificate.
But where can you find a trusted certificate you can use to sign the malicious file?
It’s quite obvious that applying for a certificate from one of the trusted CAs (Certificate Authorities) is not realistic since you have to identify yourself to the CA and later that identity will be attached to the file. Attaching your identity to malware is, well, not recommended.
You’ve also heard of APT campaigns such as Stuxnet and Duqu that used signed executables and trusted certificates. But the authors behind these campaigns were obviously resourceful enough to overcome this problem with methods not available to the average criminal.
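The warnings above come from the Authenticode check Windows runs on a binary. Since the rest of this post is about trusted certificates ending up in the wrong hands, a defender's version of that check is worth having: the following PowerShell function is an added example, not code from the original post, and the function name and parameter are my own. It wraps `Get-AuthenticodeSignature`, which reports whether the hash and trust chain are good, and adds the step that cmdlet does not do for you, building the chain with online revocation checking so that a signature made with a certificate the CA has since revoked shows up as such. Revocation lookups need network access to the CA's CRL/OCSP endpoints.

```powershell
# Added example (not from the original post): inspect an executable's Authenticode
# signature the way a defender would before trusting a "signed" binary.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; $Path is any
# local .exe/.dll/.msi.
function Test-BinarySignature {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the hash and the trust chain, but does
    # not on its own tell you whether the signing certificate has since been revoked.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path             = $Path
        Status           = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage    = $sig.StatusMessage
        Signer           = $null
        SignerThumbprint = $null
        Issuer           = $null
        NotAfter         = $null
        Timestamped      = $false
        ChainValid       = $false
        Revoked          = $false
        RevocationKnown  = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer           = $cert.Subject
        $result.SignerThumbprint = $cert.Thumbprint
        $result.Issuer           = $cert.Issuer
        $result.NotAfter         = $cert.NotAfter
        # A countersignature (timestamp) keeps a signature valid after the
        # certificate expires; its absence is worth noting.
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

        # Build the chain with online revocation checking for every certificate
        # in it, and require the code-signing EKU (OID 1.3.6.1.5.5.7.3.3).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
        $result.ChainValid = $chain.Build($cert)

        # ChainStatus is empty when everything checked out; otherwise each entry
        # carries one X509ChainStatusFlags value.
        $flags = $chain.ChainStatus | ForEach-Object { $_.Status }
        $result.Revoked         = [bool]($flags -contains 'Revoked')
        # If every CRL/OCSP lookup succeeded, neither "unknown" flag is present.
        $result.RevocationKnown = -not (($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation'))
        $chain.Dispose()
    }

    [pscustomobject]$result
}

# Usage: decide on all fields, not just Status. A Status of Valid together
# with Revoked = True is exactly the case a stolen certificate produces once
# the CA has been told about it.
# Test-BinarySignature -Path 'C:\Downloads\setup.exe' | Format-List
```

Note that the trust dialogs in the screenshots are driven only by `Status`; a certificate that has been stolen but not yet reported will pass that check, which is the whole reason such certificates have resale value.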
So what could our average Joe criminal do in order to resolve this “problem”?
Not surprisingly, the underground hacking forums occasionally present some forbidden fruits for sale. A few days ago we came across a post in one of those forums selling two valid certificates:
“Got two trusted certificates for signing exe.
The first is valid until December 2013 - 700 WMZ.
The second is valid until March 2015 – 900 WMZ.
People who don’t know what to do with them or people who are only willing to pay a small price – don’t bother me.
Jabber: ####...”
Later in the thread the owner of the certificates added additional details about them:
- The certificates were issued by Comodo and VeriSign.
- VeriSign's certificate is valid until December 18th 2013.
- Comodo's is valid until March 13th 2015.
Both of them were already sold by the time we got to this thread.
Seeing valid certificates from well-known CAs up for sale is always surprising and the price is even more surprising: only ~$700 for the first certificate. Maybe stolen certificates are not as rare as we thought?
We don’t know where this guy got the stolen certificates from, but we can share some of our educated guesses. The most common way involves a Trojan installed on some unsuspecting certificate owners' machines.
A recent example we blogged about is the Pony Trojan:
That is a screenshot of the Pony 1.9 control panel. One of the statistics lines shows the number of successfully stolen certificates.
And here is a code snippet of the Trojan, which is responsible for grabbing the certificates from the affected machine:
The GrabCert routine uses several crypt32.dll functions to extract the certificates. MyCertOpenSystemStore opens the certificate store, and MyCertEnumCertificatesInStore retrieves the next certificate from that store. The Trojan walks every certificate in the store by calling it repeatedly inside a “.WHILE TRUE” loop.
These certificates are later dispatched to the C&C server together with additional data that was leeched from the affected machine.
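The same store walk, seen from the certificate owner's side, as an added example that is not part of the original post and is not the Trojan's code: a PowerShell audit function (its name and parameter are my own) that enumerates the personal certificate stores for code-signing certificates that have a private key on the machine and reports which key provider holds the key and whether that key is marked exportable by software. The post does not say how Pony gets the private key out, so the check makes no claim about that; the point is that a key which cannot be exported by software cannot be carried off and resold like the two certificates above, even though malware running as the same user could still misuse it locally.

```powershell
# Added example (not the Trojan's code, not from the original post): audit the
# personal certificate stores for code-signing certificates whose private key a
# process running as this user could copy out. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows with .NET 4.6+ (RSACertificateExtensions).
function Get-CodeSigningKeyExposure {
    [CmdletBinding()]
    param(
        # Personal stores for the current user and the machine; add others if you use them.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($store in $StorePath) {
        # -CodeSigningCert is a dynamic parameter of the Cert: provider; only
        # certificates carrying the code-signing EKU are returned.
        Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                $cert       = $_
                $provider   = 'unknown'
                $exportable = 'unknown'
                try {
                    # Returns $null when the certificate's key is not RSA, so fall back to ECDSA.
                    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($null -eq $key) {
                        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                    }
                    if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                        # CNG key: the export policy lives on the CngKey object.
                        $provider   = $key.Key.Provider.Provider
                        $exportable = (($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
                    }
                    elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        # Legacy CSP key: the container info carries the flag.
                        $provider   = $key.CspKeyContainerInfo.ProviderName
                        $exportable = $key.CspKeyContainerInfo.Exportable
                    }
                }
                catch {
                    # e.g. a smart card that prompts for a PIN, or a key ACL that denies this user.
                    $provider = "error: $($_.Exception.Message)"
                }
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Provider   = $provider
                    Exportable = $exportable
                }
            }
    }
}

# Usage: every row with Exportable = True is a key a stealer on this host could
# carry off; reissue it as non-exportable or move it to a smart card / HSM.
# Get-CodeSigningKeyExposure | Format-Table -AutoSize
```

Run it as the account that actually signs builds, since `Cert:\CurrentUser\My` is per user; a build server is the more interesting target than a developer laptop, and the `LocalMachine` store is where service accounts usually keep their keys.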
Who knows? Maybe one of those stolen certificates is later found for sale in a forum for 700 WMZ?
I would like to thank my colleagues Arseny Levin and Anat Davidi for their help with the research put into this blog.