Bank-raid ZeuS malware waltzes around web with 'valid app signature'

A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs. It appears miscreants have somehow gained access to the private signing key belonging to a Microsoft-registered third-party developer in Switzerland, …

COMMENTS

This topic is closed for new posts.
  1. Mikel

    Whose signature?

    Code signing requires that the authority who granted the certificate knows who signed the executable. Otherwise it wouldn't be a "signature" at all, would it? Should be easy to tell who from the key revocation announcement.

    1. Peter2 Silver badge

      Re: Whose signature?

      At the time of writing, as so far as I can see it's still a valid certificate.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Whose signature?

      Correct - Comodo alleges the signing key belongs to Isonet AG, based in Switzerland.

      C.

      1. Peter2 Silver badge

        Re: Whose signature?

        Oh, I'm not doubting that's correct. But at this point, the key is quite obviously compromised and imo should be revoked.

  2. Roger Stenning

    Name and shame?

    So that the rest of us know who screwed the security pooch?

    1. Ole Juul

      Re: Name and shame?

      I wouldn't discount sloppiness in this case, but I'm sure some crook would offer money for a valid app signature.

  3. artbristol

    Isonet have some explaining to do

    It's their signing key that was used, according to the linked Comodo blog post.

  4. AlbertH

    The validity of Windows signatures has long been suspect. It's just that the suspicions are now supported by facts.

    Moral? Don't use Windows for anything to do with finances, business or personal communications. It might be OK for games, but watch out for those in-game purchases!

    1. PNGuinn

      Agreed, I use a Linux live distro for anything secure. Set the distro up to block ads etc, remaster as necessary. Make sure it runs totally in memory, no HDs etc mounted.

      Visit site, transact business, log out, reboot. For something like Puppy or its variants make sure there's no Savefile to save your settings etc for next time.

      PITA I know but a little paranoia can be a good thing.

    2. MNB

      The problem is not with Windows signature validation though, is it?

      The issue, as I see it (& please correct me if I am wrong), is a developer's signature credentials (private key, or password for same, and the cert) have been nicked and now are in the hands of malware authors, without the certificate authorities revoking the certificate.

  5. Anonymous Coward

    Bank-account-raiding ZeuS Trojan

    Ban this LEnix malware immediately ..

  6. Destroy All Monsters Silver badge

    Dammit El Reg

    This cert should be kept a closely guarded secret.

    No, the private key should be kept a closely guarded secret.

  7. JassMan Silver badge

    Given the validation process on the Xbox for checking passwords, perhaps the name on the certificate is a red herring. Perhaps Windows doesn't even check the certificate if the downloaded file is unencrypted but just says it is. Has anybody checked?

    Microsoft - so secure that a 5-year-old can crack it.

    http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/

  8. Nile

    Talking 'bout a Revocation

    Someone's cert has been stolen. And, presumably, their keys to other things as well...

    That's their problem. It's our problem - and your problem, and Microsoft's problem, if the Certificate Revocation mechanisms aren't working.

    ● Is this about a certificate not being revoked?

    ● Or is it all about Windows failing to check the cert before installing?

    If the cert isn't being revoked, we might just see if the certificate authority can be withdrawn, or blacklisted as untrustworthy; or just waved through, move along, nothing to see.

    And as for a major OS vendor's installer failing to check for revocation and act on it - that's *unthinkable*. Said Paris, because all serious remarks on The Register are parody.
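    Nile's two questions (is the cert unrevoked, or is Windows not checking?) can be separated on a defender's own machine by inspecting the Authenticode signature and then asking the revocation question explicitly. The PowerShell below is an added example, not code from the article or any commenter; the file path is a placeholder.

```powershell
# Added example: separate "signature verifies" from "signer certificate is revoked
# (or its revocation status cannot be confirmed)". The path is a placeholder.
$path = 'C:\path\to\signed-file.exe'

$sig = Get-AuthenticodeSignature -FilePath $path
"Signature status : $($sig.Status)"   # Valid, NotSigned, HashMismatch, NotTrusted, ...
if ($sig.SignerCertificate) {
    "Signer subject   : $($sig.SignerCertificate.Subject)"
    "Serial number    : $($sig.SignerCertificate.SerialNumber)"
    "Thumbprint       : $($sig.SignerCertificate.Thumbprint)"

    # Build the chain with online revocation checking for the whole chain,
    # and treat an unreachable CRL/OCSP source as a failure rather than a pass.
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds     : $built"
    foreach ($st in $chain.ChainStatus) {
        # Revoked, RevocationStatusUnknown and OfflineRevocation are the statuses that matter here
        "  {0,-28} {1}" -f $st.Status, $st.StatusInformation.Trim()
    }

    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $isRevoked   = $chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 }
    if ($isRevoked)       { "VERDICT: signer certificate is REVOKED; do not trust this signature." }
    elseif (-not $built)  { "VERDICT: revocation could not be confirmed; treat as untrusted." }
    else                  { "VERDICT: signature verifies and no revocation was reported at check time." }
}
```

    A binary that was countersigned (timestamped) before the CA's revocation date can still verify unless the CA backdates the revocation, so compare the signer's serial number and thumbprint against the revocation announcement directly rather than relying on the verdict alone.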

  9. FlipperofFury

    Shameless

    Comodo first learnt about this attack by having their PKI hacked and certificates used to sign the flame malware mentioned in the article.

    http://en.wikipedia.org/wiki/Comodo_Group#2010_Affiliate_Registration_Security_Breach


Biting the hand that feeds IT © 1998–2022