A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs. It appears miscreants have somehow gained access to the private signing key belonging to a Microsoft-registered third-party developer in Switzerland, …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Saturday 5th April 2014 01:23 GMT Mikel

Whose signature?

Code signing requires that the authority who granted the certificate knows who signed the executable. Otherwise it wouldn't be a "signature" at all, would it? Should be easy to tell who from the key revocation announcement.

8 0
1. Sunday 6th April 2014 08:41 GMT Peter2
  
  Re: Whose signature?
  
  At the time of writing, as so far as I can see it's still a valid certificate.
  
  0 0
2. Sunday 6th April 2014 20:57 GMT diodesign
  
  Re: Whose signature?
  
  Correct - Comodo alleges the signing key belongs to Isonet AG, based in Switzerland.
  
  C.
  
  0 0
  1. Tuesday 8th April 2014 17:48 GMT Peter2
    
    Re: Whose signature?
    
    Oh, i'm not doubting that's correct. But at this point, the key is quite obviously compromised and imo should be revoked.
    
    0 0
Saturday 5th April 2014 02:27 GMT Roger Stenning

Name and shame?

So that the rest of us know who screwed the security pooch?

4 0
1. Saturday 5th April 2014 02:36 GMT Ole Juul
  
  Re: Name and shame?
  
  I wouldn't discount sloppiness in this case, but I'm sure some crook would offer money for a valid app signature.
  
  3 0
Saturday 5th April 2014 10:00 GMT artbristol

Isonet have some explaining to do

It's their signing key that was used, according to the linked Comodo blog post.

4 0
Saturday 5th April 2014 12:43 GMT AlbertH

The validity of Windows signatures has long been suspect. It's just that the suspicions are now supported by facts.

Moral? Don't use Windows for anything to do with finances, business or personal communications. It might be OK for games, but watch out for those in-game purchases!

4 5
1. Saturday 5th April 2014 18:50 GMT PNGuinn
  
  Agreed, I use a Linux live distro for anything secure. Set the distro up to block ads etc, remaster as necessary. Make sure it runs totally in menmory, no Hds etc mounted.
  
  Visit site, transact business, log out, reboot. For something like Puppy or its variants make sure there's no Savefile to save your settings etc for next time.
  
  PITA I know but a little paranoia can be a good thing.
  
  4 3
2. Monday 7th April 2014 10:44 GMT MNB
  
  The problem is not with indows signature validation though is it?
  
  The issue, as I see it (& please correct me if I am wrong), is a developers signature credentials (private key, or password for same, and the cert) have been knicked and now are in the hands of malware authors, without the certificate authorities revoking the certificate.
  
  2 0
Saturday 5th April 2014 17:51 GMT Anonymous Coward

Bank-account-raiding ZeuS Trojan

Ban this LEnix malware immediately ..

0 2
Sunday 6th April 2014 10:10 GMT Destroy All Monsters

Dammit El Reg

This cert should be kept a closely guarded secret.

No, the private key should be kept a closely guarded secret.

2 0
Sunday 6th April 2014 20:23 GMT JassMan

Given the validation process on the xBox for checking passwords, perhaps the name on the certificate is a red herring. Perhaps windows doesn't even check the certificate if the downloaded file is unencrypted but just says it is. Has anybody checked?

Microsoft - so secure that a 5year old can crack it.

http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/

2 0
Monday 7th April 2014 17:23 GMT Nile

Talking 'bout a Revocation

Someone's cert has been stolen. And, presumably, their keys to other things as well...

That's their problem. It's our problem - and your problem, and Microsoft's problem, if the Certificate Revocation mechanisms aren't working.

● Is this about a certificate not being revoked?

● Or is it all about Windows failing to check the cert before installing?

If the cert isn't beng revoked, we might just see if certificate authority can be withdrawn, or or blacklisted as untrustworthy; or just waved through, move along, nothing to see.

And as for a major OS vendor's installer failing to check for revocation and act on it - that's *unthinkable*. Said Paris, because all serious remarks on the The Register are parody.

0 0
Wednesday 9th April 2014 20:22 GMT FlipperofFury

Shameless

Comodo first learnt about this attack by having their PKI hacked and certificates used to sign the flame malware mentioned in the article.

http://en.wikipedia.org/wiki/Comodo_Group#2010_Affiliate_Registration_Security_Breach

0 0