Stolen Certificates Attached To Fake Antivirus Programs

Rubber stamp 'fake'

Two malicious applications, Win32/Winwebsec and Win32/FakePav, have been in the wild for years, but are troubling security experts thanks to their recent development. Both are fake antivirus programs, which go by ever-changing more common names like ‘Antivirus Security Pro”. They were first discovered in 2009 and 2010 respectively, but as Jeremy Kirk of Network World reports, only recently they’ve been observed using stolen digital security certificates.

Digital certificates are granted by Certification Authorities, or CAs, so legitimate developers can sign their applications and users can cryptographically verify that the application comes from a trusted source. When criminals steal these certificates, it makes it more difficult to catch their malicious programs before they damage a user’s system.

This isn’t a new practice. These bogus antivirus applications only just started using it to slip past security, however. Even more troubling is the way certificates are being stolen. Samples of this malware have been found carrying certificates from a number of different CAs from all over the world. Some of the certificates being used were as little as three days old.

The age of certificates is interesting because it reveals evidence that hackers are regularly stealing new certificates. It’s an ongoing problem. Previously, it had been thought that since stealing certificates is so difficult, older certificates were being used from successful attempts from long ago. In reality, it appears hackers are more successful than originally thought.

CAs are able to revoke certificates once they’ve been discovered being used with malicious software, but malware like these fake antivirus programs replace certificates periodically to stay ahead.

This poses a problem for both users and developers. For developers, having certificates stolen damages their credibility and can be expensive to replace certificates. For users, it’s harder to tell if an application can be trusted or not, which can result in the loss of data or the infection of your device is you choose wrong.

If you’ve downloaded a malicious program and are suffering from a malware infection, call Geek Rescue at 918-369-4335. We’ll fix your machine and help you prevent future attacks.

December 16th, 2013