Initial analysis done by Peter Kruse and Yuriy Khvyl
The underground economy has found many ways to monetize data stolen from infected hosts. One of them is to sell legitimate code signing certificates, which can then be used to digitally sign executables and scripts to vouch for the software's author.
In the antivirus and security industry in general, code signing has been used to confirm the integrity of a file, and a valid digital signature is often considered sufficient proof that an application is legitimate. Several of my colleagues in the security industry have already expressed concern that digitally signed files are likely to be trusted by security software vendors: these files are often automatically whitelisted and thus not necessarily detected as malicious even when they are.
The fact that code-signed binaries can evade detection is naturally being exploited by IT criminals, who collect valid code signing certificates from compromised sources and abuse them to sign malware.
Recently, we observed how certificates were being sold on various underground forums (translated from Russian):
Selling stolen certificates for signing exe
I have two trusted certificates for signing exe
- Verisign, Expires at 18 December 2013 – 700$
- Comodo, expires at March 2015 – 900$
Jabber : firstname.lastname@example.org
Sell both for $1500 .gleos
2 Comodo, and 1 UTN-USERFirst-Object, one for $600, $1500 for all
1 Verisign – 600$
The signed »LoadMoney« greyware
Although »LoadMoney« has nothing to do with the above offer of stolen certificates, we have also seen a fairly large campaign involving many samples signed with certificates issued to mail.ru. A lot of these appear to be the result of some sort of strange partnership, but that clearly doesn't change the fact that the code will potentially download unwanted software.
We have already analyzed a lot of samples, and they are all signed using several certificates issued to LLC Mail.ru by Thawte.
A few MD5s:
Besides the code being bundled (several files packed into one), it subsequently also connects to various domains from which it downloads and automatically installs toolbars and malware. So the primary problem is that partners of mail.ru are allowed to sign binary code which then downloads additional components. Since these components are automatically downloaded from various domains outside the control of mail.ru, the content can be changed dynamically at any time and easily turn into something bad. This is the case for most of the »LoadMoney« samples we have examined.
By the way, this is not the first time we have seen malware signed with a certificate from LLC Mail.ru. The same problem existed back in mid-March 2013:
Some statistics showing how the »converts« succeed can be found below:
At that time, around May-June, Mail.ru apparently changed the partner program and closed some accounts and loopholes, but somehow the bad guys have found a new way to abuse the partnership program. Our investigation shows a clear connection with profitraf.ru and loadmoney.ru. Both are affiliates of mail.ru and thus able to sign the downloader, which can basically point at any URL specified by the user/account.
Well, need we say more? This is asking for trouble, as it cannot easily be controlled. And to prove our point we even created an account and signed a downloader which, when executed, serves up ZeuS. Yes, we are allowed to serve up pretty much anything we like. We shall explain this in detail in a follow-up blog post to be published later.
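The practical lesson of both the stolen-certificate offers above and the partner-signed downloaders is that "signed" must be one input to a verdict, not the verdict itself. The following PowerShell audit script is an added example and is not code from the original post or from CSIS; it assumes Windows PowerShell 5.1 or later with the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and the signer watchlist, hash denylist and sample directory path are constructed placeholders you would replace with your own data. It validates the chain with online revocation checking (so a stolen certificate that has since been revoked is caught), refuses to let an untimestamped signature outlive its certificate, and flags signer subjects you have chosen to watch, such as partner-program certificates that are known to sign arbitrary downloaders.

```powershell
# Added example (not from the original post): audit signed executables instead of
# treating "has a valid signature" as a whitelisting decision.
# Assumes Windows PowerShell 5.1+ with Get-AuthenticodeSignature and Get-FileHash.

# Constructed watchlist of signer subjects to flag (placeholder value).
$SignerWatchlist = @(
    'CN=EXAMPLE-WATCHED-SIGNER-PLACEHOLDER'
)

# Constructed denylist of SHA256 hashes from your own cases (placeholder value).
$HashDenylist = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

function Get-SignedBinaryVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $cert = $sig.SignerCertificate
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($HashDenylist -contains $hash) { $reasons.Add('hash on denylist') }

    # Status is a SignatureStatus enum; PowerShell compares it to these strings.
    switch ($sig.Status) {
        'Valid'        { }
        'NotSigned'    { $reasons.Add('unsigned') }
        'HashMismatch' { $reasons.Add('signature does not match file contents (tampered)') }
        default        { $reasons.Add("signature status: $($sig.Status)") }
    }

    if ($cert) {
        # Rebuild the chain with online revocation so a stolen, since-revoked
        # certificate is not silently accepted from a cached verdict.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $reasons.Add("chain failed: $status")
        }

        if ($SignerWatchlist -contains $cert.Subject) { $reasons.Add('signer on watchlist') }

        # Without a countersignature timestamp, the signature is only as good as the
        # certificate's validity period; an expired cert must not keep the old trust.
        if (-not $sig.TimeStamperCertificate -and $cert.NotAfter -lt (Get-Date)) {
            $reasons.Add('signing cert expired and signature is not timestamped')
        }
    }

    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Status  = $sig.Status
        Signer  = if ($cert) { $cert.Subject } else { $null }
        Issuer  = if ($cert) { $cert.Issuer } else { $null }
        Verdict = if ($reasons.Count -eq 0) { 'signed-ok' } else { 'review' }
        Reasons = $reasons -join '; '
    }
}

# Usage (placeholder path): audit every PE under a directory, show only items needing review.
Get-ChildItem -Path 'C:\Samples' -Include *.exe,*.dll -Recurse |
    ForEach-Object { Get-SignedBinaryVerdict -Path $_.FullName } |
    Where-Object { $_.Verdict -eq 'review' } |
    Format-Table Path, Status, Signer, Reasons -AutoSize
```

A 'signed-ok' verdict here still only means the signature is intact, the chain currently validates and the signer is not on your watchlist; it says nothing about what the binary does once it runs, which is exactly the gap a signed downloader pointing at an attacker-chosen URL exploits. Treat the output as a triage filter and feed the signer and issuer fields into your own reputation data.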
Needless to say, 2013 was also packed with digitally signed APTs (Advanced Persistent Threats) used in targeted attacks. Digital signing is again being used to circumvent security software, but also to allow installation as drivers on Microsoft Windows. We have little doubt that this trend will continue in 2014.