Bogus digital certificates have been popping up here and there over time as malware authors rely on Secure Sockets Layer (SSL) more and more to sneak past intrusion detection and protection systems and content scanners. Switzerland’s Abuse.ch has created a repository of helpful information for infosecurity professionals, the SSL Blacklist (SSLBL), which keeps a running, public tally on certificates that have been associated with malware.
Suricata, an open source intrusion detection/prevention system developed and maintained by the Open Information Security Foundation (OISF), comes with an SSL/TLS module that can fingerprint SSL/TLS certificates.
“Since some malware families switched from plain HTTP to HTTPS recently, I decided to maintain and publish a collection of SHA1 fingerprints associated with bad SSL certificates,” the Abuse.ch administrator said in introducing the system.
The list for now shows about 125 certificates that are being used by botnets, malware campaigns and banking trojans.
“The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities,” the organization said in a post. “Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format. SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock.”
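To show what the two feeds mentioned above actually contain and how a defender would consume them, here is an added example (not code from Abuse.ch, SSLBL or the Suricata project). It computes the SHA1 fingerprint of a certificate the way SSLBL lists it (SHA1 over the DER bytes), checks it against a blacklist parsed from SSLBL's CSV layout, and emits a Suricata rule using the tls.fingerprint keyword. The CSV column order, the rule template and the certificate bytes are assumptions or constructed data: the "certificate" is a stand-in byte string rather than real DER, since the fingerprint path does not care.

```python
"""Check certificate fingerprints against an SSLBL-style blacklist and
emit Suricata rules. Added example with constructed data throughout."""
import base64
import csv
import hashlib
import io
import re

# Constructed blacklist in the SSLBL CSV layout (assumption: columns are
# listing date, SHA1 fingerprint, listing reason; '#' lines are comments).
# The first fingerprint is SHA1(b"abc") so the sample "certificate" below hits.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2014-07-10 12:00:00,a9993e364706816aba3e25717850c26c9cd0d89d,KINS C&C
2014-07-11 09:30:00,0000000000000000000000000000000000000001,Shylock C&C
"""

# Constructed stand-ins: base64("abc") and base64("xyz") wrapped in PEM armour.
# Not real certificates; they only exercise the PEM -> DER -> SHA1 path.
BAD_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
CLEAN_PEM = "-----BEGIN CERTIFICATE-----\neHl6\n-----END CERTIFICATE-----\n"


def load_blacklist(text):
    """Parse SSLBL-style CSV into {sha1_hex: listing_reason}."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    blacklist = {}
    for row in rows:
        if len(row) < 3:
            continue  # skip blank or malformed lines
        blacklist[row[1].strip().lower()] = row[2].strip()
    return blacklist


def pem_to_der(pem):
    """Strip PEM armour and base64-decode to the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha1_fingerprint(der):
    """SHA1 over the DER encoding: the value SSLBL lists and Suricata matches."""
    return hashlib.sha1(der).hexdigest()


def colon_form(hexfp, upper=False):
    """Colon-separated form: 'openssl x509 -fingerprint' prints it uppercase,
    Suricata's tls.fingerprint keyword expects lowercase."""
    joined = ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2))
    return joined.upper() if upper else joined.lower()


def check_certificate(pem, blacklist):
    """Return (fingerprint, listing reason or None) for a PEM certificate."""
    fp = sha1_fingerprint(pem_to_der(pem))
    return fp, blacklist.get(fp)


def suricata_rule(hexfp, reason, sid):
    """Build a Suricata tls rule for one blacklisted fingerprint.
    Assumption: rule layout modelled on the SSLBL rule feed's style."""
    return (
        f'alert tls $EXTERNAL_NET any -> $HOME_NET any '
        f'(msg:"SSLBL: Malicious SSL certificate detected ({reason})"; '
        f'tls.fingerprint:"{colon_form(hexfp)}"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def rules_from_blacklist(blacklist, base_sid=9000000):
    """One rule per blacklisted fingerprint, with sequential sids."""
    return [suricata_rule(fp, reason, base_sid + i)
            for i, (fp, reason) in enumerate(sorted(blacklist.items()))]


if __name__ == "__main__":
    bl = load_blacklist(SSLBL_CSV)
    for label, pem in (("bad", BAD_PEM), ("clean", CLEAN_PEM)):
        fp, hit = check_certificate(pem, bl)
        print(f"{label}: {colon_form(fp, upper=True)} -> {hit or 'no match'}")
    print("\n".join(rules_from_blacklist(bl)))
```

Matching on the certificate's SHA1 alone is deliberately simple: it catches reuse of a known bad certificate regardless of the IP it is served from, which is why SSLBL publishes the fingerprint list alongside the IP list.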
The move comes as certificates and the certificate authority (CA) system have been called into question.
“Thanks to modern cryptography, browsers can usually detect malicious websites that are provisioned with forged or fake SSL certificates,” explained a group known as Certificate-Transparency (CT). “However, current cryptographic mechanisms aren’t so good at detecting malicious websites if they’re provisioned with mistakenly issued certificates or certificates that have been issued by a certificate authority that’s been compromised or gone rogue. In these cases, browsers see nothing wrong with the certificates because the CA appears to be in good standing, giving users the impression that the website they’re visiting is authentic and their connection is secure.”
This is the case in the recent move by Microsoft to revoke improperly issued SSL certificates that could be used in attempts to spoof Google and Yahoo! content, perform phishing attacks or mount man-in-the-middle (MitM) attacks against Windows users.
The software giant said in its advisory that SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA). Microsoft said that the subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. Subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.
“One of the problems is that there is currently no easy or effective way to audit or monitor SSL certificates in real time, so when these missteps happen (malicious or otherwise), the suspect certificates aren’t usually detected and revoked for weeks or even months,” explained CT. “What’s more, these types of SSL missteps are occurring with increasing frequency. Over the past few years there have been numerous instances of mis-issued certificates being used to spoof legitimate sites, and, in some cases, install malicious software or spy on unsuspecting users.”