Zeus malware appears with fake digital certificate

Avira's researchers discovered an unusual version of Zeus while trawling their daily feed of malware samples from clients, and were amazed to find that its certificate appeared to be one of Avira's own.

According to Thomas Wegele, a virus researcher with the firm, digitally signed malware is an uncommon occurrence in IT security circles, so this version of Zeus – which is otherwise unremarkable – is a rarity.

Reporting on the discovery, Softpedia says that digitally signed malware is a relatively rare occurrence "because there are few options for malware authors to do it properly and it generally is not worth the trouble."

"One way is to steal a private digital key from a company and use it to sign the malicious code. This technique was used by the Stuxnet industrial sabotage worm to install a rootkit component on 64-bit versions of Windows," noted Lucian Constantin in his report.

Softpedia adds that the certificate used to sign the sample of Zeus was generated on February 10 and purports to be issued by VeriSign.

"However, the error message means that it doesn't match VeriSign's root certificate included in Windows, a clear sign that it's a fake", the newswire notes.

"This is not the first Zeus sample to forge the digital signature of an anti-virus vendor. Back in August, we reported about a variant which purported to be signed by Kaspersky Lab", the newswire adds.

 
