Zero-Day Malware Drops Payloads Signed with a Forged Microsoft Certificate

By Andrew Brandt


Security websites are buzzing with news that a new zero-day exploit against Adobe Reader and Acrobat is circulating today, causing computers to become infected with malware simply by visiting certain Web pages. While the exploit itself is worthy of note, nobody is talking about the payload it downloads: it installs a trio of files dressed up to look like Windows system files, two of which have been digitally signed with a security certificate supposedly issued by Microsoft. The digital signature gives the casual user the impression that the two signed files — an executable and a DLL both named “LNETCPL” — are legitimate Microsoft components.

The fake certificates appear in the properties sheets of both the installer and two of the three executable payloads dropped by the installer. One giveaway is that the sheet identifies the signer as “Microsoft” but lacks both an email address and a time stamp. Legitimate system files digitally signed by Microsoft identify the signer as “Microsoft Corporation” and always have a time stamp. The bogus signatures are identified as invalid, but only when you click the Details button on the Properties sheet’s Digital Signatures tab.

A legitimate Microsoft-signed file is issued by the “Microsoft Code Signing PCA” certificate authority and will also display a countersignature from VeriSign. The fakes have no countersignature and appear to have been issued by “Root Agency” — a made-up name for a nonexistent certificate authority the malware creators are using to generate these files. In fact, the malware creators may actually be using Microsoft’s own Certificate Creation Tool (which is supposed to be used for testing) to facilitate generating these signed files.
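The checks in the two paragraphs above can be automated. The PowerShell function below is an added example, not code from the original post or from Webroot: it reads a file’s Authenticode signature and reports the traits described here for the forged signatures (signer name “Microsoft” rather than “Microsoft Corporation”, no time stamp, an issuer of “Root Agency”, a Microsoft-looking signer whose issuer is not the Microsoft Code Signing PCA). The function name `Test-SuspiciousSignature` is my own; the cmdlet `Get-AuthenticodeSignature` and the `Signature` object properties it uses are standard. It assumes PowerShell 3.0 or later on Windows.

```powershell
# Added example (not from the original post). Inspect a file's Authenticode
# signature and flag the properties that distinguish the forged certificates
# described in the post from a genuine Microsoft signature.
# Assumes PowerShell 3.0+ on Windows; Test-SuspiciousSignature is a name chosen here.

function Test-SuspiciousSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Status = $sig.Status; Findings = @() }
    }

    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # SimpleName yields the CN, which is what the Digital Signatures tab displays.
    $subjectCn = $cert.GetNameInfo($nameType, $false)   # $false = subject
    $issuerCn  = $cert.GetNameInfo($nameType, $true)    # $true  = issuer

    # 1. The decisive check: Windows itself could not build a trusted chain.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    # 2. Bare "Microsoft" signer name instead of "Microsoft Corporation".
    if ($subjectCn -eq 'Microsoft') {
        $findings += "signer is 'Microsoft', genuine files use 'Microsoft Corporation'"
    }
    # 3. Authenticode carries its time stamp as a countersignature; none here.
    if ($null -eq $sig.TimeStamperCertificate) {
        $findings += 'no time stamp / countersignature'
    }
    # 4. "Root Agency" is the test root produced by Microsoft's certificate creation tool.
    if ($issuerCn -eq 'Root Agency') {
        $findings += "issued by 'Root Agency' (test certificate root)"
    }
    # 5. Claims to be Microsoft but not issued by a Microsoft Code Signing PCA.
    #    Newer Microsoft issuing CAs append a year to the name, hence the wildcard.
    if ($subjectCn -like 'Microsoft*' -and $issuerCn -notlike 'Microsoft Code Signing PCA*') {
        $findings += "signer claims Microsoft but issuer is '$issuerCn'"
    }

    [pscustomobject]@{
        Path     = $Path
        Signed   = $true
        Status   = $sig.Status
        Signer   = $subjectCn
        Issuer   = $issuerCn
        Findings = $findings
    }
}

# Usage: run against the dropped files named in the post (adjust paths as needed).
Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32\LNETCPL.*') -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousSignature -Path $_.FullName } |
    Format-List
```

The name-based checks (2 to 5) are what a person sees on the properties sheet; only check 1 is authoritative, because trust comes from the certificate chain and not from the strings in the subject. A file that shows any `Findings` while claiming to be a Microsoft component deserves the same treatment as an unsigned one.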

While we’ve seen a number of digitally signed files come through our research queue over the years, authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way. It’s not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good. We’ve published a new definition to remove both the installer and these payload files; Trojan-Certispaz will be available to help our customers clean up infections in our next definitions update.

The digitally signed files are dropped by an installer that itself is retrieved from a Web server, in the course of a malicious Web site exploiting the new vulnerability. This file, named ab.exe, calls itself “Microsoft Explorer Basic Tools” in its properties sheet. It is sophisticated enough that it won’t run under a virtual machine, but that only means that we have to research the file on a real, instead of a virtual, computer.

Once it runs, the ab.exe installer leaves behind three executable files (the two mentioned above, and a third, LNETCPL.sys) inside the directory where Windows stores all its system files. It also sets up keys in the Windows Registry that cause the SYS and DLL to run under a service named “keydrvclass” and the EXE to run as an ActiveX control (which calls itself SystemBasicTools) in Internet Explorer. The DLL also calls itself “Windows NT Management Tools” in its properties sheet. These Registry keys share a common CLSID value of {05053de3-294c-12ce-1cdf-1bf4ce6cd741}.

[Image: One of the “invalid certificate” warnings]

None of these files should be confused with the legitimate Windows file inetcpl.cpl, which is the file that loads the Internet Options control panel.

[Image: An example of a valid digital signature in a signed file]

Besides these executable files, users of infected systems will also find two non-executable files in the same folder as the other payloads: one named proc.aux, and one with a long name containing the time and date and a .tmp extension (e.g., ffffz200912151218bg.tmp), with its “hidden” flag set so that it appears greyed out in Windows Explorer.
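The file, service and Registry artifacts described in the last few paragraphs make a compact host check. The script below is an added example, not code from the original post or from Webroot; every name and value in it (the three LNETCPL files, proc.aux, the service “keydrvclass”, the CLSID, the sample .tmp name) comes from the post, while the function name `Get-InfectionIndicators`, the assumption that the CLSID is registered under HKEY_CLASSES_ROOT\CLSID, and the filename pattern generalised from the single .tmp example are mine. It assumes an elevated PowerShell 3.0 or later session on the affected machine.

```powershell
# Added example (not from the original post). Report the on-disk and Registry
# indicators described in the post. Get-InfectionIndicators is a name chosen here;
# the indicator values are the ones the post lists.

$sys32 = Join-Path $env:SystemRoot 'System32'
$clsid = '{05053de3-294c-12ce-1cdf-1bf4ce6cd741}'   # CLSID quoted in the post

function Get-InfectionIndicators {
    $hits = @()

    # 1. The three executables dropped among the system files.
    foreach ($name in 'LNETCPL.exe', 'LNETCPL.dll', 'LNETCPL.sys') {
        $p = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $p) { $hits += "file: $p" }
    }

    # 2. The non-executable companions: proc.aux, and a hidden .tmp file whose name
    #    embeds a yyyyMMddHHmm stamp (pattern assumed from the post's one sample,
    #    ffffz200912151218bg.tmp; widen it if your sample differs).
    $aux = Join-Path $sys32 'proc.aux'
    if (Test-Path -LiteralPath $aux) { $hits += "file: $aux" }
    Get-ChildItem -LiteralPath $sys32 -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            ($_.Name -match '^[a-z]+\d{12}[a-z]+\.tmp$')
        } |
        ForEach-Object { $hits += "hidden tmp file: $($_.FullName)" }

    # 3. The service that runs the SYS and DLL (services live under this key).
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\keydrvclass'
    if (Test-Path -LiteralPath $svcKey) {
        $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
        $hits += "service key: keydrvclass (ImagePath: $img)"
    }

    # 4. The shared CLSID; ActiveX controls register here (location assumed).
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (Test-Path -LiteralPath $clsidKey) { $hits += "CLSID key: $clsid" }

    $hits
}

$results = Get-InfectionIndicators
if ($results.Count -eq 0) {
    'No indicators from the post were found.'
} else {
    $results
}
```

The script only reports; removal is left to the definition mentioned above, because deleting the SYS file or the service key by hand while the driver is loaded is a reliable way to leave the system unbootable. Treat a hit on item 3 or 4 as strong evidence even if the files in item 1 are absent, since the Registry entries outlive a partial clean-up.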

In the meantime, until Adobe issues updates for Acrobat and/or Reader, you may wish to follow these instructions to disable JavaScript within those applications.
