Fake Certificates for Police Trojans

Monday, November 26, 2012 @ 04:11 PM gHale


Ransomware just keeps getting better and better, which is bad news for users trying to stay one step ahead of it.

Why shouldn’t it get better? After all, attackers continue to make millions of dollars a year from the malware. Like any product, once it gets a little tired, it just needs a small boost to keep gaining market share and profits.

Earlier variants added audio files that played the threat message aloud. Now, to improve the odds of slipping past digital signature checks, the attackers are signing the binaries with fake certificates, according to researchers at Trend Micro, who came across two samples, detected as TROJ_RANSOM.DDR, both signed under a suspicious name and issued by an equally suspicious provider. A signature like that satisfies a check that asks only whether a file is signed; what it cannot do is chain to a certificate authority the system already trusts, so the meaningful check is chain validation, not signature presence.
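
As an added example (not code from the article or from Trend Micro), the following PowerShell script shows the check that separates a merely signed file from one whose signature chains to a trusted root. It uses the built-in Get-AuthenticodeSignature cmdlet; the sample folder path, the verdict labels and the output layout are my own assumptions.

```powershell
# Added example (not from the article or Trend Micro): classify PE files by
# Authenticode status so that a signature that is merely *present* is not
# mistaken for one that is *trusted*. Folder path and labels are assumptions.
param(
    [string]$Path = "$env:ProgramData\Quarantine"   # assumed folder of files to triage
)

function Get-SignatureVerdict {
    param([System.IO.FileInfo]$File)

    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $cert = $sig.SignerCertificate

    # Status is the chain verdict: Valid, NotSigned, NotTrusted, HashMismatch,
    # UnknownError, ... Anything other than Valid means Windows could not
    # build a chain from the signer to a trusted root (or the file was altered).
    $verdict = switch ($sig.Status) {
        'Valid'        { 'trusted' }
        'NotSigned'    { 'unsigned' }
        'HashMismatch' { 'tampered' }
        default        { 'signed-but-untrusted' }
    }

    # A self-signed "CA" shows up as Subject equal to Issuer: the signer
    # vouched for itself, which is what a home-made fake certificate looks like.
    $selfSigned = ($null -ne $cert) -and ($cert.Subject -eq $cert.Issuer)

    [pscustomobject]@{
        File       = $File.Name
        Status     = $sig.Status
        Verdict    = $verdict
        SelfSigned = $selfSigned
        Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $false }
        Subject    = if ($cert) { $cert.Subject } else { '' }
        Issuer     = if ($cert) { $cert.Issuer } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
    }
}

Get-ChildItem -Path $Path -Include *.exe, *.dll -Recurse -File |
    ForEach-Object { Get-SignatureVerdict -File $_ } |
    Sort-Object Verdict |
    Format-Table File, Verdict, SelfSigned, Expired, Subject, Issuer -AutoSize
```

Any file reported as signed-but-untrusted or self-signed is the case the article describes: a signature is present, but no trusted authority vouches for the signer. One caveat: the cmdlet trusts whatever roots the machine trusts, so malware that has installed its own root certificate would come back as Valid; on a suspect machine, compare the Issuer column against the vendor CAs you actually expect rather than relying on the verdict alone.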

One of the samples invokes the FBI to scare users into paying a fine to get their computers unlocked, while the other trades on the reputation of the UK’s Police Central e-Crime Unit.

The newer variants lock the computer and display a threat message tailored to the victim’s geographic location: both the language of the demand for payment and the name of the law enforcement agency being impersonated are adapted accordingly.

In recent years, cyber criminals have come to rely more and more on expired or fake digital certificates. Unfortunately, this is not limited to ransomware; it applies to all sorts of malware.

Flame used certificates to sign some of its components and, more recently, genuine Adobe-issued certificates were abused to sign malicious utilities.
