Stolen Certificate Signs Java Exploit

Tuesday, March 12, 2013 @ 04:03 PM gHale

A malicious Java application, signed with a legitimate digital certificate, is hosted on the website of the Chemnitz University of Technology in Germany, which is infected with the g01pack Exploit Kit.

Security researcher Eric Roman has analyzed the malicious file, which poses as a “Java ClearWeb Security Update,” and found it signed with a digital certificate stolen from Texas-based Clearesult Consulting, Inc.


Go Daddy revoked the certificate on December 7, 2012. However, Oracle’s JAR signing and verification tool, jarsigner, still validates the file despite the earlier revocation.

In addition, the new security mechanisms implemented by Oracle don’t block signed apps unless the security level is set to “very high.”
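The gap described above is that a JAR signature check by itself says nothing about whether the signer certificate has since been revoked. The following is an added example, not code from the article or from Oracle, of a verifier that checks every entry's signature and then validates each signer chain with OCSP/CRL revocation checking required; it assumes the JAR path is given on the command line and that the JDK's default cacerts file is the trust store:

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public final class JarRevocationCheck {

    // Returns the distinct signer certificate chains of a JAR. Throws SecurityException
    // if an entry is unsigned or its digest does not match the signature file.
    static Set<CertPath> signerPaths(Path jarPath) throws Exception {
        Set<CertPath> paths = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) { // true = verify signatures
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // An entry's signature is only checked once its bytes have been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + entry.getName());
                for (CodeSigner s : signers) paths.add(s.getSignerCertPath());
            }
        }
        return paths;
    }

    // PKIX-validates one signer chain against the JDK trust store (assumed location) with
    // revocation checking required: OCSP first, CRL distribution points as fallback.
    // Throws CertPathValidatorException with reason REVOKED for a revoked signer.
    static void validateWithRevocation(CertPath path) throws Exception {
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        Path store = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        try (InputStream in = Files.newInputStream(store)) { cacerts.load(in, null); } // read-only
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        PKIXParameters params = new PKIXParameters(cacerts);
        params.addCertPathChecker(checker); // without this, a revoked signer still validates
        validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        for (CertPath p : signerPaths(Paths.get(args[0]))) validateWithRevocation(p);
        System.out.println("all signers verified and none revoked: " + args[0]);
    }
}
```

Revocation status can only be obtained if the OCSP responder or CRL is reachable; with the default checker options an unknown status fails validation rather than being ignored.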

It’s uncertain at this point if a new Java Zero Day is at play here. However, it’s clear that signing a malicious application with a valid digital certificate, even a revoked one, can increase the chances for success of a cybercriminal campaign.

Oracle released an out-of-band patch to address the latest Zero Day exploited by cybercriminals.

“Cybercriminals increasingly operate in the same way legitimate businesses do; they look for the quickest and easiest means to a desired end. From Stuxnet and Flame to targeted attacks on Bit9 and Adobe, attacks leveraging digital certificates have accelerated,” said Jeff Hudson, chief executive of enterprise key and certificate management (EKCM) solutions provider Venafi.

In February, Venafi and the Ponemon Institute released a study that shows organizations risk losing $35 million every two years because of attacks on trust.

“Why organizations aren’t taking simple management steps to inventory and replace all sub-standard certificates on their networks is beyond belief,” Hudson said. “This latest Java exploit news is another example of why effective certificate management is critical.”
