Reports say Zeus is back, this time with its own authentic digital certificate. How can I detect a Trojan that has such a seemingly real certificate?
The public key infrastructure (PKI) was designed with several mechanisms that let a relying party decide for itself what to trust. In particular, a digital certificate issued by a certificate authority (CA) can be revoked if its private key is compromised or the certificate was issued improperly, and a CA's own certificate can likewise be revoked, or removed from the trust store, so that certificates it issued are no longer accepted.
Netscape did much to promote e-commerce when it bundled CA certificates with its Web browser to support the new SSL protocol. That established the model, still in use today, of trusting a list of CAs by default, and one of its biggest weaknesses is that any trusted CA can issue a certificate for any name. A malicious or compromised CA could, for example, issue a certificate for www.google.com, and a browser would accept the impostor as the legitimate www.google.com site.
The authentic digital certificate used by the Zeus variant had been issued by a legitimate CA to a legitimate software company; the malware authors obtained and misused it, so the signature verified correctly and did nothing to protect endpoints. The CA revoked the certificate, which stopped some systems from trusting the signed malware, but most systems never checked revocation, for a long list of reasons: revocation checking may not be enabled by default in Web browsers, operating systems or other applications, and where it is enabled, clients commonly fail open when the CRL or OCSP responder cannot be reached. Those systems continued to trust the signature and fell victim to the malware.
Enterprises can detect software signed with a compromised certificate by checking the revocation status of the signing certificate before the software is installed. An enterprise could also inspect every file downloaded over HTTP at the proxy and block the download if the file is signed by a revoked certificate. Alternatively, an enterprise could sweep every file on each local system, flag any file signed by a revoked certificate, and investigate every system on which such a file is found. In each case the check should treat "revocation status unknown" as a warning rather than a pass, because a client that cannot reach the CRL or OCSP responder has learned nothing about the certificate.
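The following is an added example, not code from the original answer or from TechTarget. It implements the local-system sweep described above on a Windows host: each executable is classified as unsigned, validly signed, signed by a revoked certificate, or of unknown revocation status, and the chain is built with online revocation checking turned on explicitly rather than relying on whatever default the cmdlet applies. The scan root C:\Users, the file extensions, and the function name Test-SignerRevocation are assumptions chosen for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original answer. Classifies a PE file by the revocation
# status of its Authenticode signer. The chain is built explicitly with online
# revocation checking so the verdict does not depend on the cmdlet's own defaults.
function Test-SignerRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Unsigned'; Signer = $null; Detail = "$($sig.Status)" }
    }

    $chain = [X509Chain]::new()
    # Consult CRL/OCSP for every certificate in the chain, not just the leaf.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    # Require the code-signing EKU (1.3.6.1.5.5.7.3.3) so a TLS or e-mail certificate is not accepted.
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([Oid]::new('1.3.6.1.5.5.7.3.3'))

    $built = $chain.Build($sig.SignerCertificate)

    # Collapse the per-element status records into a single flag set.
    $flags = [X509ChainStatusFlags]::NoError
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

    $verdict = if ($flags.HasFlag([X509ChainStatusFlags]::Revoked)) { 'SignedRevoked' }
        elseif ($flags.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown) -or
                $flags.HasFlag([X509ChainStatusFlags]::OfflineRevocation)) { 'RevocationUnknown' }
        elseif ($built -and $sig.Status -eq 'Valid') { 'SignedValid' }
        else { 'SignedInvalid' }   # e.g. NotTimeValid, UntrustedRoot, or a hash mismatch

    [pscustomobject]@{
        Path    = $Path
        Verdict = $verdict
        Signer  = $sig.SignerCertificate.Subject
        Detail  = "$($sig.Status); chain=$flags"
    }
}

# Assumed scan root and file types; widen both as needed for the systems being examined.
$results = Get-ChildItem -Path 'C:\Users' -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerRevocation -Path $_.FullName }

# A file signed by a revoked certificate is the investigation trigger described above;
# a file whose status could not be determined should not be treated as clean either.
$results | Where-Object { $_.Verdict -in 'SignedRevoked', 'RevocationUnknown' } |
    Format-Table Path, Verdict, Signer, Detail -AutoSize
```

Two caveats when reading the output. First, the chain is evaluated at the current time, so a signer certificate that has expired since the file was signed reports NotTimeValid (SignedInvalid here), which is a different condition from revocation; Windows itself still accepts such a signature when it carries a trusted timestamp countersignature. Second, Windows honors that timestamp when judging revocation as well: if the CA records a revocation date later than the timestamped signing time, the signature remains trusted, so a CA responding to misuse like the Zeus case has to set the revocation date before the earliest fraudulent signing. Because the check is online, an isolated host with no path to the CRL distribution points or OCSP responders will report RevocationUnknown for everything; run it from a host that can reach them, or stage the CRLs locally.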