Reports say Zeus is back, this time with its own authentic digital certificate. How can I detect a Trojan that has such a seemingly real certificate?
The public key infrastructure (PKI) was designed with several features that let an end entity decide whom to trust. In particular, a certificate issued by a certificate authority (CA) can be revoked if its private key is compromised or it was issued improperly, and a CA's own certificate can be revoked so that everything it issued stops being trusted.
Netscape made a significant advance in promoting e-commerce when it bundled a set of CA certificates with its Web browser to support the new SSL protocol. That decision made browsers trust those CAs by default, and it exposed one of the model's biggest weaknesses: any trusted CA can issue a certificate for any name. A certificate for www.google.com issued by a compromised or malicious CA would be accepted by the browser, and a site presenting it would appear to be the legitimate www.google.com.
The authentic digital certificate used by the Zeus variant was issued to a legitimate software company by a legitimate CA, so the signature itself was not forged; the certificate (or its private key) was obtained and abused. When the CA revoked the certificate, systems that checked revocation stopped trusting the signed malware, but most systems did not check revocation for a long list of reasons. Revocation checking may be disabled by default in Web browsers, operating systems or other applications, and where it is enabled it often fails open: if the CRL or OCSP responder cannot be reached, the certificate is treated as valid. Those systems kept trusting the signed malware and were infected.
Enterprises can catch this class of abuse by checking certificate revocation for signed software before it is installed. An enterprise could also inspect every file downloaded over HTTP at the proxy, and block the download when the file is signed by a revoked certificate. Alternately, an enterprise could scan every file on each local system for signatures made with a revoked certificate and then investigate any system where such a file is found, since the file was trusted at the time it arrived. Two caveats apply: treat an unreachable revocation server as a finding rather than a pass, because that silent failure is exactly how the Zeus variant slipped through, and remember that a valid signature from an unfamiliar publisher is not evidence the file is safe, only that it has not been altered since the publisher signed it.
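One way to implement the local-system scan described above, as an added example rather than code from the original answer: the script enumerates signed files under a directory, builds each signing certificate's chain with revocation checking explicitly enabled, and reports files whose signer (or any CA in its chain) is revoked, as well as files whose revocation status could not be determined. It assumes Windows with PowerShell 5.1 or later and network access to the CAs' CRL and OCSP endpoints; the scan root and file extensions are illustrative values, not from the article.

```powershell
# Added example, not from the original answer. Hunts for files whose Authenticode
# signer certificate is revoked, building the chain with revocation checking on
# rather than relying on Get-AuthenticodeSignature's Status alone.
# Assumptions: Windows, PowerShell 5.1+, reachable CRL/OCSP endpoints.
# $ScanRoot and $Extensions are illustrative defaults.
param(
    [string]$ScanRoot = 'C:\Users',
    [string[]]$Extensions = @('*.exe', '*.dll', '*.sys', '*.msi', '*.ps1')
)

# Cache chain results by thumbprint so one CRL/OCSP round trip covers every file
# signed by the same certificate.
$script:RevocationCache = @{}

function Test-SignerRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $key = $Certificate.Thumbprint
    if ($script:RevocationCache.ContainsKey($key)) { return $script:RevocationCache[$key] }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Check every certificate in the chain, online, against the current time.
        # A revoked signer therefore flags all binaries it signed, timestamped or
        # not, which is the conservative choice when hunting for abuse.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($Certificate)

        # ChainStatus is a list of flag values; OR them together, then test bits.
        [int]$flags = 0
        foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
        $revoked = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $unknown = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
        $offline = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation

        $result = [pscustomobject]@{
            Revoked           = (($flags -band $revoked) -ne 0)
            # Fail closed: "could not check" is reported, not treated as valid.
            RevocationUnknown = (($flags -band ($unknown -bor $offline)) -ne 0)
            ChainStatus       = (($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', ')
        }
        $script:RevocationCache[$key] = $result
        return $result
    }
    finally {
        $chain.Dispose()
    }
}

function Find-RevokedSignedFiles {
    param(
        [Parameter(Mandatory)] [string]$Root,
        [string[]]$Include = @('*.exe', '*.dll')
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned files are out of scope for this check (not "safe", just not signed).
            if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }

            $rev = Test-SignerRevocation -Certificate $sig.SignerCertificate
            [pscustomobject]@{
                Path              = $_.FullName
                SignatureStatus   = $sig.Status
                Signer            = $sig.SignerCertificate.Subject
                Issuer            = $sig.SignerCertificate.Issuer
                Thumbprint        = $sig.SignerCertificate.Thumbprint
                Revoked           = $rev.Revoked
                RevocationUnknown = $rev.RevocationUnknown
                ChainStatus       = $rev.ChainStatus
            }
        }
}

# Report only the files that need a human: signed by a revoked certificate, or
# signed by a certificate whose revocation status could not be verified.
Find-RevokedSignedFiles -Root $ScanRoot -Include $Extensions |
    Where-Object { $_.Revoked -or $_.RevocationUnknown } |
    Format-Table Path, Signer, Revoked, RevocationUnknown, ChainStatus -AutoSize
```

Run it across endpoints with Invoke-Command or as a scheduled job and feed the output to the SOC; any host with a `Revoked` hit has executed or stored a binary that was trusted when it arrived, which is the case the question describes. `RevocationUnknown` results are worth a look too, because an endpoint that cannot reach the CA's revocation service is in exactly the fail-open state that let the signed Zeus sample through.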
Related Q&A from Nick Lewis