Reports say Zeus is back, this time with its own authentic digital certificate. How can I detect a Trojan that has such a seemingly real certificate?
The public key infrastructure was designed with several security features in mind that would let an end entity decide their own trust. Namely, the system was made so a digital certificate issued by a certificate authority (CA) could be revoked if the certificate is compromised, or so a certificate authority could also be revoked from issuing certificates.
Netscape made some significant advancements in promoting e-commerce in its Web browser when CA certificates were bundled with Web browsers to support the new SSL protocol. While this action set up the system to trust these CAs by default, one of the biggest issues is that any CA can issue a certificate by any name. So, for example, www.google.com could be signed by a malicious CA and still appear to be the legitimate www.google.com webpage.
The authentic digital certificate used by the Zeus variant was assigned to a legitimate software company by a legitimate CA, but that didn't protect endpoints from being attacked. While the CA revoked the certificate -- which prevented some systems from trusting the signed malware -- most systems did not check revocation for a long list of reasons (for example, it may not be enabled by default in Web browsers, operating systems or other applications) and fell victim to the fraudulent certificates and malware.
Enterprises can detect if seemingly real certificates are compromised by checking certificate revocation for signed software prior to installing the software. An enterprise could also check every file downloaded over HTTP to see if the file is signed by a revoked certificate, and then prevent the download. Alternately, an enterprise could check every file on a local system to see if it is signed by a revoked certificate and then investigate any system that has been identified with a file signed by a revoked certificate.
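The local-system check described above, as an added example that is not part of the original answer: it walks a directory tree, reads each file's Authenticode signature, and rebuilds the signer's certificate chain with online revocation checking forced on, reporting files whose signer is revoked or whose revocation status could not be determined. The scan root and extension list are assumed values; it needs Windows PowerShell 5.1 or later and network access to the CAs' CRL/OCSP endpoints.

```powershell
# Added example (not from the original answer). Scans for signed files whose
# signing certificate chain is revoked or whose revocation status is unknown.
# $Root and $Extensions are assumed sample values; adjust for the environment.
param(
    [string]$Root = "C:\Users\Public\Downloads",
    [string[]]$Extensions = @("*.exe", "*.dll", "*.msi", "*.ps1")
)

function Test-RevokedSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Result = 'Unsigned'; Signer = ''; Detail = '' }
    }

    # Build the chain explicitly with online revocation checking for the whole
    # chain. Get-AuthenticodeSignature can report 'Valid' when revocation data
    # was unreachable, so this step is what actually surfaces 'Revoked'.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($sig.SignerCertificate)

    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chain.Reset()

    $result = 'Trusted'
    if ($statuses -contains 'Revoked') {
        $result = 'Revoked'
    } elseif ($statuses -contains 'RevocationStatusUnknown' -or $statuses -contains 'OfflineRevocation') {
        $result = 'RevocationUnknown'   # could not verify; treat as suspect, not as valid
    } elseif ($statuses.Count -gt 0 -or $sig.Status -ne 'Valid') {
        $result = "Untrusted:$($sig.Status)"
    }

    [pscustomobject]@{
        Path   = $Path
        Result = $result
        Signer = $sig.SignerCertificate.Subject
        Detail = ($statuses -join ',')
    }
}

# Report only the files an analyst needs to look at: revoked, unknown, or untrusted.
Get-ChildItem -Path $Root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-RevokedSignature -Path $_.FullName } |
    Where-Object { $_.Result -notin @('Trusted', 'Unsigned') } |
    Sort-Object Result | Format-Table -AutoSize
```

Files reported as RevocationUnknown are as important as Revoked ones when triaging: a host that cannot reach the CRL or OCSP responder is exactly the case the answer describes, where the revocation happened but the endpoint never learned of it.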
Learn more about how the Flame malware used fraudulent certificates and more methods for defending against them.