
How to detect fraudulent certificates that look real

Malware using seemingly real digital certificates is becoming more prevalent. Expert Nick Lewis discusses how to detect fraudulent certificates.

Reports say Zeus is back, this time with its own authentic digital certificate. How can I detect a Trojan that has such a seemingly real certificate?

Public key infrastructure (PKI) was designed with several security features that let a relying party decide for itself what to trust. In particular, a digital certificate issued by a certificate authority (CA) can be revoked if the certificate or its private key is compromised, and a CA itself can lose its ability to issue trusted certificates, either by having its own certificate revoked or by being removed from the trust stores that relying parties use.

Netscape made significant advances in promoting e-commerce when it bundled CA certificates with its Web browser to support the then-new SSL protocol. While this set browsers up to trust those CAs by default, one of the biggest weaknesses of the model is that any trusted CA can issue a certificate for any name. So, for example, a certificate bearing a well-known site's name could be issued by a malicious or compromised CA, and the browser would still present that site as legitimate.

The digital certificate used by this Zeus variant was genuine: a legitimate CA had issued it to a legitimate software company, and it was then misused to sign the malware, so signature verification on its own succeeded. That is why the signature did nothing to protect endpoints. The CA revoked the certificate once the abuse came to light, which stopped some systems from trusting the signed malware, but most systems never checked revocation, for a long list of reasons: revocation checking may not be enabled by default in Web browsers, operating systems or other applications; where it is enabled it often fails open, treating an unreachable CRL or OCSP responder as "not revoked"; and software that is already installed is rarely rechecked. Those systems kept trusting the signed malware.

Enterprises can detect a seemingly valid certificate that has been compromised by checking the certificate's revocation status, not merely that the signature verifies, before installing signed software. The same check can run at the network edge: inspect every file downloaded over HTTP and block the download if it is signed with a revoked certificate. It can also run retrospectively: scan every signed file on each local system for a signing certificate that has since been revoked, and investigate any system where one turns up, since the file may already have executed. Two caveats apply. A revocation check that cannot obtain a current, authenticated CRL or OCSP response should be treated as a failure rather than as a pass; otherwise it reproduces the fail-open behaviour that let the Zeus sample through. And because code-signing platforms such as Windows honour a countersigned timestamp, a signature made before the certificate's revocation date can still be considered valid; the revocation only covers the malware if the CA backdates it to when the key was compromised, so a scan should compare the signing time against the revocation date rather than only matching the serial number.
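To make that check concrete, here is an added example written for this page in Go using only the standard library; it is not code from the original article or from any vendor tool. It builds a throwaway CA, issues a code-signing certificate to a fictional vendor, signs a constructed "malware" file with that certificate, and then classifies the file against the CA's CRL from before and after the revocation. The signed-file format, the names and the serial numbers are all assumptions for illustration (real Authenticode signatures are PKCS#7 structures with timestamps), but the revocation logic is the one the paragraph describes: match the leaf certificate's serial number against an authenticated, current CRL, and refuse to decide when no such CRL is available. It goes slightly beyond the text by also exercising a tampered file and a missing or stale CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedFile is a constructed, simplified model of a signed executable (not real
// Authenticode): file bytes, an ECDSA-SHA256 signature over them, and the DER of
// the code-signing (leaf) certificate that produced the signature.
type SignedFile struct{ Content, Sig, LeafDER []byte }

const (
	Valid     = "valid"           // chain, signature and revocation all pass
	Untrusted = "untrusted-chain" // leaf does not chain to the trusted CA
	BadSig    = "bad-signature"   // content changed after signing
	Revoked   = "revoked"         // genuine signature, but the cert is on the CA's CRL
)

// Classify checks chain and signature, then the CA's CRL. ca is both trust anchor
// and CRL issuer (a one-level chain, for brevity). It fails closed (error, no
// verdict) when the CRL is missing, stale or not signed by ca: a revocation
// check that cannot be made must never be reported as "valid".
func Classify(f SignedFile, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) (string, error) {
	leaf, err := x509.ParseCertificate(f.LeafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return Untrusted, nil
	}
	if leaf.CheckSignature(x509.ECDSAWithSHA256, f.Content, f.Sig) != nil {
		return BadSig, nil
	}
	if crl == nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL missing, stale or not issued by %q; refusing to trust", ca.Subject.CommonName)
	}
	for _, rc := range crl.RevokedCertificates { // revocation is matched by serial number
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Valid, nil
}

var Now = time.Date(2014, 4, 1, 0, 0, 0, 0, time.UTC) // fixed "current time" of the constructed scenario

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario constructs the fixtures: a private CA, a "malware" file signed with a
// code-signing cert the CA issued to a fictional vendor, and the CA's CRLs from before
// and after it revoked that cert. Nothing here is real-world data.
func BuildScenario() (ca *x509.Certificate, malware SignedFile, beforeCRL, afterCRL *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), SubjectKeyId: []byte{1, 2, 3, 4},
		Subject:   pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: Now.Add(-24 * time.Hour), NotAfter: Now.Add(87600 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to issue CRLs
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafDER := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(4242),
		Subject:     pkix.Name{CommonName: "Legitimate Software Co. (constructed)"},
		NotBefore:   Now.Add(-24 * time.Hour), NotAfter: Now.Add(8760 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, &leafKey.PublicKey, caKey))
	// The vendor's signing key, later misused by the malware authors, signs the file.
	content := []byte("MZ... Zeus dropper bytes (constructed)")
	digest := sha256.Sum256(content)
	malware = SignedFile{Content: content, Sig: must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:])), LeafDER: leafDER}
	crl := func(number int64, revoked []pkix.RevokedCertificate) *x509.RevocationList {
		der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(number),
			ThisUpdate: Now, NextUpdate: Now.Add(168 * time.Hour), RevokedCertificates: revoked}, ca, caKey))
		return must(x509.ParseRevocationList(der))
	}
	beforeCRL = crl(1, nil) // the CA has not yet heard of the abuse
	afterCRL = crl(2, []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: Now}})
	return ca, malware, beforeCRL, afterCRL
}

func main() {
	ca, malware, before, after := BuildScenario()
	fmt.Println(Classify(malware, ca, before, Now)) // valid <nil>: the signature really is genuine
	fmt.Println(Classify(malware, ca, after, Now))  // revoked <nil>
}
```

The "before" CRL is the Zeus situation: chain and signature are perfectly good, so a scanner that stops at signature verification reports the malware as valid. Only the CRL lookup turns that into "revoked". Note also that Classify returns an error, not a verdict, when the CRL is absent, stale or not signed by the CA; returning "valid" in those cases would be exactly the fail-open behaviour that let most systems run the signed Trojan.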

Next Steps

Learn more about how the Flame malware used fraudulent certificates and more methods for defending against them.

This was last published in October 2014
