Reports say Zeus is back, this time with its own authentic digital certificate. How can I detect a Trojan that...
has such a seemingly real certificate?
The public key infrastructure was designed with several security features in mind that would let an end entity decide their own trust. Namely, the system was made so a digital certificate issued by a certificate authority (CA) could be revoked if the certificate is compromised, or so a certificate authority could also be revoked from issuing certificates.
Netscape made some significant advancements in promoting e-commerce in its Web browser when CA certificates were bundled with Web browsers to support the new SSL protocol. While this action set up the system to trust these CAs by default, one of the biggest issues is that any CA can issue a certificate by any name. So, for example, www.google.com could be signed by a malicious CA and still appear to be the legitimate www.google.com webpage.
The authentic digital certificate used by the Zeus variant was assigned to a legitimate software company by a legitimate CA, but that didn't protect endpoints from being attacked. While the CA revoked the certificate -- which prevented some systems from trusting the signed malware -- most systems did not check revocation for a long list of reasons (for example, it may not be enabled by default in Web browsers, operating systems or other applications) and fell victim to the fraudulent certificates and malware.
Enterprises can detect if seemingly real certificates are compromised by checking certificate revocation for signed software prior to installing the software. An enterprise could also check every file downloaded over HTTP to see if the file is signed by a revoked certificate, and then prevent the download. Alternately, an enterprise could check every file on a local system to see if it is signed by a revoked certificate and then investigate any system that has been identified with a file signed by a revoked certificate.
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Nick Lewis
Enterprises have many options for email security best practices, ranging from deploying email security protocols to educating end users on the ... Continue Reading
Cyberattacks often begin with a port scan attack, which attackers use to find exploitable vulnerabilities on targeted systems. Learn how they work ... Continue Reading
Monitoring process memory is one way to combat fileless malware attacks. Here's what you can do to protect your network against these campaigns. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.