NEWS FROM THE LAB - Friday, September 28, 2012

Adobe Cert Used to Sign Malware Posted by Sean @ 11:53 GMT

Adobe's head of product security, Brad Arkin, published a very interesting post on Thursday.

As it turns out, one of Adobe's build servers was compromised and was used to create malicious files with Adobe's digital signature.

Inappropriate Use of Adobe Code Signing Certificate:

According to the accompanying Security Advisory, the malicious samples are two "utilities" built from three files. Adobe says the Adobe-signed versions are isolated to a single source, and our back end metrics concur: none of the Adobe-signed files have been seen within our customer base.

There have been instances of the non-Adobe-signed PwDump7.exe, but those are limited. You can probably tell what PwDump7.exe does based on its name: it dumps password hashes from Windows. An associated file that PwDump7.exe uses is libeay32.dll, which is an OpenSSL library, and there are hundreds of thousands of pings of this (a legitimate, clean file) in our back end.

The second malicious file is called myGeeksmail.dll, which Adobe believes to be an ISAPI filter.

There is no non-Adobe-signed version of this file in the wild.

The MD5 hash of myGeeksmail.dll with the Adobe signature removed is: 8EA2420013090077EA875B97D7D1FF07
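A hash "with the signature removed" only matches across researchers if everyone strips the signature the same way. The script below is an added example written for this post (it is not Adobe's or F-Secure's code and was not run against myGeeksmail.dll): it locates the Authenticode certificate table through data directory entry 4 of the PE optional header, truncates the appended WIN_CERTIFICATE blob, zeroes the directory entry, and hashes the result. The minimal PE image it builds for its own demonstration is a constructed fixture, not a real sample.

```python
"""Strip an Authenticode signature from a PE file and hash what remains.

Added example, not code from the post.  signtool appends a WIN_CERTIFICATE blob
and points data directory entry 4 (the "security" directory) at it; that
entry's address field is a raw file offset, not an RVA.  Removing the blob and
zeroing the entry gives the bytes an unsigned build would have had.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _security_dir_entry_offset(data):
    """File offset of the security data-directory entry, or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # skip 'PE\0\0' and COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                           # data directories start here
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    return dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def get_certificate_table(data):
    """(file_offset, size) of the certificate table, or None if the file is unsigned."""
    entry = _security_dir_entry_offset(data)
    if entry is None:
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    if size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size


def parse_win_certificate(data):
    """(revision, certificate_type, length) of the first WIN_CERTIFICATE header."""
    table = get_certificate_table(data)
    if table is None:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, table[0])
    return revision, cert_type, length


def strip_authenticode(data):
    """Return the file with the certificate table cut off and its directory entry zeroed.

    Only the common layout (table is the last thing in the file, as signtool
    writes it) is handled; anything else is refused rather than guessed at.
    """
    table = get_certificate_table(data)
    if table is None:
        return bytes(data)
    offset, size = table
    if offset + size != len(data):
        raise ValueError("certificate table is not at end of file; refusing to strip")
    out = bytearray(data[:offset])
    struct.pack_into("<II", out, _security_dir_entry_offset(out), 0, 0)
    return bytes(out)


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()


def md5_unsigned(data):
    """MD5 of the file as it looks with its Authenticode signature removed."""
    return md5_hex(strip_authenticode(data))


def build_test_pe(signed):
    """Constructed minimal PE32 image used as a test fixture; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    code = b"\xCC" * 64                                          # stand-in for sections
    body_len = len(dos) + len(coff) + len(opt) + len(code)
    tail = b""
    if signed:
        fake_pkcs7 = b"\x30\x82" + b"\x00" * 30                  # placeholder, not real DER
        tail = struct.pack("<IHH", 8 + len(fake_pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         body_len, len(tail))
    return bytes(dos) + coff + bytes(opt) + code + tail


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(True)
    print("certificate table:", get_certificate_table(data))
    print("MD5 as-is:        ", md5_hex(data))
    print("MD5 unsigned:     ", md5_unsigned(data))
```

Run it with a path to a signed PE to get the stripped-file hash, or with no arguments to see it work on the built-in fixture. Note that this is a deduplication hash for comparing samples, not the Authenticode PE hash that signature verification uses: that one additionally excludes the optional header's CheckSum field and the security directory entry itself, and is independent of whether a signature is present.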

Adobe will revoke the compromised certificate on October 4, and is currently issuing updates using a new digital certificate.

And on a final note: Perhaps this is a good moment to again recommend @jarnomn's CARO 2010 presentation: It's Signed, therefore it's Clean, right? [PDF] (Make sure to check out slide #25.)