HP's certificate authority was not compromised

Oct 10, 2014 22:09 GMT

HP, the computer and software maker that recently announced a split of its business, is notifying its customers that it is revoking a digital certificate that was used to sign malware, security blogger Brian Krebs has learned.

The company received an alert from Symantec, which has also decided to divide into two separate businesses, about a four-year-old Trojan that HP had signed by mistake.

Malware was inadvertently included in the software signing process

It appears that the threat infiltrated the computer of an HP developer and renamed itself to look inconspicuous: the new file name used by the Trojan was that of a tool the company uses for software testing.

From there, receiving a valid signature was just a small step: the company included the malicious file in a software package that was signed with HP's digital certificate.

In a conversation with Krebs, Brett Wahlin, HP’s global CISO (chief information security officer), said that the software package never made it to customers.

Symantec discovered the signed threat outside HP's network. Upon investigating the malware, researchers found that the malicious file had the ability to copy itself back to its point of origin.

Code signing is used by developers to ensure that the integrity of a file installed by the user has not been compromised and that the file is exactly as the developer intended. In short, the procedure verifies that a program is genuine and has not been tampered with.

Revoking the certificate has consequences

After revoking the certificate used for signing the malicious code (the certificate itself expired a few years ago), HP has to use another one to validate all software that is already in use.

Verisign, the certificate authority used by HP, will officially revoke the digital certificate on October 21. From that date on, any user trying to install drivers from old media kits will see a Windows alert, triggered by the invalid signature, asking them to intervene.

The trouble is that HP used the certificate to sign numerous software packages for hardware and drivers

To prevent this, the new certificate has to be made available to Windows so that it recognizes the software signed with it.
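As an added illustration of the check an administrator would run ahead of such a revocation date (this is not code from the article, HP or Verisign), the PowerShell below inventories signed binaries under a path and groups them by signer thumbprint, so that packages whose signature chains to the affected certificate, and files that already fail verification, can be identified. The directory and the thumbprint are placeholders to be replaced with real values.

```powershell
# Added example, not from the article. Inventory Authenticode signatures under a path
# and flag files signed with a certificate that is about to be revoked.
# Both parameter defaults are placeholders, not values taken from HP or Verisign.
param(
    [string]$Path = "C:\SWSetup",                      # assumed location of driver / media kit content
    [string]$RevokedThumbprint = "PLACEHOLDER_THUMBPRINT"
)

$report = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            NotAfter   = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            # A countersignature timestamp is what keeps a signature checkable after the
            # signing certificate expires; revocation, unlike expiry, invalidates it.
            TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        }
    }

# Packages chaining to the certificate being revoked: these are the ones that will start
# triggering the Windows signature alert once the revocation is published.
$affected = $report | Where-Object { $_.Thumbprint -eq $RevokedThumbprint }
"Files signed with the certificate to be revoked: $($affected.Count)"
$affected | Format-Table File, Status, NotAfter, TimeStamper -AutoSize

# Files that already fail verification (unsigned, tampered, untrusted chain) deserve a
# look regardless of which certificate signed them.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table File, Status, Signer -AutoSize
```

Run it against a mounted copy of the old media kit before the revocation date so the list of packages that need re-signing, or whose users need the new certificate installed, is known in advance.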

It is important to note that even when a digital signature is provided for a package, this does not guarantee that the package contains no harmful code. Recently, a signed variant of the CryptoWall ransomware was found to be delivered through a malvertising campaign.