Sep 22, 2010 07:55 GMT

Security researchers warn of a new trojan that is distributed via tax-related spam and is specifically designed to steal digital certificates from infected computers.

The new threat, detected by Symantec as Infostealer.Nimkey, arrives on systems as files called irs-pdf-f941.irs.com, report6.com or details.com.

The use of .com, an old and now rarely seen executable file extension, is clearly a social engineering trick that exploits people's familiarity with the .com domain extension.

When the trojan installer is executed, it opens a browser window to http://www.irs.gov/pub/irs-pdf/f941.pdf (Form 941 for 2010: Employer's QUARTERLY Federal Tax Return), in order to distract the user's attention from what goes on in the background.

The malware connects to servers in Poland, Moldova or Bosnia and downloads additional components called alg.exe, AcroIEHelper.dll, ChilkatCert_NT4.dll and extract_cert.exe, which it drops inside the C:\WINDOWS\inf folder.

AcroIEHelper.dll registers itself as an Internet Explorer browser helper object, logs all accessed URLs and sends the data to a server in China.

Meanwhile, the alg.exe component searches for files matching the Cert_*.p12 pattern, which are PKCS#12 digital certificate bundles.

The private keys contained in this type of file can be used to sign files, but they are protected with a passphrase.

Because of this, the trojan also features a keylogger, which captures all keystrokes and clipboard data and sends them to the attackers over HTTP.
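A simple host triage check built from the indicators named above (the .com lure names, the components dropped into the Windows inf folder, and the Cert_*.p12 files the trojan hunts for). This is an added example, not Symantec's tooling or part of the original report; the directory layout it scans is constructed inside a temporary folder so it runs offline, and the same scan_tree() function can be pointed at a real system drive.

```python
import os
import fnmatch
import tempfile

# Indicators taken from the write-up (lure names, dropped components, drop folder).
LURE_NAMES = {"irs-pdf-f941.irs.com", "report6.com", "details.com"}
DROPPED_COMPONENTS = {"alg.exe", "acroiehelper.dll", "chilkatcert_nt4.dll", "extract_cert.exe"}
DROP_FOLDER = os.path.join("windows", "inf")
TARGET_GLOB = "cert_*.p12"   # the file pattern alg.exe searches for


def classify(path, root):
    """Return a finding label for one path, or None if it is not of interest."""
    rel = os.path.relpath(path, root).lower()   # case-insensitive, like NTFS
    parent, name = os.path.split(rel)
    if name in LURE_NAMES:
        return "lure_executable"
    if name in DROPPED_COMPONENTS and parent.endswith(DROP_FOLDER):
        return "dropped_component"
    if fnmatch.fnmatch(name, TARGET_GLOB):
        # Not malicious itself: a signing key the trojan would try to exfiltrate.
        return "exposed_signing_key"
    return None


def scan_tree(root):
    """Walk root and group matching paths (relative to root) by finding label."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full, root)
            if label:
                findings.setdefault(label, []).append(os.path.relpath(full, root))
    return findings


def demo():
    """Build a constructed directory tree mimicking an infected host and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = [
            os.path.join("Windows", "inf", "alg.exe"),
            os.path.join("Windows", "inf", "AcroIEHelper.dll"),
            os.path.join("Windows", "inf", "usbstor.inf"),           # benign neighbour
            os.path.join("Users", "dev", "Downloads", "irs-pdf-f941.irs.com"),
            os.path.join("Users", "dev", "keys", "Cert_release.p12"),  # constructed name
        ]
        for rel in layout:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        return scan_tree(root)
```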

"This threat has everything required to steal private key information. Anyone who possesses this information can then digitally sign their own files with the signature of a trusted software vendor," Fergal Ladley, a malware researcher at Symantec, notes.

"As more threats steal digital certificate private keys, we are likely going to see more and more signed malware, which is unfortunately going to make digital signatures less reliable," he concludes.

Digitally signed malware was a rare occurrence until the notorious Stuxnet worm was discovered this summer. Since then the technique has also been picked up by other threats.