Softpedia
 

February 21st, 2011, 07:59 GMT · By

Newly Found ZeuS Sample Signed with Fake Avira Certificate



ZeuS variant forges Avira digital signature
Security researchers warn that a newly identified ZeuS sample is signed with a fake digital certificate allegedly issued to German antivirus vendor Avira.

Code signing has been possible since the days of Windows NT; however, adoption of the technology was slow until Windows Vista and Windows 7, where UAC (User Account Control) alerts look significantly different for signed and unsigned executables.

Today it is common practice to sign installers as a method to verify they haven't been tampered with, as any modification made to the code would break the original signature.

Digitally signed malware is a relatively rare occurrence because there are few options for malware authors to do it properly and it generally isn't worth the trouble.

One way is to steal a private digital key from a company and use it to sign the malicious code. This technique was used by the Stuxnet industrial sabotage worm to install a rootkit component on 64-bit versions of Windows.

Since rootkits function as drivers and 64-bit versions of Windows don't load unsigned drivers, signing the rootkit with a valid certificate was necessary.

However, the new ZeuS sample does not have a valid signature. "Viewing the properties of the digital signature, Microsoft Windows shows a note 'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.'

"Don’t misunderstand that message – it means that this certificate is not created by Avira GmbH and therefore it’s not a stolen certificate," Avira researchers note.

The certificate used to sign the sample was generated on February 10 and purports to be issued by VeriSign. However, the error message means that it doesn't match VeriSign's root certificate included in Windows, a clear sign that it's a fake.
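
The distinction drawn above, between a signature that merely names a vendor and one that chains to a trusted root, can be checked in bulk on Windows. The PowerShell script below is an added example, not code from the article or from Avira; the default folder and the vendor watch-list are assumptions to adapt. It uses `Get-AuthenticodeSignature` and the .NET `X509Chain` class to list files whose signature is not valid and to flag those whose signer certificate nevertheless claims a watched vendor name.

```powershell
# Added example: triage Authenticode signatures in a folder.
# Assumptions: $Path and $VendorNames are placeholders to adapt locally.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$VendorNames = @('Avira', 'Kaspersky')   # vendors named in the article
)

function Get-SignatureTriage {
    param([string]$File, [string[]]$VendorNames)

    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate
    $chainFlags = @()
    $claimsVendor = $false

    if ($cert) {
        # Rebuild the chain against the local trust store; skip revocation
        # lookups so the check also works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        # A chain ending in an unknown root reports the UntrustedRoot flag.
        $chainFlags = @($chain.ChainStatus | ForEach-Object { $_.Status })

        # A vendor name in the subject is only a claim made by the signer.
        foreach ($v in $VendorNames) {
            if ($cert.Subject -like "*$v*") { $claimsVendor = $true }
        }
    }

    [pscustomobject]@{
        File       = $File
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Issuer     = if ($cert) { $cert.Issuer }  else { $null }
        ChainFlags = $chainFlags -join ','
        # Vendor name present but signature not valid: treat as a forgery lead.
        Suspicious = ($claimsVendor -and $sig.Status -ne 'Valid')
    }
}

Get-ChildItem -Path $Path -Include *.exe, *.dll, *.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignatureTriage -File $_.FullName -VendorNames $VendorNames } |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Rows with `Suspicious` set to `True` are files that present a watched vendor name in the signer certificate while Windows does not report the signature as valid, which is the situation described for this sample.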

This is not the first ZeuS sample to forge the digital signature of an antivirus vendor. Back in August, we reported on a variant that purported to be signed by Kaspersky Lab.

Copyright © 2001-2012 Softpedia.
