Kaspersky Lab experts came across malware that had been signed with a legitimate code-signing certificate issued by Symantec's VeriSign to a Swiss company called Conpavi AG, a firm known for working with Swiss government agencies.
Identified by Kaspersky as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes, depending on the variant, the dropper files were signed somewhere between December 2011 and March 7, 2012.
Mediyes has infected around 5,000 computers, most of them in Western Europe, which is consistent with the stolen certificate belonging to a Swiss company and the command and control server being located in Germany.
So how does this malware operate?
The 32-bit variant of the dropper carries its own driver, which it writes to the system's driver directory before deleting itself. The driver is unsigned, but 32-bit Windows does not enforce kernel-mode driver signing, so that does nothing to stop it from loading.
This driver, detected as Rootkit.Win32.Mediyes, has two main functions: injecting a DLL (Trojan.Win32.Mediyes) into a web browser process, and hiding Mediyes' presence on the system.
By injecting into the browser, the crooks can intercept the user's Google, Yahoo! and Bing search requests and substitute results of their own. A pay-per-click partner program called Search 123 pays the cybercriminals a certain amount for each search the user performs.
Worse, the Search 123 results are clicked automatically, without any user interaction, so the victim sees nothing unusual and the activity is harder to detect.
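Two things in the description above are checkable on a Windows host: an unsigned driver sitting in the driver directory (which a 32-bit system will happily load), and a validly signed file whose signer is a company whose certificate is known to have been stolen. The script below is an added example, not code from Kaspersky or from this article; it inventories the driver directory with the built-in Get-AuthenticodeSignature cmdlet and reports both conditions. The watchlist entry is an assumption for illustration and should be replaced with your own threat intelligence.

```powershell
# Added example (not from the article or from Kaspersky): inventory kernel drivers and flag
#   (a) files whose Authenticode signature does not verify (unsigned, tampered, untrusted chain), and
#   (b) files whose signer subject matches a watchlist of organisations known to have lost a certificate.
# The watchlist content is an assumption for illustration.

function Find-SuspiciousDriver {
    param(
        [string]   $DriverPath = "$env:SystemRoot\System32\drivers",
        [string[]] $SignerWatchlist = @('Conpavi AG')   # assumed entry; populate from your own intel
    )

    Get-ChildItem -Path $DriverPath -Filter '*.sys' -File | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch, NotTrusted, UnknownError: all worth a look, especially on 32-bit Windows
            [pscustomobject]@{
                File    = $file.FullName
                Finding = "Signature status: $($sig.Status)"
                Signer  = $null
                Issuer  = $null
            }
            return
        }

        # Signature verified; now check whether the signer is someone we no longer trust.
        $subject = $sig.SignerCertificate.Subject
        foreach ($name in $SignerWatchlist) {
            if ($subject -like "*CN=$name*") {
                [pscustomobject]@{
                    File    = $file.FullName
                    Finding = 'Valid signature from a watchlisted signer'
                    Signer  = $subject
                    Issuer  = $sig.SignerCertificate.Issuer
                }
            }
        }
    }
}

# Usage: run from an elevated prompt and review the findings.
Find-SuspiciousDriver | Format-Table -AutoSize
```

Note the caveat behind condition (b): a Status of Valid only means the signature verifies against a trusted chain. Until the issuing CA revokes a stolen certificate and the host actually fetches that revocation information, malware signed with it will look exactly like legitimate software, which is why a signer watchlist is worth keeping alongside the signature check rather than relying on Valid alone.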
Few would dispute that the Mediyes Trojan is dangerous, but what about the stolen certificate?
Jeff Hudson, CEO of Venafi, a market leader in Enterprise Key and Certificate Management (EKCM) solutions, believes the stolen certificate should be a major concern.
“The Trojan-Dropper.Win32.Mediyes malware is a wolf in sheep's clothing and in this case the clothing has the VeriSign brand sewn in the label. Kaspersky's researcher has done an excellent job of finding the wolf, but more needs to be said about the primary culprit -- the stolen digital certificate,” Hudson said.
“The world’s Fortune-ranked organizations and government agencies utilize thousands and even tens of thousands of certificates and keys—in the data center, private clouds and increasingly on mobile devices—to protect data and authenticate systems.
“They’re nearly ubiquitous, yet receive little attention or management oversight and therefore can pose tremendous risks.”
He also offers some advice for organizations and consumers who want to ensure that they are protected against this type of malware. Here are his tips:
1. If your organization relies on digital certificates to securely run its business, make sure you are prepared to immediately revoke and replace breached certificates and encryption keys in instances like these in order to mitigate the threat of malware using them for authentication;
2. If your organization relies on digital certificates to protect data and secure mission-critical systems, make sure you have an accurate, real-time and automated platform in place that assesses and inventories your deployed certificates;
3. If your organization relies on a CA to issue your certificates, be certain you have a recovery plan in case of compromise that allows you to immediately revoke and then re-issue any that have been affected;
4. If your organization's employees browse the Internet while connected to your network, make sure you have safeguards in place that stop them from visiting sites with questionable certificates;
5. If you are an individual user, never visit a website if you receive a warning that the digital certificate is revoked, expired or otherwise in question.