August 5th, 2010, 10:21 GMT · By

Zbot Authors Forge Kaspersky Digital Signature

[Image: Kaspersky digital signature copied by Zbot]
Security researchers warn that multiple recent Zbot variants carry a forged digital signature in an attempt to bypass antivirus detection. Ironically, the digital signature was copied from a ZeuS removal tool developed by Kaspersky Lab.

Code signing has been around since Windows NT, but the practice saw wider adoption starting with Vista and Windows 7. For example, the 64-bit editions of these Windows versions do not load unsigned kernel-mode drivers at all, while the 32-bit editions display warnings that require user interaction. Furthermore, UAC (User Account Control) prompts differ significantly for signed and unsigned executables.

There have been isolated cases of digitally signed malware before, but the practice never really took off, primarily because malware authors did not believe the effort justified the benefits. That perception changed recently with Stuxnet, a highly sophisticated threat whose drivers were signed with certificates stolen from legitimate hardware vendors, which stands as proof that digitally signing malicious code increases its stealth.

Judging by a report from Trend Micro, more malware authors are adopting the technique. “While conducting continuous threat-monitoring activities, Trend Micro threat researchers identified multiple suspicious files that included a strange digital signature. This signature immediately caught our attention, as it seemed to be signed by legitimate antivirus company Kaspersky,” the antivirus vendor warns.

The malicious files correspond to three different variants of the ZeuS (Zbot) trojan, detected by Trend Micro as TSPY_ZBOT.BWP, TROJ_ZBOT.BYM and TROJ_ZBOT.KJT. The signature was simply copied from the original file, a Kaspersky anti-ZeuS tool called “ZbotKiller”, and attached to the malicious samples. An Authenticode signature covers a hash of the file it was created for, so a signature transplanted onto a different binary fails verification: the hash does not match and Windows is not fooled by the forgery.

However, the trick has other benefits. Since signed malware has been such a rare occurrence, some antivirus products use the mere presence of a digital signature on an executable, valid or not, as a cue to avoid a possible false positive. “This seems to be a growing trend among cybercriminals […]. It is likely that we will continue to see more such incidents in the future,” the Trend Micro researchers warn.
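The two points above, that a transplanted signature fails the hash check and that "has a certificate table" is a worthless trust signal, can be shown end to end. The following is an added example written for this article; it is not code from Softpedia, Kaspersky or Trend Micro, and it touches no real sample. It implements the Authenticode file hash as Microsoft specifies it (every byte of the PE except the CheckSum field, the Security data-directory entry and the attribute certificate table itself), builds two constructed, unsigned PE32 images in memory as stand-ins for ZbotKiller and a Zbot sample, and attaches a stand-in "signature" blob that holds only the file hash. A real Authenticode signature is a PKCS#7 SignedData whose SpcIndirectDataContent carries that hash and whose signer chain must also be validated; neither the certificate chain nor the RSA signature is modelled here, and all function names are the example's own.

```python
# Added example: Authenticode hash binding vs. mere signature presence.
# Constructed PE images and a stand-in signature blob; no real binaries or certificates.
import hashlib
import struct

PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _security_dir_offset(pe: bytes) -> int:
    """File offset of the IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) entry."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    return opt + (112 if magic == PE32PLUS_MAGIC else 96) + 4 * 8


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed, unsigned PE32 image with one .text section (only meant to be hashed)."""
    size_of_headers, file_align, size_of_optional = 0x200, 0x200, 224
    raw_size = -(-len(code) // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)           # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + sect
    return headers.ljust(size_of_headers, b"\0") + code.ljust(raw_size, b"\0")


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode digest of a PE32/PE32+ image, the value a signature actually covers."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    security_off = _security_dir_offset(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, security_off)
    # Headers, skipping CheckSum and the Security directory entry (both change when signing)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:security_off])
    h.update(pe[security_off + 8:size_of_headers])
    # Section raw data, in ascending file-offset order
    sect_table = opt + size_of_optional
    sections = [struct.unpack_from("<II", pe, sect_table + i * 40 + 16)[::-1]
                for i in range(num_sections)]                      # (PointerToRawData, SizeOfRawData)
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(s for s in sections if s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Any overlay is hashed too, minus the certificate table itself
    tail = pe[hashed:]
    if cert_size and cert_off >= hashed:
        tail = tail[:cert_off - hashed] + tail[cert_off - hashed + cert_size:]
    h.update(tail)
    return h.hexdigest()


def attach_certificate_table(pe: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE holding `blob` and point the Security directory at it,
    which is all that transplanting a signature from one file onto another does."""
    out = bytearray(pe)
    out += b"\0" * (-len(out) % 8)                                 # table is 8-byte aligned
    cert_off = len(out)
    entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    entry += b"\0" * (-len(entry) % 8)
    out += entry
    struct.pack_into("<II", out, _security_dir_offset(pe), cert_off, len(entry))
    return bytes(out)


def signed_digest(pe: bytes):
    """Digest recorded in the stand-in blob (a real verifier parses SpcIndirectDataContent)."""
    cert_off, cert_size = struct.unpack_from("<II", pe, _security_dir_offset(pe))
    if not cert_size:
        return None
    length = struct.unpack_from("<I", pe, cert_off)[0]
    return pe[cert_off + 8:cert_off + length].hex()


def has_signature(pe: bytes) -> bool:
    """The weak cue the article describes: 'signed' means a certificate table exists."""
    return struct.unpack_from("<II", pe, _security_dir_offset(pe))[1] != 0


def verify(pe: bytes) -> bool:
    """The check that binds signature to file: recorded digest == recomputed digest."""
    return signed_digest(pe) == authenticode_hash(pe)


if __name__ == "__main__":
    removal_tool = build_minimal_pe(b"\xcc" * 100)   # constructed stand-in for ZbotKiller
    zbot_sample = build_minimal_pe(b"\x90" * 100)    # constructed stand-in for a Zbot sample
    sig = bytes.fromhex(authenticode_hash(removal_tool))  # what the tool's signature attests to
    forged = attach_certificate_table(zbot_sample, sig)
    print("tool verifies:", verify(attach_certificate_table(removal_tool, sig)))
    print("forged Zbot has a signature:", has_signature(forged))
    print("forged Zbot verifies:", verify(forged))
```

On a real file the equivalent check is `signtool verify /pa /v file.exe` or, in PowerShell, `Get-AuthenticodeSignature file.exe`, which reports `HashMismatch` rather than `Valid` for a transplanted signature; a detection rule or allowlist should key on that status (and on the signer's chain and thumbprint), never on the existence of a certificate table.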
