Sep 9, 2010 07:50 GMT  ·  By

Security researchers from Kaspersky Lab warn that malware dropped by the latest PDF-based attacks is digitally signed with a certificate stolen from a credit union.

The new attacks targeting a zero-day vulnerability in Adobe Reader seem to be growing more sophisticated by the hour.

One of the exploits uses return-oriented programming (ROP), a relatively new technique aimed at bypassing the ASLR and DEP exploit-mitigation technologies, which are designed to prevent the execution of unauthorized code in Windows Vista and 7.

"More widespread usage of ROP for exploits is something I’ve been expecting for a while. Why? Because Windows 7 is gaining more and more traction in both the consumer and corporate space," Roel Schouwenberg, a senior antivirus researcher at Kaspersky, writes.

But the most interesting aspect of the new attack is the use of malicious files digitally signed with a stolen certificate, a technique made popular by the Stuxnet rootkit discovered back in July.

While Stuxnet used certificates stolen from integrated circuit (IC) manufacturers like Realtek Semiconductor and JMicron Technology, the certificate abused by this new threat belongs to US-based Vantage Credit Union.

There are several advantages to digitally signing malware, especially on Vista and Windows 7, where the User Account Control (UAC) prompt shown for files that are not digitally signed contains a lot of threatening text.

Another reason is that 64-bit versions of Windows only accept signed drivers, which means that installing rootkits is impossible on such systems unless their creators go to the trouble of signing them with a valid certificate.

And finally, some antivirus programs use the presence of a valid digital signature for whitelisting purposes, so in some cases the use of this method can bypass detection.
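The whitelisting problem described above is that "validly signed" is treated as "trusted". As an added example (not code from the article, Kaspersky or any vendor), the PowerShell function below treats a valid Authenticode signature as a claim to verify rather than a pass: it checks the signature status, re-walks the certificate chain with online revocation checking so a certificate revoked after theft is rejected, and only then compares the signer's subject against an allowlist of expected publishers. The allowlist contents and the file path are assumptions.

```powershell
function Test-SignerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical allowlist: subject names of the publishers you actually expect to see
        [string[]]$AllowedSubjects = @('CN=Example Corp Publisher, O=Example Corp, C=US')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # "Signed" alone proves nothing; only a Valid status means the hash and chain checked out
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Signature status: $($sig.Status) ($($sig.StatusMessage))" }
    }

    $cert = $sig.SignerCertificate

    # Re-walk the chain with online revocation checking so a certificate the CA has revoked
    # after a theft is rejected even though the signature itself still verifies
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3) on the chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null

    if (-not $chain.Build($cert)) {
        $problems = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Chain/revocation failure: $problems" }
    }

    # A stolen certificate yields a perfectly valid signature from the wrong publisher, so the
    # signer identity, not the mere presence of a signature, is what gets whitelisted
    if ($AllowedSubjects -notcontains $cert.Subject) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Valid signature from unexpected signer: $($cert.Subject) (thumbprint $($cert.Thumbprint))" }
    }

    [pscustomobject]@{ Path = $Path; Trusted = $true
                       Reason = "Signed by allowlisted publisher $($cert.Subject)" }
}

# Usage (assumed path): Test-SignerTrust -Path 'C:\Temp\dropper.exe' | Format-List
```

Revocation checking only helps once the issuer has actually revoked the stolen certificate, so the signer allowlist is the control that holds in the window between theft and revocation.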

In this particular case the stolen certificate was issued by Verisign's SSL division, which is now owned by Symantec. "Both Verisign and Vantage Credit Union have been notified so that they can take action," Schouwenberg noted.

"I think the use of valid, stolen certificates to sign malware will really take off in 2011," the security researcher added.