Apr 14, 2011 06:24 GMT

A recently identified ZeuS trojan sample is digitally signed with a fake certificate whose purpose is to make the piece of malware harder to detect.

According to security experts from Avira, who discovered the sample, the digital certificate is issued by an entity called "DetectMe :)" and dates from the end of February.

"We see hints like these regularly – malware authors proposing names for their malicious creations or suggesting a place where a signature based detection would be suitable. Of course, such hints are ignored by us for detection [...]," the Avira researchers note.

Although the ability to digitally sign code has been around since Windows NT, the practice has only seen wider adoption starting with Vista, where the difference between signed and unsigned executables is clearly visible in UAC (User Account Control) prompts.

Digitally signed malware, in the sense of malicious programs that actually carry a valid certificate issued by a trusted CA, is quite rare, because the benefits are hardly worth the trouble.

Nevertheless, some malware authors do sign their creations with forged certificates from time to time in an attempt to trick less sophisticated file scanners, or the users themselves.

ZeuS bot operators in particular seem more inclined to do this than others. We have previously reported on Zbot samples that came with forged Kaspersky and Avira digital signatures.

Antivirus programs can whitelist digitally signed files or treat them with less suspicion. However, because the Windows root certificate store is seen as unreliable, some vendors use their own mechanisms for tracking certificates.

The infamous Stuxnet industrial espionage worm raised the bar as far as digitally signed malware is concerned. In order to install correctly on 64-bit Windows 7 systems, its rootkit components were signed with legitimate digital certificates stolen from hardware manufacturers Realtek and JMicron.
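The two cases above, a self-signed "DetectMe :)" certificate and stolen but genuine Realtek/JMicron certificates, fail different checks: the first never chains to a trusted root, the second chains fine until the certificate is revoked. The following PowerShell function is an added example (not from the article, Avira or any vendor) that reports both, building the chain itself with online revocation checking and requiring the code-signing EKU rather than trusting the bare fact that a file "is signed". The sample path is an assumption.

```powershell
# Added example: report whether a PE file's Authenticode signature chains to a
# trusted root, whether revocation was checked, and whether the signer is
# self-signed. The sample path below is an assumed placeholder.
function Get-SignerTrustReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File    = $Path
        Status  = $sig.Status      # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer  = $null
        Root    = $null
        Chained = $false
        Issues  = @()
    }
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$report
    }
    $cert = $sig.SignerCertificate
    $report.Signer = $cert.Subject

    # Build the chain ourselves: online revocation catches the stolen-but-genuine
    # certificate case once the CA revokes it; the code-signing EKU policy rejects
    # certificates that were never meant for signing executables.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $report.Chained = $chain.Build($cert)

    if ($chain.ChainElements.Count -gt 0) {
        $last = $chain.ChainElements.Count - 1
        $report.Root = $chain.ChainElements[$last].Certificate.Subject
    }
    $report.Issues = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    # A signer that is its own issuer (the "DetectMe :)" pattern) can never be
    # more trustworthy than whoever generated the key, so flag it explicitly.
    if ($cert.Subject -eq $cert.Issuer) {
        $report.Issues += 'SelfSigned: signer certificate is its own issuer'
    }
    [pscustomobject]$report
}

Get-SignerTrustReport -Path 'C:\samples\suspect.exe' | Format-List
```

A file whose Status is Valid but whose Root is not one you recognise, or whose Issues list contains a Revoked or RevocationStatusUnknown entry, deserves the same scrutiny as an unsigned one.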