Malware authors are keeping pace with recent CA changes

Mar 24, 2016 15:18 GMT  ·  By
Malware now comes with dual certificates to account for a shift from SHA1 to SHA2

The impending doom of all SHA1 certificates is also having an impact on the malware scene, not just legitimate website owners and software vendors.

In a recent report, cyber-security vendor Symantec reveals that it discovered a malware family that came signed by not one, but two digital certificates, one with an SHA1 signature, and a second, a backup certificate, with an SHA2 signature.

This specific malware was the Carberp financial trojan, detected in a recent spam campaign targeting users in Denmark, Sweden, Israel, Ethiopia, and the US.

As the security researchers explain, the trojan was one of the first instances they saw where malware came signed by dual certificates to account for the recent shift in the tech sector to SHA2 after SHA1 was declared unsafe last fall.

Expect more malware signed with dual SHA1 & SHA2 certificates

The technical reasons for signing malware with SHA2 are evident. Most software vendors, and especially Microsoft, whose products are the target of most malware, have announced plans to discontinue support for new SHA1-signed certificates starting January 1, 2016. Later phases of those plans will remove support for SHA1 entirely.

A backup SHA2 certificate gives the malware a safety net: if the SHA1 signature triggers validation errors, the SHA2 signature can still be accepted. SHA1 is unlikely to disappear from current-day malware, because it lets attackers target older operating systems where SHA1 is the main code-signing mechanism, where SHA2 is not supported, and where most of the juicy, unpatched vulnerabilities still exist.
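A triage check a defender can run on a sample, added here and not taken from the article or Symantec's report: it locates a PE file's Authenticode table and reports, per signature entry, how often the SHA1, SHA256 and nested-signature OIDs occur, which is how a dual SHA1/SHA2 signing setup shows up on disk. The PE and WIN_CERTIFICATE offsets are the standard ones; SAMPLE_BLOB is a constructed byte string standing in for a PKCS#7 blob, not a real signature.

```python
import struct

# DER-encoded OIDs: tag 0x06, length, body
OIDS = {
    "sha1": bytes.fromhex("06052b0e03021a"),                       # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),             # 2.16.840.1.101.3.4.2.1
    "nested_signature": bytes.fromhex("060a2b060104018237020401"), # 1.3.6.1.4.1.311.2.4.1
}

# Constructed stand-in for a PKCS#7 blob (not a real signature): two SHA1
# OIDs, one SHA256 OID and one nested-signature attribute OID.
SAMPLE_BLOB = OIDS["sha1"] + b"\x30\x00" + OIDS["sha256"] + OIDS["nested_signature"] + OIDS["sha1"]

def scan_authenticode_blob(blob):
    """Count the OIDs above inside one PKCS#7 SignedData blob. Substring
    counting is a triage heuristic, not an ASN.1 parse: sha1 also appears in
    certificate signatureAlgorithm fields, so treat counts as 'present', not 'valid'."""
    return {name: blob.count(der) for name, der in OIDS.items()}

def build_win_certificate(body, revision=0x0200, cert_type=0x0002):
    """Wrap a PKCS#7 body in a WIN_CERTIFICATE header, padded to 8 bytes."""
    entry = struct.pack("<IHH", 8 + len(body), revision, cert_type) + body
    return entry + b"\0" * (-len(entry) % 8)

def split_win_certificates(table):
    """Yield (revision, type, body) for each WIN_CERTIFICATE in the table."""
    off = 0
    while off + 8 <= len(table):
        length, revision, cert_type = struct.unpack_from("<IHH", table, off)
        if length < 8 or off + length > len(table):
            break
        yield revision, cert_type, table[off + 8:off + length]
        off += (length + 7) & ~7

def scan_pe(path):
    """Locate IMAGE_DIRECTORY_ENTRY_SECURITY (index 4; its 'RVA' is a raw
    file offset) and scan every signature entry found there."""
    with open(path, "rb") as f:
        data = f.read()
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    table = data[sec_off:sec_off + sec_size] if sec_size else b""
    return [dict(revision=r, type=t, **scan_authenticode_blob(b))
            for r, t, b in split_win_certificates(table)]
```

On a real sample, a signature entry whose counts show both a sha256 OID and a nested_signature OID alongside sha1 is the dual-signed layout the article describes; confirm with a full signature verifier before drawing conclusions.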

The funny thing is that while malware operators have already implemented fallback systems, some legitimate site operators are having problems and are seriously lagging behind with SHA2 migration.

Just last month, Mozilla had to issue a temporary pass to a Symantec client who needed nine new SHA1 certificates issued in his name, even though the deadline had passed and the company should already have been well on its way to running SHA2.

Malware sample signed with SHA1 and SHA2 certs
