15 Mar Mediyes – the dropper with a valid signature Vyacheslav Zakorzhevsky
10 Feb When Certificate Authority Business Models and Vendor Certificate Policies Clash Kurt Baumgartner
04 Nov Regaining Trust in the PKI Kurt Baumgartner
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Post was updated 19.03.2012 (see below)
In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively.
Numerous dropper files have been identified that were signed on various dates between December 2011 and 7 March 2012. In all those cases a certificate was used that was issued for the Swiss company Conpavi AG. The company is known to work with Swiss government agencies such as municipalities and cantons.
Information about the Trojan-Dropper.Win32.Mediyes digital signature
A very important “internet trust” discussion is underway that has been hidden behind closed doors for years and in part, still is. While the Comodo , Diginotar, and Verisign Certificate Authority breaches forced discussion and action into the open, this time, this “dissolution of trust” discussion trigger seems to have been volunteered by Trustwave's policy clarification, and followup discussions on Mozilla's bugzilla tracking and mozilla.dev.security.policy .
The issue at hand is the willful issuance of subordinate CAs from trusted roots for 'managing encrypted traffic', used for MitM eavesdropping, or wiretapping, of SSL/TLS encrypted communications. In other words, individuals attempting to communicate over twitter, gmail, facebook, their banking website, and other sensitive sites with their browser may have their secure communications unknowingly sniffed - even their browser or applications are fooled. An active marketplace of hardware devices has been developed and built up around tapping these communications. In certain lawful situations, this may be argued as legitimate, as with certain known DLP solutions within corporations. But even then, there are other ways for corporate organizations to implement DLP. Why even have CA's if their trust is so easily co-opted? And the arbitrary issuance of these certificates without proper oversight or auditing in light of browser (and other software implemented in many servers and on desktops, like NSS ) vendor policies is at the heart of the matter. Should browser, OS and server software vendors continue to extend trust to these Certificate Authorities when the CA’s activities conflict with the software vendors’ CA policies?
The SSL PKI has been in use and implemented for 15 years now to secure online communications. From its initial proprosals and immediate growth, the need for secured online communications has been met with challenges. The infrastructure and protocol itself is showing signs of wear, with multiple attacks and corrections to the scheme itself. And in its 15th year, an alternative to the Cerificate Authority infrastructure is finally being given some competition with the release and debate around Convergence, an open source alternative to the current system of Certificate Authorities. Feel free to right click and download for the full sized version; the graphic below provides a list of some of the major events for SSL/TLS PKI in the past 15 years.