How nice of VeriSign to digitally sign a backdoor trojan/rootkit.
suzi, 02.13.08 - 6:15 pm

yup...
Alex eckelberry, 02.13.08 - 6:26 pm

Any exploits?
Mark, 02.13.08 - 8:26 pm

No exploits, Mark . . . Just a little bit of old-fashioned trickery.
Of course, things could change, so one should always exercise caution when investigating anything malicious.
Adam, 02.13.08 - 9:34 pm

There's nothing in the report that suggests that the certificate was issued by Verisign.
In any case, even if Verisign did issue a personal certificate to "Jeanette K. Murphy" it probably wasn't Verisign that signed the code: it was Murphy. A signature says who certifies the code; it says nothing about the quality of that code.
Unless I've missed something, the only reference to Verisign is the timestamp countersignature; this is done by a free service provided to the industry by Verisign. I can (and do) use that service to timestamp the signing of software with certificates issued by my own organization.
What would be more interesting would have been a display of the certificate chain (on the tab titled "Certification path"), showing why this certificate is being described as "OK".
Joe, 02.14.08 - 6:48 am

I have the same questions as Joe. Is Murphy's cert actually issued by VeriSign or is that a phony? If it's issued, have you reported this to VeriSign, which you can do at this page http://www.verisign.com/support/...suse/index.html ?
Larry Seltzer, 02.14.08 - 10:34 am

It isn't signed by Verisign. The code signature is time-stamped by Verisign - that simply says "this piece of binary data existed at this time".
The code-signing signature is issued by UTN-USERFirst-Object - which appears to be part of the UserTrust Network from Comodo. http://www.comodo.com/news/press...s/24_01_08.html Apparently the goal here is to give website users a personal "code-signing" certificate so they can use it to sign some kind of statement of quality/trust of websites, so that aggregated data can be used to declare which sites are more trusted by their users.
Obviously, since these user certs are free, that's going to be open to abuse like this. I'd guess the spammer has a few hundred of these certificates to sign ActiveX controls with.
Maybe it's time to untrust UserTrust?
Alun Jones, 02.14.08 - 12:04 pm

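The distinction Joe and Alun draw above (who actually signed the code, who only timestamped the signature, and which CA chain the signer's certificate hangs off) can be checked on a Windows machine with the built-in Authenticode cmdlet. This is an added example, not code from the original post or its commenters; the sample path is a placeholder.

```powershell
# Added example: report the signer, the timestamp countersigner and the
# signer's certification path for a signed PE file. The path is a placeholder.
param([string]$Path = 'C:\samples\suspect.ocx')

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status          : $($sig.Status) ($($sig.StatusMessage))"

# The signer is whoever holds the private key for this certificate. It is the
# only party vouching for the code, and only for its origin, not its quality.
$signer = $sig.SignerCertificate
if ($signer) {
    "Signer subject  : $($signer.Subject)"
    "Signer issuer   : $($signer.Issuer)"
    "Signer validity : $($signer.NotBefore) to $($signer.NotAfter)"
}

# The timestamp countersigner only asserts that the signature existed at a
# given time. Its presence says nothing about who issued the signer's cert.
$ts = $sig.TimeStamperCertificate
if ($ts) { "Timestamper     : $($ts.Subject)" } else { "Timestamper     : none" }

# Walk the certification path (what the "Certification path" tab shows) so
# the root that actually anchors the signer's certificate is visible, rather
# than the countersignature's CA.
if ($signer) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($signer)
    "Chain builds    : $built"
    $i = 0
    foreach ($el in $chain.ChainElements) {
        "  [$i] $($el.Certificate.Subject)"
        "      issued by $($el.Certificate.Issuer)"
        $i++
    }
    # Any revocation or trust problem on the path is reported here.
    foreach ($st in $chain.ChainStatus) {
        "  chain status: $($st.Status) - $($st.StatusInformation.Trim())"
    }
}
```

Compare the signer's issuer line against the timestamper line: a well-known name in the countersignature does not mean that CA issued the signing certificate.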
I'm going to follow up on this, although it may not be for a while.
Larry Seltzer, 02.14.08 - 12:16 pm

Certainly UserTrust should have no more significance than described by Alun: "this piece of binary data existed at this time".
This cert was issued on March 14, 2007. So was it a stolen code signing certificate, lifted via a trojan? Has anyone contacted Jeanette? The address looks like a real person, although perhaps her identity was used last year to get the cert.
Moike, 02.14.08 - 12:18 pm

Or, just buy a Mac and stop worrying about st00pid Windoze virii... :P
Piko, 02.14.08 - 3:50 pm

I did send this to Comodo, no real answer yet. They are the root CA as far as I can see.
Alex eckelberry, 02.14.08 - 4:08 pm

Comodo Group has since removed certificates from their free offerings.
Gerard Dunphy, 02.15.08 - 10:52 am

About Alun Jones's comment about the UserTrust/Comodo cert, it seems you are saying that their free certs can be used for code signing. I can't find anything on their site about that. (I also can't find any contact info there to ask anyone.)
Can you tell me how you know this?
Larry Seltzer, 02.15.08 - 12:17 pm

Gerard - "since"? Meaning since yesterday?
Larry Seltzer, 02.15.08 - 12:32 pm