GlobalSign revokes cert of rogue security app
Certified malware exposes shortcomings of digital certificates
GlobalSign has revoked the digital certificate of a rogue security application, which acquired a veneer of respectability by parading a valid code-signing signature while trying to scam users.
Antivirus XP 2008, identified as malware by Sunbelt Software and other security firms, was digitally signed with a certificate issued by GlobalSign. Alerted by The Register on Friday, GlobalSign acted promptly to revoke the certificate, pending an investigation.
In a statement, GlobalSign said that digital code signing only establishes the origin of a piece of software, not whether or not it is malicious.
"Like all CAs [certificate authorities], GlobalSign vets a company within strict guidelines, but we cannot form an opinion on the software they sign with the issued certificate. While we cannot provide a guarantee around the quality of the software, the certificate does provide proof of which company is responsible for the software, and therefore provides traceability to any parties using that software. This traceability allows us to perform an appropriate investigation."
"The concept of code signing certificates from any CA, whoever they are, is designed to provide assurances of origin of the software, but cannot express that it is virus-free, bug-free or malware-free," it added.
XP Antivirus 2008 is a well-known counterfeit antispyware program. Distributed through malware-tainted files, which commonly pose as video codecs, the software generates fake and misleading popup messages in an attempt to scare users into buying the package. The software has been the topic of warnings from the likes of CA and the subject of numerous removal tutorials on the web, as well as a YouTube video.
A simple Google search would have revealed something amiss with Antivirus XP 2008. So we can credit GlobalSign only with moving promptly to nip the problem in the bud. The company told us the steps it took once it was alerted to the misuse of its code signing certificate.
"GlobalSign was made aware of this alleged misuse of a code signing certificate on 15 August at approximately 14:00. The vetting archive was immediately checked to determine what was on file for the company LLC AJSBIRI. We were found to have the appropriate company documentation and incorporation documentation needed to vet the origin and existence of a company in line with the practice statement for vetting code signing certificate applicants."
"Within an hour of the reported incident we had attempted to examine the executable. However, the site was no longer live. After an unsuccessful attempt to contact the company by telephone we decided the best course of action in the short term would be to revoke the certificate. The investigation will continue with the company in question to determine why they had potentially been in breach of the subscriber agreement for permitted use of the code signing certificate," it added. ®
Bootnote
A hat tip to Sunbelt for alerting us about the appearance of more digitally-signed malware. Previously reported examples of the phenomenon include a certificate from VeriSign for an ActiveX install of 180 Search Assistant, a notorious adware package, that offered "Free Porn Access By 180 Search Tools".
COMMENTS
@ Graham Lockley
If you can really get hold of the Source Code to Vista, I'll gladly check it over for you -- at the usual hourly rate, of course, and subject to a disclaimer and bilateral warranty.
But if they won't show it to you, have you considered that perhaps it might be because there's something in there they don't want you to see?
GlobalSign needs to get its story straight...
According to the article, a GlobalSign statement said:
"Like all CAs [certificate authorities], GlobalSign vets a company within strict guidelines, but we cannot form an opinion on the software they sign with the issued certificate. While we cannot provide a guarantee around the quality of the software, the certificate does provide proof of which company is responsible for the software, and therefore provides traceability to any parties using that software. This traceability allows us to perform an appropriate investigation."
"The concept of code signing certificates from any CA, whoever they are, is designed to provide assurances of origin of the software, but cannot express that it is virus-free, bug-free or malware-free," it added.
Whilst this is, of course, entirely true -- valid signatures only "prove" that the item is signed by a "known entity" -- GlobalSign's web site suggests in several places, and at least once even outright claims something else, something more. For example:
https://www.globalsign.com/company/press/070207_code-signing.htm
"On the consumer side, ObjectSign gives those buying and downloading from the Web the confidence to acquire new software without the fear of potentially installing malware. The new security precautions also allow consumers to see where software originates and that the vendors are legitimate – on an ongoing basis this means that updates and new drivers can be seamlessly downloaded without undue delay, giving users free rein to maximise usage of their operating system and applications."
Old story -- marketing should actually talk to the tech folk so they know WTF gives.
Also, according to The Reg GlobalSign says that the LLC AJSBIRI cert has been revoked (several days ago now), yet my Windows Vista machine says that a .DLL signed with the cert Sunbelt reported to GlobalSign (same serial number per the screen shots in the Sunbelt blog entry) is still valid ("This certificate is OK." on the Certification Path tab). GlobalSign runs a CRL and OCSP so this Vista machine should be telling me that the cert is invalid/revoked (I don't know if Vista does CRL for GlobalSign certs -- anyone??).
So, can anyone actually confirm that GlobalSign has revoked this cert, or does it just claim to have revoked it?
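The two points raised above, that a valid code-signing signature proves only who signed a binary and that a revocation is invisible to any verifier that does not consult the CA's CRL (or OCSP), can be shown end to end with a throwaway CA. The following is an added example, not code from The Register, GlobalSign or Sunbelt; it uses the Python `cryptography` library and invents every name in it ("Example Root CA", "LLC EXAMPLE", the scareware payload bytes and the 15 August 2008 timestamp are constructed for the demo). The verifier deliberately models two behaviours: with `crl=None` it checks the chain and the signature and stops, which is what the commenter's Vista machine appears to be doing; with a CRL supplied it also rejects a revoked serial number.

```python
"""Added example: a code-signing cert proves origin, not safety, and a
verifier that skips revocation keeps trusting a revoked certificate.
Not GlobalSign's or The Register's code; all names and data are made up."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed clock for the demo (the date GlobalSign says it was alerted).
NOW = dt.datetime(2008, 8, 15, 14, 0)
ONE_DAY = dt.timedelta(days=1)
ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())


def make_ca():
    """Self-signed root CA; hypothetical, stands in for a commercial CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_code_signing_cert(ca_key, ca_cert, org):
    """The CA vets a company name and binds it to a key. Nothing here looks at
    what the subscriber will later sign; that is the CA's point in the article."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                         x509.NameAttribute(NameOID.COMMON_NAME, org)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def sign_binary(subscriber_key, data):
    """Detached signature over the binary; the signer, not the CA, chooses the content."""
    return subscriber_key.sign(data, ECDSA_SHA256)


def revoke(ca_key, ca_cert, cert):
    """CA publishes a CRL listing the subscriber's serial number."""
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(cert.serial_number)
             .revocation_date(NOW)
             .add_extension(x509.CRLReason(x509.ReasonFlags.cessation_of_operation), critical=False)
             .build())
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ca_cert.subject)
            .last_update(NOW).next_update(NOW + ONE_DAY)
            .add_revoked_certificate(entry)
            .sign(ca_key, hashes.SHA256()))


def verify_signed_binary(data, sig, cert, ca_cert, crl=None):
    """Verdict string. crl=None models a client that never fetches the CRL.
    (Validity-period and CRL-freshness checks are omitted to keep the demo short.)"""
    try:  # 1. chain: was the signer's cert really issued by the trusted root?
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted issuer"
    if cert.issuer != ca_cert.subject:
        return "untrusted issuer"
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:  # 2. right kind of cert?
        return "not a code-signing certificate"
    try:  # 3. does the signature cover exactly these bytes?
        cert.public_key().verify(sig, data, ECDSA_SHA256)
    except InvalidSignature:
        return "bad signature"
    if crl is not None:  # 4. has the CA withdrawn its endorsement since issuance?
        if not crl.is_signature_valid(ca_cert.public_key()):
            return "untrusted CRL"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "valid"  # says who signed it; says nothing about what it does


def demo():
    ca_key, ca_cert = make_ca()
    sub_key, sub_cert = issue_code_signing_cert(ca_key, ca_cert, "LLC EXAMPLE")
    scareware = b"MZ\x90\x00 ... 'WARNING: 347 infections found. Buy full version now!'"  # constructed
    sig = sign_binary(sub_key, scareware)
    crl = revoke(ca_key, ca_cert, sub_cert)
    return {
        "signed_scareware": verify_signed_binary(scareware, sig, sub_cert, ca_cert),
        "after_revocation_no_crl": verify_signed_binary(scareware, sig, sub_cert, ca_cert),
        "after_revocation_with_crl": verify_signed_binary(scareware, sig, sub_cert, ca_cert, crl),
        "tampered": verify_signed_binary(scareware + b"!", sig, sub_cert, ca_cert, crl),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:28} -> {verdict}")
```

The first two verdicts are the whole story: the scareware verifies as "valid" because the signature is genuine, and it still verifies as "valid" after the CA has revoked the certificate if the client never looks at the CRL. Only the verifier that fetches and checks the CRL (or asks OCSP) reports "revoked", which is the check to perform before concluding that a CA's revocation has or has not taken effect.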
re: I See (By Peter)
"Don't trust Global Sign, they can't vet for sh*t,"
Now, now -- "GlobalSign vets a company within strict guidelines" according to their own statement. If you dig around their web site a bit you find a document describing this strenuous process, but loosely for a code-signing cert (which is at issue here) it involves filling in a form and sending them copies of your national ID card (or similar for non-EU folk -- drivers license maybe??, passport), business registration papers and such.
Ohh, and of course, paying the fee...
"Simple enough, trust Verisign, the money saved just came back to cost you."
That would be the same VeriSign that issued TWO -- not one, but two -- bogus Microsoft certs DESPITE having extra special additional procedures in place as part of its issuing process for any certs in Microsoft's name?
Yeah, those VeriSign folk REALLY know how to vet!
One has to wonder how come, after that, MS kept their certificate business with VeriSign and did not revoke VeriSign's status as a default root CA the following Patch Tuesday... They certainly deserved worse for that lapse...
And although I don't have the data readily at hand, I seem to recall there have been previous instances of signed malware using valid VeriSign certs, so I don't think I'll be taking your advice...
