The Latest in IT Security

Adobe Cert Used to Sign Malware

28 Sep 2012

Adobe’s head of product security, Brad Arkin, published a very interesting post on Thursday.

As it turns out, one of Adobe’s build servers was compromised and was used to create malicious files with Adobe’s digital signature.

Brad Arkin's post: Inappropriate Use of Adobe Code Signing Certificate

According to the accompanying Security Advisory, there are two “utilities” consisting of three files. The Adobe-signed versions are isolated to a single source according to Adobe, and our back-end metrics concur: none of the Adobe-signed files have been seen within our customer base.

There have been instances of the non-Adobe-signed PwDump7.exe, but those are limited. You can probably tell what PwDump7.exe does from its name: it steals password hashes from the Windows OS. A file that PwDump7.exe depends on is libeay32.dll, which is an OpenSSL library, and there are hundreds of thousands of pings of that (a legitimate, clean file) in our back end.

The second malicious file is called myGeeksmail.dll, which Adobe believes to be an ISAPI filter.

There is no non-Adobe-signed version of this file in the wild.

The MD5 hash of myGeeksmail.dll with the Adobe signature removed is: 8EA2420013090077EA875B97D7D1FF07
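Because the hash above is for the file with the Adobe signature removed, a defender who finds a signed copy cannot compare the on-disk MD5 directly. The following is an added example (not code from this post or from Adobe) that hashes a PE file with its Authenticode certificate table stripped and compares the result with the advisory hash. It assumes that "signature removed" can be approximated by dropping the certificate table that the security data directory points to and zeroing that directory entry; the PE checksum field is left untouched, so a signed file whose checksum was recomputed at signing time may still hash differently from the pristine unsigned build. The sample PE and the `fake_sign` helper are constructed scaffolding for the demonstration, not a real executable or a real signature.

```python
"""
Added example: hash a PE image with its Authenticode certificate table
stripped so it can be compared with an advisory hash published for the
unsigned file.  Not Adobe's tooling; the fixture below is constructed.
"""
import hashlib
import struct

# MD5 quoted in the post for myGeeksmail.dll with the Adobe signature removed.
ADVISORY_MD5_MYGEEKSMAIL = "8EA2420013090077EA875B97D7D1FF07"

SECURITY_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory_offset(pe: bytes) -> int:
    """File offset of the 8-byte security data-directory entry (offset, size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20             # after PE\0\0 and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == PE32_MAGIC:
        data_dirs = opt_hdr + 96
    elif magic == PE32PLUS_MAGIC:
        data_dirs = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return data_dirs + SECURITY_DIR_INDEX * 8


def strip_signature(pe: bytes) -> bytes:
    """Return the image without its certificate table; unsigned input is returned unchanged."""
    entry = security_directory_offset(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    if cert_off == 0 and cert_size == 0:
        return pe
    # The certificate table is appended after the last section.  Anything else
    # is unusual enough that we refuse to guess rather than silently mis-hash.
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at the end of the file")
    out = bytearray(pe[:cert_off])
    struct.pack_into("<II", out, entry, 0, 0)   # clear the security directory entry
    return bytes(out)


def md5_raw(pe: bytes) -> str:
    """MD5 of the file exactly as found on disk."""
    return hashlib.md5(pe).hexdigest().upper()


def md5_unsigned(pe: bytes) -> str:
    """MD5 of the file with the signature stripped, comparable to the advisory hash."""
    return md5_raw(strip_signature(pe))


def matches_advisory(pe: bytes, advisory_md5: str = ADVISORY_MD5_MYGEEKSMAIL) -> bool:
    """True if either the raw or the signature-stripped hash equals the advisory hash."""
    wanted = advisory_md5.upper()
    return md5_raw(pe) == wanted or md5_unsigned(pe) == wanted


# --- constructed fixture: a minimal PE32 image, not a runnable executable ---

def build_sample_pe(payload: bytes) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)                                            # 96 bytes + 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    section = bytes(40)                                             # one zeroed section header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + payload


def fake_sign(pe: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE-shaped table and point the security directory at it.
    Scaffolding only: the blob is arbitrary bytes, not a real PKCS#7 signature."""
    entry = security_directory_offset(pe)
    padded = pe + b"\0" * (-len(pe) % 8)                            # table must be 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob  # revision 2.0, PKCS_SIGNED_DATA
    out = bytearray(padded + cert)
    struct.pack_into("<II", out, entry, len(padded), len(cert))
    return bytes(out)


SAMPLE_UNSIGNED = build_sample_pe(b"hello, world\0\0\0\0")         # 368 bytes, already 8-byte aligned
SAMPLE_SIGNED = fake_sign(SAMPLE_UNSIGNED, b"not a real signature")

if __name__ == "__main__":
    print("raw       :", md5_raw(SAMPLE_SIGNED))
    print("unsigned  :", md5_unsigned(SAMPLE_SIGNED))
    print("advisory  :", matches_advisory(SAMPLE_SIGNED))
```

Run on a real sample, `md5_unsigned` is the value to compare with the advisory hash, while `md5_raw` is what most file-hash lookups report; `matches_advisory` checks both so a hit is not missed whichever form the sample is in. The end-of-file check in `strip_signature` is deliberate: a certificate table that is not the last thing in the file is a sign of tampering or an unusual layout, and it is safer to flag that than to produce a hash that quietly fails to match.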

Adobe will revoke the compromised certificate on October 4, and is currently issuing updates using a new digital certificate.

And on a final note: perhaps this is a good moment to again recommend @jarnomn’s CARO 2010 presentation, It’s Signed, therefore it’s Clean, right? [PDF] (Make sure to check out slide #25.)
