Advertising trojan with Swiss signature
Source: Kaspersky Lab A trojan called Mediyes is currently circulating in Germany. As reported by Kaspersky, the unusual thing about this trojan is that it was signed with a valid private key that belongs to Swiss company Conpavi AG. Conpavi promotes itself as a consultancy firm for e-governance projects, for example for the city of Lucerne.
Kaspersky says that it has sighted several versions of the dropper that were signed by Conpavi between December 2011 and 7 March 2012. This suggests that the criminals had access to the company's private key over a prolonged period of time. The private key was issued by a VeriSign Certificate Authority that is considered trustworthy by most operating systems.
On an infected system, the malware hooks into the browser to invisibly intercept any search engine queries and forward them to the server of an advertising network. Kaspersky says that the server is located in Germany and responds by sending links from the Search123 partner program. Mediyes automatically visits these links to generate revenue for the criminals. The only signed component was the dropper – the 32- and 64-bit payloads were unsigned.
How the criminals managed to sign the malware with the Swiss company's private key remains unclear. Conpavi AG did not comment when The H's associates at heise Security contacted the company by phone this morning (Monday). They were only told that "nobody is available at the moment", and that they should try again in three to four weeks.
Kaspersky has already contacted VeriSign to ensure that the key is invalidated and placed on the revocation list. A crucial factor when invalidating a key is that the correct revocation date must be entered to ensure that certificates which were created with this private key in the past are also invalidated retrospectively.
Mediyes is not an isolated case. Increasingly, anti-virus companies come across malware that is signed with a valid certificate. For example, F-Secure announced last summer that it had identified 24,000 digitally signed malware samples. The most prominent example is the Stuxnet malware that was developed for a targeted attack on a uranium enrichment facility in Iran.