Stolen government certificate signed malware
A governmental digital certificate has been used to sign malware. According to a report by F-Secure, the certificate was used to sign a piece of malware which has been spread through malicious PDF files, dropped after an Acrobat Reader 8 exploit had taken place. It has been signed by "anjungnet.mardi.gov.my" – mardi.gov.my is the Malaysian Agricultural Research and Development Institute. To steal a certificate capable of signing, an attacker would need not just the certificate but also a passphrase; this could have been stolen by use of a key-logger.
The Malaysian authorities told F-Secure that the certificate had been stolen "quite some time ago"; it was valid from 29 September 2009 to 29 September 2011 and has therefore now expired, removing the advantage gained by the malware in being digitally signed in the first place – unsigned applications produce a warning when the user downloads them from the web, but valid signed applications do not. However, it is still very rare to find malware signed with a key that officially belongs to a government.
(djwm)