According to a report released by Internet security firm Comodo earlier this morning, a new form of the popular malware strain ZeuS has been spotted; this time, however, it’s in pretty much the last place you’d expect.
See, the reason researchers have been drawn to this story more than others of late is that, unlike most malware, this new bank-targeting variant of ZeuS is capable of hiding its activities under the guise of a perfectly harmless digital signature that was personally handed down to it by Microsoft. Although the certificate was originally intended for a small third-party developer from Switzerland, the hackers have found a way to hijack the communication process and exploit the delicious data contained within.
By somehow gaining access to the supposedly secret cryptographic key handed to anyone deemed worthy of the trust certificate, the agents behind the attack are able to use Microsoft’s own verification system against itself, creating permissions and granting new user IDs to anyone who might want to take control of an infected machine from behind a remote server.
“Windows, iOS, Android, and Linux all use code signing to ensure that only legitimate, signed code is installed and executed,” explained Richard Moulds of Thales e-Security, citing the importance of proper key management to prevent this sort of attack in the future. “Code signing provides the best mechanism for proving that code hasn’t been modified and therefore is a way of spotting malware-infected software and rejecting it. If an attacker can sign their malicious code in a way that passes this validation process, they are a huge step further in mounting an attack.”
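To make the point in that quote concrete, here is an added illustration (not code from Comodo, Thales or Microsoft, and not the real Authenticode format) written in Go with the standard library’s Ed25519 primitives. A loader that trusts a publisher’s public key will reject code that has been modified after signing, but it will happily accept anything signed with that publisher’s private key, which is exactly why a leaked key is so valuable and why the only defense after a leak is revocation. The publisher name, the byte strings standing in for an installer and a payload, and the toy revocation list are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// GenerateKeys models issuing a code-signing identity: the public key is what
// the operating system ends up trusting, the private key is what the
// publisher must keep secret. (Constructed example, not a real CA flow.)
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignCode produces a detached signature over the SHA-256 digest of the
// code, mirroring how real code signing signs a hash of the binary.
func SignCode(priv ed25519.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	return ed25519.Sign(priv, digest[:])
}

// Revocations is a toy stand-in for a certificate revocation list, keyed by
// the hex-encoded public key.
type Revocations map[string]bool

// KeyID returns the identifier under which a key is listed as revoked.
func KeyID(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub)
}

// VerifyCode does what a loader does before running a signed binary: refuse
// keys that have been revoked, then check the signature against the code.
// Note what it cannot do: tell whether the signer was the legitimate
// publisher or someone holding a stolen copy of the private key.
func VerifyCode(pub ed25519.PublicKey, code, sig []byte, revoked Revocations) (bool, string) {
	if revoked[KeyID(pub)] {
		return false, "publisher key revoked"
	}
	digest := sha256.Sum256(code)
	if !ed25519.Verify(pub, digest[:], sig) {
		return false, "signature does not match code"
	}
	return true, "signature valid"
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	noRevocations := Revocations{}

	// 1. The legitimate publisher signs a genuine build: accepted.
	installer := []byte("constructed sample: genuine installer bytes")
	sig := SignCode(priv, installer)
	fmt.Println(VerifyCode(pub, installer, sig, noRevocations))

	// 2. Someone alters the signed bytes: integrity check fails.
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 0xff
	fmt.Println(VerifyCode(pub, tampered, sig, noRevocations))

	// 3. An attacker with a copy of the private key signs a different
	//    payload: it validates exactly like the genuine build did.
	payload := []byte("constructed sample: unrelated payload")
	fmt.Println(VerifyCode(pub, payload, SignCode(priv, payload), noRevocations))

	// 4. Once the key is known to be compromised and revoked, both the
	//    attacker's and the publisher's signatures are refused.
	revoked := Revocations{KeyID(pub): true}
	fmt.Println(VerifyCode(pub, payload, SignCode(priv, payload), revoked))
}
```

Step 3 is the situation the article describes: the signature is mathematically valid, so validation alone cannot distinguish the Swiss developer’s builds from the attacker’s. Step 4 is why certificate revocation, and checking for it at load time, matters as much as the signature check itself.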
It’s this ease of execution, so far without any interference, that has the TechNet team at Microsoft the most concerned, as it showcases a level of skill and stealth that none of them even knew was possible until today.
Whatever the outcome of this case of cybercrime, it’s clear that criminals are starting to take cues from the playbooks of state-sponsored malware efforts like Flame and Stuxnet, which both relied on a similar tactic to make their way into the networks of the Iranian uranium enrichment program back in 2012.