Wilders Security Forums  

  #1  
Old September 27th, 2012, 08:19 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,189
Adobe to revoke crypto key abused to sign malware apps (corrected)

Quote:
by Dan Goodin

Adobe is revoking a cryptographic key used to confirm the authenticity of its applications after discovering it was compromised by attackers who abused it to validate malicious software.

The "inappropriate use" of the Adobe code signing certificate was pulled off by attackers who compromised a build server used to compile and package the company's applications, Adobe officials said in a statement published on Thursday. The server had access to the Adobe code-signing infrastructure, which forensic investigators have determined was used to sign two samples of malicious software.
http://arstechnica.com/security/2012...-malware-apps/
  #2  
Old September 27th, 2012, 08:27 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Wrote about this earlier.

Adobe's response has been top notch when you remember what the typical CA's responses are, i.e. hiding it.

This was a targeted attack - most users should not worry.
  #3  
Old September 27th, 2012, 09:41 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,125
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

See also:
http://blogs.adobe.com/asset/2012/09...rtificate.html
http://www.adobe.com/support/securit...apsa12-01.html
http://www.wired.com/threatlevel/201...l-cert-hacked/
http://www.securityweek.com/adobe-re...d-sign-malware
  #4  
Old September 28th, 2012, 02:15 AM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

So if I am understanding this correctly, Adobe has internal software build servers. Someone cracked into one of those servers, put their own malicious software on there, and then sent it on to be signed by Adobe. Are there not mechanisms in place to check *what* software is being signed? It seems to me that the Adobe signing server just blindly trusts anything that comes from its build server IP addresses. Such an amateur mistake by such a large company.

Here is how it should work: Each Adobe developer should have his/her own key-pair. Once they get ready to send some code to the build server, they sign it first. The build server has a list of those public keys and then checks to make sure it is signed by a valid developer. From there it builds and can be sent on to be signed by the official Adobe key. And the master Adobe signing key should be locked away and air-gapped from the network.

The weak link in this system is the developers themselves having their personal keys stolen. One way to mitigate that is to enforce a policy that the developer's development machine must never touch the network. Or perhaps instead of that they could provide them crypto-sticks where the keys are stored and, thus, cannot be stolen.

But in any case, merely having the signing server blindly sign anything that comes from the build server was a stupid idea.
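The pipeline chronomatic sketches above, as an added example (not code from the thread, from Adobe, or from any real build system): a Go model in which the build server checks every submission against an allowlist of developer public keys, and the release key signs only artifacts the build server has vouched for, so the sender's address never decides anything. The developer IDs, the Ed25519 keys and the artifact bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// BuildServer models the proposed design: an allowlist of developer public keys
// and a record (keyed by SHA-256) of artifacts whose developer signature verified.
type BuildServer struct {
	trusted  map[string]ed25519.PublicKey
	accepted map[[32]byte]bool
}

func (b *BuildServer) Register(dev string, pub ed25519.PublicKey) { b.trusted[dev] = pub }

// Submit admits an artifact only if a registered developer signed it; the sending host's address plays no part.
func (b *BuildServer) Submit(dev string, artifact, sig []byte) error {
	pub, ok := b.trusted[dev]
	if !ok || !ed25519.Verify(pub, artifact, sig) {
		return errors.New("rejected: unknown developer or bad signature: " + dev)
	}
	b.accepted[sha256.Sum256(artifact)] = true
	return nil
}

// ReleaseSign stands in for the locked-away release key: it signs only artifacts the build server vouched for.
func ReleaseSign(b *BuildServer, releaseKey ed25519.PrivateKey, artifact []byte) ([]byte, error) {
	if !b.accepted[sha256.Sum256(artifact)] {
		return nil, errors.New("no verified provenance; refusing to sign")
	}
	return ed25519.Sign(releaseKey, artifact), nil
}

// Demo runs the pipeline on constructed input: a registered developer's build is signed, an unregistered one refused.
func Demo() (legitSigned, rogueAccepted, rogueSigned bool) {
	devPub, devPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	_, roguePriv, _ := ed25519.GenerateKey(nil)
	_, releaseKey, _ := ed25519.GenerateKey(nil)
	bs := &BuildServer{trusted: map[string]ed25519.PublicKey{}, accepted: map[[32]byte]bool{}}
	bs.Register("alice", devPub)
	legit, rogue := []byte("constructed: genuine build"), []byte("constructed: injected binary")
	legitSigned = bs.Submit("alice", legit, ed25519.Sign(devPriv, legit)) == nil
	_, err := ReleaseSign(bs, releaseKey, legit)
	legitSigned = legitSigned && err == nil
	rogueAccepted = bs.Submit("mallory", rogue, ed25519.Sign(roguePriv, rogue)) == nil
	_, err = ReleaseSign(bs, releaseKey, rogue)
	rogueSigned = err == nil
	return
}
```

The same check catches a genuine developer key used on tampered bytes, since the signature is over the artifact itself rather than over the submitter's identity.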
  #5  
Old September 28th, 2012, 05:05 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Quote:
Are there not mechanisms in place to check *what* software is being signed? It seems to me that the Adobe signing server just blindly trusts anything that comes from its build server IP addresses. Such an amateur mistake by such a large company.
The server had been misconfigured - their typical build servers would not have done this.

They're reworking the system to ensure it doesn't happen again.
  #6  
Old September 29th, 2012, 11:51 PM
ComputerSaysNo
Very Frequent Poster
Join Date: Aug 2012
Posts: 1,086
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Rumours say this is how Flame was spread?
  #7  
Old September 30th, 2012, 12:07 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Doubt it. Flame was a govt project - don't think they'd go hacking Adobe.
  #8  
Old September 30th, 2012, 07:19 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,125
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Flame has little or nothing to do with this thread.
Quote:
Originally Posted by ComputerSaysNo
Rumours say this is how Flame was spread?
  #9  
Old October 3rd, 2012, 03:23 AM
ComputerSaysNo
Very Frequent Poster
Join Date: Aug 2012
Posts: 1,086
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

This is pretty bad, really bad if you ask me. If their source code got owned then yikes....

http://www.wired.com/threatlevel/201...l-cert-hacked/
  #10  
Old October 3rd, 2012, 04:31 AM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Quote:
Originally Posted by ComputerSaysNo
This is pretty bad, really bad if you ask me. If their source code got owned then yikes....

http://www.wired.com/threatlevel/201...l-cert-hacked/

I hope their source code did get owned and I hope the attackers release it so the FOSS community can fix their software for them.
  #11  
Old October 4th, 2012, 05:18 AM
kjempen
Frequent Poster
Join Date: May 2004
Posts: 379
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Antivirus vendors not covering this threat so well yet...

Check the following files in VirusTotal:

PwDump7.exe
MD5 hash: 130F7543D2360C40F8703D3898AFAC22
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

libeay32.dll
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

myGeeksmail.dll
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07
  #12  
Old October 4th, 2012, 07:39 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,125
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

From Microsoft MMPC.

http://blogs.technet.com/b/mmpc/arch...rtificate.aspx
  #13  
Old October 6th, 2012, 04:32 AM
ComputerSaysNo
Very Frequent Poster
Join Date: Aug 2012
Posts: 1,086
Re: Adobe to revoke crypto key abused to sign malware apps (corrected)

Quote:
Originally Posted by chronomatic
I hope their source code did get owned and I hope the attackers release it so the FOSS community can fix their software for them.

Yeah but having your keys stolen is actually worse than having your source code taken.

This is really really bad....