Microsoft has already announced it will be blocking files that use digital certificates signed with the SHA-1 algorithm from around June this year. Cybercriminals are adapting fast by making malware that uses multiple digital certificates to avoid being detected. Here's what you need to know.
SHA-1 has been deemed insecure because of a number of practical attacks against the algorithm. As such, the IT industry is gradually moving away from SHA-1 and onto SHA-2 transport layer security (TLS) certificates. Microsoft has already started blocking SHA-1 in some scenarios, so malware authors have to think fast to ensure their products can bypass these restrictions.
Security vendor Symantec has found that cybercriminals are creating malware signed with both SHA-1 and SHA-2 digital certificates. One example is Trojan.Carberp.B, which uses two stolen digital certificates to evade detection.
According to the Symantec research team:
Malware authors have realised the advantages in signing their malware with not just one, but two digital certificates. One benefit is that multiple digital signatures make files seem more legitimate. A second, and perhaps more crucial benefit, is that files signed with multiple digital certificates maintain their signed state even after one of the signatures has been revoked.
By using both SHA-1 and SHA-2, attackers can also ensure their malware targets a wider variety of operating systems. SHA-1 certificates are compatible with older operating systems while SHA-2 digital signatures are not.
To avoid falling victim to this new form of attack, as always, remember to exercise caution when dealing with suspicious emails. Also, check all certificates that are attached to a file to ensure they are legitimate.
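The point Symantec makes above, that a file stays "signed" after one of its signatures is revoked, only bites if a checker stops at the first signature. The script below is an added example, not code from the article or from Symantec: it walks an Authenticode PKCS#7 SignedData blob, follows Microsoft's nested-signature unsigned attribute (OID 1.3.6.1.4.1.311.2.4.1) to every secondary signer, and reports each signer's digest algorithm and serial so that revocation and SHA-1 checks cover all of them. The sample blob, the serial numbers, the placeholder signature bytes and the elided issuer name are constructed here so it runs offline; on a real PE the same blob sits in the security directory, and the minimal DER encoder exists only to build the sample.

```python
# Added example (not from the article or Symantec): list every signer in an Authenticode
# PKCS#7 SignedData blob, including secondary signatures nested under the Microsoft
# szOID_NESTED_SIGNATURE unsigned attribute, then flag revoked or SHA-1 signers.
# A tiny DER encoder builds a CONSTRUCTED sample so the script runs offline.

SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS#7 signedData
RSA = "1.2.840.113549.1.1.1"           # rsaEncryption
NESTED_SIG = "1.3.6.1.4.1.311.2.4.1"   # szOID_NESTED_SIGNATURE
SHA1 = "1.3.14.3.2.26"
SHA256 = "2.16.840.1.101.3.4.2.1"
DIGEST_NAMES = {SHA1: "sha1", SHA256: "sha256"}

# --- minimal DER encoder (only what the constructed sample needs) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def setof(*items):
    return tlv(0x31, b"".join(items))

def integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128 groups, high bit on all but the last
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))

def algorithm(o):                             # AlgorithmIdentifier with NULL parameters
    return seq(oid(o), tlv(0x05, b""))

def signer_info(digest_oid, serial, unsigned_attrs=b""):
    body = (integer(1) + seq(seq(), integer(serial))   # version, sid (issuer name elided)
            + algorithm(digest_oid) + algorithm(RSA)   # digestAlgorithm, signatureAlgorithm
            + tlv(0x04, b"\x00" * 8))                  # signature: placeholder bytes
    if unsigned_attrs:
        body += tlv(0xA1, unsigned_attrs)              # [1] IMPLICIT unsignedAttrs
    return tlv(0x30, body)

def content_info(signer):
    signed = seq(integer(1), setof(), seq(oid("1.2.840.113549.1.7.1")), setof(signer))
    return seq(oid(SIGNED_DATA), tlv(0xA0, signed))    # [0] EXPLICIT SignedData

# --- minimal DER decoder ---
def der_items(buf):
    """Yield (tag, body) for each definite-length TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def _signers(ci_body, depth):
    fields = list(der_items(ci_body))
    if decode_oid(fields[0][1]) != SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, signed_body = next(der_items(fields[1][1]))                  # unwrap [0] EXPLICIT
    signer_set = [b for t, b in der_items(signed_body) if t == 0x31][-1]  # signerInfos
    found = []
    for _, si in der_items(signer_set):
        parts = list(der_items(si))
        serial = int.from_bytes(list(der_items(parts[1][1]))[1][1], "big")
        digest = decode_oid(next(der_items(parts[2][1]))[1])
        found.append((depth, serial, DIGEST_NAMES.get(digest, digest)))
        for tag, attrs in parts:
            if tag != 0xA1:
                continue
            for _, attr in der_items(attrs):
                a_type, a_values = list(der_items(attr))
                if decode_oid(a_type[1]) == NESTED_SIG:         # recurse into secondary signature
                    for _, nested in der_items(a_values[1]):
                        found.extend(_signers(nested, depth + 1))
    return found

def enumerate_signers(blob):
    """Return [(depth, serial, digest)] for the primary signer and every nested signer."""
    _, body = next(der_items(blob))
    return _signers(body, 0)

def assess(blob, revoked_serials=frozenset()):
    """Flag every signer that is revoked or still uses SHA-1; clean only if nothing is flagged."""
    flags = []
    for depth, serial, digest in enumerate_signers(blob):
        if serial in revoked_serials:
            flags.append(f"depth {depth}: serial {serial:#x} is revoked")
        if digest == "sha1":
            flags.append(f"depth {depth}: serial {serial:#x} signed with sha1")
    return flags

# CONSTRUCTED sample: SHA-256 primary signature carrying a nested SHA-1 signature.
SAMPLE = content_info(signer_info(SHA256, 0x1001,
                      seq(oid(NESTED_SIG), setof(content_info(signer_info(SHA1, 0x1002))))))

if __name__ == "__main__":
    print(enumerate_signers(SAMPLE))
    print(assess(SAMPLE, revoked_serials={0x1002}))
```

The walker deliberately returns the full list rather than stopping at the first valid signer: a checker that only looks at the primary SHA-256 signature would pass this sample even though its nested signer is both revoked and SHA-1. The `revoked_serials` set stands in for whatever CRL or OCSP lookup a real pipeline performs.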
[Via Symantec Security Blog]