On Tuesday, researchers at Kaspersky Lab reported that a sample from the Destover family of malware – the same family used to attack Sony Pictures – was signed by a stolen Sony certificate. As it turns out, the sample was part of a joke between researchers.
Kaspersky said they discovered the signed Destover sample a few days ago.
It matches a previously known variant of the malware, but the latest version includes a digital signature. The signature was added on December 5, and comes from a stolen, but valid, Sony Pictures certificate.
From Kaspersky's report:
"The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We've seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies."
As mentioned by Kaspersky, the sample was signed around the time the group claiming responsibility for the Sony Pictures breach leaked more than 11,000 files related to IT operations. Within the batch of leaked files are hundreds of RSA SecurID tokens, Lotus Notes IDs, and certificates – many of them with the required passphrase stored alongside.
On Tuesday evening, Colin Keigher, a security researcher based in Vancouver, BC, took to Twitter and added some additional details to this story.
According to his version of events, a security researcher found the certificate in the leaked documents and discovered that its password was the filename.
For a bit of irony, the certificate was used to sign a variant of Destover. The newly signed sample was then uploaded to Virus Total, where Kaspersky later discovered it. At the time the joke was planned, no one thought that the sample's discovery would turn into a news event, or get any attention at all.
[Update: The sample signed by the researcher was obtained from Malwr. Virus Total was used, as it was thought to be the quickest way for the certificate to be noticed outside of the CA.]
After the certificate was used for the joke, the researcher reported the certificate to Comodo and DigiCert (the CAs). The cert was revoked on December 7.
Chat transcripts and conversations with those familiar with the incident support Keigher's claims.
Salted Hash was able to locate the exact certificate (spe_csc.pfx) among the leaked IT files, and the password used to verify it was indeed the certificate's name (spe_csc). The certificate was one of hundreds leaked last week, buried alongside other PFX files in the USERS folder.
Kaspersky's "discovery" fueled a number of articles in the news, and led to a wave of statements and opinions from vendors looking to be part of the news cycle.
Almost all of them focused on the fact that criminals use stolen certificates as a means to propagate malware during an attack, but none of them focused on the larger story:
Sony still hasn't revoked the compromised certificates.
It's been more than two weeks now since Sony's security nightmare was made public knowledge. Certificate revocation should have been one of the first things to happen, especially on certificates related to projects and business critical applications.
Yet, the certificate used to sign the variant of Destover was part of an employee's project requirements. If that certificate was valid a week after the breach became known, it's a safe bet the others were too.
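The two points above (Kaspersky's note that trusted certificates defeat whitelisting and default-deny, and the fact that revocation is the control that actually fixes a leaked certificate) can be shown with a small, constructed experiment. The script below is an added example, not from the article or from any vendor: it builds a throwaway CA and code-signing certificate with OpenSSL, then compares an allowlist rule that only validates the chain against one that also consults the CA's CRL, before and after the CA revokes the certificate. All names, files and the CA itself are constructed here; nothing is taken from the leaked Sony material.

```shell
#!/bin/sh
# Added example, not from the article. A 'trusted publisher' rule that only
# validates the chain keeps trusting a leaked certificate indefinitely; the same
# rule with a CRL lookup rejects it as soon as the CA revokes it. Everything
# below (CA, leaf cert, names) is constructed on the fly in a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA (self-signed, CA:TRUE) standing in for a commercial CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example CA (constructed)' \
  -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 -extfile ca.ext \
  -out ca.crt 2>/dev/null

# Constructed code-signing leaf: the kind of certificate a leaked .pfx holds.
printf 'extendedKeyUsage=codeSigning\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Signer (constructed)' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Minimal 'openssl ca' database so the CA can revoke certs and publish a CRL.
printf '[ca]\ndefault_ca=x\n[x]\ndatabase=./index.txt\ncrlnumber=./crlnumber\n' > ca.cnf
printf 'default_md=sha256\ndefault_crl_days=30\n' >> ca.cnf
: > index.txt
echo 01 > crlnumber

publish_crl() {  # issue a CRL covering whatever the database currently lists
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out ca.crl 2>/dev/null
}
revoke_leaf() {  # what the CAs did on Dec 7: revoke the cert, publish a new CRL
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke leaf.crt 2>/dev/null
  publish_crl
}
# Weak allowlist rule: chain validation only. Exit 0 = publisher trusted.
chain_only_ok() { openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; }
# Hardened rule: chain validation plus a CRL check of the end-entity cert.
with_crl_ok() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1
}

publish_crl
chain_only_ok && with_crl_ok && echo "before revocation: both rules trust the cert"
revoke_leaf
chain_only_ok && echo "after revocation: chain-only rule still trusts it"
with_crl_ok || echo "after revocation: CRL-aware rule rejects it"
```

The same split applies to real-world checks: an allowlist keyed on "signed by a valid chain" behaves like `chain_only_ok`, while a verifier that fetches the CRL or OCSP response behaves like `with_crl_ok`, and only the latter benefits when a CA revokes a stolen certificate.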