A group of researchers at Carnegie Mellon University, in collaboration with Facebook, analyzed more than 3 million SSL connections and found strong evidence that at least 0.2% (6,845) of them were made using forged SSL certificates: certificates not issued by a legitimate Certification Authority that nevertheless presented themselves as the site's own. A browser accepts such a certificate without complaint only if the root that signed it has been installed in the client's trust store (which interception software and some malware do), or if the user clicks through the certificate warning.
The researchers used the Flash Player plugin's raw socket support to run a partial SSL handshake from within Facebook's website and capture the certificate chain each client actually received; only the server's Certificate message is needed, so the handshake never has to complete. Modern browsers display a warning when certificate validation fails, but still allow the user to continue, so the connection goes ahead on a certificate that should have been rejected.
An attacker presenting a forged certificate can count on the resulting error being blamed on a poorly configured server. Usability studies show that many users click through SSL certificate warnings, which leaves them open to even the simplest attacks: anyone who can intercept traffic can impersonate any website, HTTPS included, mount a man-in-the-middle attack, and read the data the user believes is encrypted end to end.
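The capture technique described above boils down to reading the server's Certificate handshake message and comparing the leaf certificate with the one the site knows it served. The following Python is an added example, not code from the paper or from The Hacker News; it parses TLS records and handshake messages far enough to pull out the DER chain, then flags a mismatch against an expected SHA-256 fingerprint. The handshake bytes and the "DER" certificates are constructed placeholders, not real certificates, and the record layer is assumed to be unencrypted (true for the Certificate message in TLS 1.2 and earlier, which is what the 2014 study saw).

```python
"""Extract the certificate chain from a captured TLS handshake flight and
compare the leaf against the fingerprint the site expects.

Added example, not code from the study or the article. The handshake bytes
and certificate blobs below are constructed placeholders.
"""
import hashlib
import struct

TLS_HANDSHAKE = 0x16   # record content type
HS_CERTIFICATE = 0x0B  # handshake message type


def parse_tls_records(data: bytes):
    """Split a byte stream into (content_type, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[off:off + 5])
        off += 5
        if off + length > len(data):
            raise ValueError("truncated TLS record")
        records.append((ctype, data[off:off + length]))
        off += length
    return records


def parse_handshake_messages(payload: bytes):
    """Split a handshake record payload into (type, body) messages."""
    msgs, off = [], 0
    while off + 4 <= len(payload):
        htype = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated handshake message")
        msgs.append((htype, payload[off:off + length]))
        off += length
    return msgs


def extract_certificate_chain(stream: bytes):
    """Return the DER certificates from the first Certificate message seen."""
    for ctype, payload in parse_tls_records(stream):
        if ctype != TLS_HANDSHAKE:
            continue
        for htype, body in parse_handshake_messages(payload):
            if htype != HS_CERTIFICATE:
                continue
            total = int.from_bytes(body[0:3], "big")
            off, end, chain = 3, 3 + total, []
            while off + 3 <= end:
                clen = int.from_bytes(body[off:off + 3], "big")
                off += 3
                chain.append(body[off:off + clen])
                off += clen
            return chain
    return []


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def is_forged(stream: bytes, expected_leaf_fingerprint: str) -> bool:
    """True when the leaf the client saw is not the one the site serves."""
    chain = extract_certificate_chain(stream)
    if not chain:
        return True  # no certificate at all: treat as tampered
    return fingerprint(chain[0]) != expected_leaf_fingerprint


# Constructed test data: placeholders standing in for DER certificates.
GENUINE_LEAF = b"constructed-der-genuine-leaf-certificate"
GENUINE_ROOT = b"constructed-der-genuine-root-certificate"
FORGED_LEAF = b"constructed-der-leaf-resigned-by-interceptor"
FORGED_ROOT = b"constructed-der-locally-installed-root"
EXPECTED_LEAF = fingerprint(GENUINE_LEAF)


def build_server_flight(chain):
    """Construct a ServerHello record followed by a Certificate record."""
    hello = bytes([0x02]) + (32).to_bytes(3, "big") + b"\x03\x03" + b"\x00" * 30
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    body = len(certs).to_bytes(3, "big") + certs
    cert_msg = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return (struct.pack("!BBBH", TLS_HANDSHAKE, 3, 3, len(hello)) + hello
            + struct.pack("!BBBH", TLS_HANDSHAKE, 3, 3, len(cert_msg)) + cert_msg)


def demo():
    genuine = build_server_flight([GENUINE_LEAF, GENUINE_ROOT])
    forged = build_server_flight([FORGED_LEAF, FORGED_ROOT])
    return is_forged(genuine, EXPECTED_LEAF), is_forged(forged, EXPECTED_LEAF)
```

In the study the comparison happened on the server side: the Flash client reported the chain it had captured and the site compared it with what it had actually served, so the expected fingerprint never had to be trusted to the client. A client that already has an interceptor's root installed cannot tell the difference by itself; only the server knows what it sent.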
Fake Digital Certificates signed with stolen keys from antivirus
Researchers noticed that many of the forged SSL certificates copied the name of a legitimate issuer, such as VeriSign or Comodo, into their issuer field, so a casual look at the certificate details would not reveal the substitution.
Some antivirus products, including BitDefender, ESET, BullGuard, Kaspersky Lab, NordNet and DefenderPro, intercept and scan SSL connections on the client's system in order to inspect encrypted traffic for threats. To do this they install their own root certificate in the client's trust store and re-sign each website's certificate with it, so the browser sees a certificate issued by the antivirus rather than the site's genuine one and raises no warning.
“One should be wary of professional attackers that might be capable of stealing the private key of the signing certificates from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client),” the researchers explained. “Hypothetically, governments could also compel antivirus vendors to hand over their signing keys.”
The same SSL interception was observed in various firewall and parental control products. Their signing keys are an equally attractive target: anyone who obtains one can mint certificates that every client running that product will accept as valid.
Digital Certificates generated by malware
Researchers also found a self-signed certificate named “IopFailZeroAccessCreate” that was generated by malware on infected client systems and whose issuer field copied the name of the trusted issuer “VeriSign Class 4 Public Primary CA”.
“These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study.” they said.
The collected data showed that clients infected with the malware serving the “IopFailZeroAccessCreate” certificates were spread across 45 countries, including Mexico, Argentina and the United States. Malware researchers at Facebook, together with the Microsoft Security Essentials team, confirmed this and identified the malware family responsible.
Detection evasion and mitigation techniques
An attacker who knows about the detection method could evade it by blocking Flash socket policy traffic on port 843, or simply by not intercepting SSL connections opened by Flash Player. To counter the first, websites can serve socket policy files over firewall-friendly ports (80 and 443) by multiplexing ordinary web traffic and socket policy requests on the same port.
The paper also discusses mitigation techniques such as HTTP Strict Transport Security (HSTS), the Public Key Pinning Extension for HTTP (HPKP), TLS Origin-Bound Certificates (TLS-OBC), certificate validation with notaries, and DNS-based Authentication of Named Entities (DANE), which servers can use to force HTTPS and to let clients check a certificate against something other than the local trust store alone.
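The two HTTP-header mechanisms above, HSTS and HPKP, are enforced on the client. The following Python is an added example (not code from the paper or the article) of a browser-style policy store: it parses both headers, applies the RFC 7469 rules for accepting a pin set (at least two pins, one of them a backup not in the current chain, and the current chain must match), and then rejects a chain re-signed by an interception root because none of its public keys matches a stored pin. The host name, SPKI blobs and header values are constructed placeholders.

```python
"""Client-side enforcement of HSTS (RFC 6797) and HPKP (RFC 7469).

Added example, not code from the paper or the article. Host names, SPKI
blobs and header values are constructed placeholders.
"""
import base64
import hashlib


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_directives(header: str):
    """Split 'max-age=300; includeSubDomains; pin-sha256="..."' into
    (name, value) pairs with names lower-cased and quotes stripped."""
    out = []
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        out.append((name.strip().lower(), value.strip().strip('"')))
    return out


class PolicyStore:
    """Remembers HSTS and HPKP policies per host, the way a browser would."""

    def __init__(self):
        self.hsts = {}  # host -> max-age in seconds
        self.pins = {}  # host -> set of pin-sha256 values

    def note_hsts(self, host: str, header: str) -> None:
        for name, value in parse_directives(header):
            if name == "max-age":
                self.hsts[host] = int(value)

    def note_pins(self, host: str, header: str, chain_spkis) -> bool:
        """Store a Public-Key-Pins policy only if it is well formed: positive
        max-age, at least two pins, one matching the chain that delivered the
        header, and one backup pin that does not. Returns True when stored."""
        directives = parse_directives(header)
        pins = {v for n, v in directives if n == "pin-sha256"}
        max_age = next((int(v) for n, v in directives if n == "max-age"), 0)
        chain_pins = {pin_sha256(s) for s in chain_spkis}
        if max_age <= 0 or len(pins) < 2 or not (pins & chain_pins) or not (pins - chain_pins):
            return False
        self.pins[host] = pins
        return True

    def must_use_https(self, host: str) -> bool:
        return host in self.hsts

    def chain_allowed(self, host: str, chain_spkis) -> bool:
        """HPKP check: some key in the presented chain must match a stored pin.
        Hosts with no stored policy fall back to ordinary validation."""
        if host not in self.pins:
            return True
        return any(pin_sha256(s) in self.pins[host] for s in chain_spkis)


# Constructed scenario: the site's genuine chain versus the same site as seen
# through an interception root installed on the client (the antivirus case).
GENUINE_LEAF_SPKI = b"constructed-spki-genuine-leaf"
GENUINE_CA_SPKI = b"constructed-spki-genuine-intermediate"
BACKUP_SPKI = b"constructed-spki-offline-backup-key"
INTERCEPT_LEAF_SPKI = b"constructed-spki-antivirus-issued-leaf"
INTERCEPT_ROOT_SPKI = b"constructed-spki-antivirus-root"

PINS_HEADER = (
    f'pin-sha256="{pin_sha256(GENUINE_CA_SPKI)}"; '
    f'pin-sha256="{pin_sha256(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains'
)


def demo():
    store = PolicyStore()
    host = "www.example.test"  # assumed host name
    store.note_hsts(host, "max-age=31536000; includeSubDomains")
    noted = store.note_pins(host, PINS_HEADER, [GENUINE_LEAF_SPKI, GENUINE_CA_SPKI])
    genuine_ok = store.chain_allowed(host, [GENUINE_LEAF_SPKI, GENUINE_CA_SPKI])
    intercept_ok = store.chain_allowed(host, [INTERCEPT_LEAF_SPKI, INTERCEPT_ROOT_SPKI])
    return noted, store.must_use_https(host), genuine_ok, intercept_ok
```

Two caveats a practitioner should keep in mind. Both mechanisms are trust-on-first-use: the policy is only as good as the first connection over which the header was received, which is exactly why the backup-pin rule exists. And the browsers that shipped HPKP exempted chains ending in a locally installed root, so that antivirus interception and enterprise proxies would keep working; HPKP has since been removed from mainstream browsers, though the same matching logic is what application-level pinning in mobile and desktop clients still does.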
How to remove malware
If you are infected with similar malware, follow these steps:
- Check the hosts file and make sure it doesn't contain malicious entries;
- Check the DNS settings on your system and on the router/modem;
- Check the browser proxy settings;
- Check the add-ons and plugins installed in your browser;
- Install reputable antivirus and firewall software and scan the system for malicious files.
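The first step in that checklist is easy to automate. The following Python is an added example (not from the article): it parses a hosts file, skips the stock loopback names, and reports entries that redirect a watched domain elsewhere, sinkhole a name to loopback or 0.0.0.0, point any name at a public address, or are malformed. The watched-domain list and the sample hosts file are constructed for illustration.

```python
"""Audit a hosts file for redirected, sinkholed or malformed entries.

Added example, not code from the article. The watched-domain list and the
sample hosts file are constructed for illustration.
"""
import ipaddress

# Assumed: domains whose redirection the user would care about (constructed).
WATCHED_DOMAINS = {"www.facebook.com", "facebook.com", "login.live.com"}

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping; comments are
    dropped, and a line whose first field is not an IP is yielded with
    address None so the caller can report it."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, " ".join(fields)
            continue
        for name in fields[1:]:
            yield line_no, addr, name.lower()


def audit_hosts(text: str, watched=WATCHED_DOMAINS):
    """Return a list of (line_no, verdict, hostname) findings."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr is None:
            findings.append((line_no, "malformed", name))
        elif name in DEFAULT_NAMES:
            continue
        elif addr.is_loopback or addr.is_unspecified:
            # Sinkholed: common for update servers, but also used by ad blockers.
            findings.append((line_no, "blocked", name))
        elif name in watched:
            findings.append((line_no, "redirected", name))
        elif addr.is_global:
            findings.append((line_no, "public-ip", name))
    return findings


# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# constructed sample for the audit
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.facebook.com facebook.com   # watched sites sent elsewhere
0.0.0.0         update.av-vendor.example        # vendor update server sinkholed
192.168.1.10    printer.lan                     # harmless LAN entry
not-an-address  whatever
"""
```

Running `audit_hosts(SAMPLE_HOSTS)` reports the two redirected Facebook names, the sinkholed update host and the malformed last line, and stays silent on the private LAN mapping. A hosts file is only one of the redirection points on the list; DNS settings and browser proxies deserve the same scrutiny, since a forged certificate is useless to an attacker who cannot first get the traffic routed to them.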
Source: The Hacker News