Malware signed with fake Avira Certificate

While analyzing new malware samples we stumbled over a sample that carries a digital signature in the name of Avira. Something we needed to check! When viewing the properties of the digital signature, Microsoft Windows shows the note "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider". Don't misunderstand that message: it means the certificate was not issued by a certificate authority that Windows trusts. In other words, the malware authors created a certificate in the name of Avira GmbH themselves; this is not a stolen Avira certificate. The distinction matters. Stuxnet gained a lot of media attention because it carried a valid digital signature from "Realtek Semiconductor" that was obviously stolen by the malware authors, so the chain ended in a trusted root and Windows showed the files as signed by a legitimate publisher.

The certificate used in this malware sample is issued to Avira GmbH and is valid from 2011-02-10 till 2039-12-31, a validity period of almost 29 years. That alone is a warning sign: no public certificate authority issues a code-signing certificate for anything close to that long, so the dates are a quick way to spot a self-made certificate even before checking the chain.

There is some more information available in the digital certificate's details.
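The condition Windows reports above can be reproduced with OpenSSL. The script below is an added example and not code from the Avira post: it builds a hypothetical trusted CA, one "Avira GmbH" certificate genuinely issued by that CA and one self-signed "Avira GmbH" certificate with a far-off expiry, signs a constructed sample file with each as a detached CMS/PKCS#7 signature (the container Authenticode also embeds), and then classifies each signature the way the Windows dialog does: trusted, cryptographically valid but terminating in an untrusted root, or invalid. The CA name, the keys, the sample file and the "more than five years of validity" heuristic are all my own constructions; the script assumes OpenSSL 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example, not part of the Avira post: reproduce "chain terminated in an
# untrusted root" with OpenSSL. CA, both "Avira GmbH" certificates, keys and the
# signed sample are constructed here purely for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A trust anchor standing in for a CA the verifier trusts (hypothetical name).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Trusted Root CA" \
  -keyout ca.key -out ca.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
  -extfile ca.ext -out ca.pem >/dev/null 2>&1

# A certificate for "Avira GmbH" genuinely issued by that CA, valid one year.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Avira GmbH/CN=Avira GmbH" \
  -keyout legit.key -out legit.csr >/dev/null 2>&1
openssl x509 -req -in legit.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -sha256 -days 365 -out legit.pem >/dev/null 2>&1

# A self-signed certificate with the same subject and a far-off expiry: what the
# sample carried. Anyone can mint this; only the chain check tells it apart.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10000 \
  -subj "/O=Avira GmbH/CN=Avira GmbH" -keyout fake.key -out fake.pem >/dev/null 2>&1

# Constructed stand-in for the executable being signed, plus a modified copy.
printf 'MZ constructed stand-in for a PE image\n' > sample.bin
cp sample.bin tampered.bin; printf 'patched' >> tampered.bin

# Detached CMS/PKCS#7 signature over sample.bin.  Args: cert key output
sign_file() {
  openssl cms -sign -binary -in sample.bin -signer "$1" -inkey "$2" \
    -outform DER -out "$3" 2>/dev/null
}

# Exit 0 if the signature verifies AND the signer chains to our trust anchor.
chain_ok() {  # sig content
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -CAfile ca.pem -out /dev/null 2>/dev/null
}

# Exit 0 if the signature is cryptographically valid with chain checking disabled.
sig_only_ok() {  # sig content
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -noverify -out /dev/null 2>/dev/null
}

# One-word verdict: TRUSTED, UNTRUSTED_ROOT (the Windows message in the post), or INVALID.
verdict() {  # sig content
  if chain_ok "$1" "$2"; then echo TRUSTED
  elif sig_only_ok "$1" "$2"; then echo UNTRUSTED_ROOT
  else echo INVALID
  fi
}

# Exit 0 if the signer's certificate stays valid for more than five years from now:
# a cheap heuristic (my own, not Avira's) for the 2039 expiry seen on the sample.
long_validity() {  # sig content
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -noverify -signer signer.pem -out /dev/null 2>/dev/null
  openssl x509 -in signer.pem -noout -checkend 157680000 >/dev/null
}

sign_file legit.pem legit.key legit.p7s
sign_file fake.pem  fake.key  fake.p7s

echo "CA-issued cert, untouched file : $(verdict legit.p7s sample.bin)"
echo "self-signed 'Avira', untouched : $(verdict fake.p7s sample.bin)"
echo "CA-issued cert, modified file  : $(verdict legit.p7s tampered.bin)"
if long_validity fake.p7s sample.bin; then
  echo "self-signed cert stays valid for more than five years"
fi
```

The self-signed signature is a perfectly good signature over the file; what fails is only the chain to a trusted root, which is exactly the state Windows describes. On a real Windows sample the equivalent checks are `signtool verify /pa /v file.exe` or PowerShell's Get-AuthenticodeSignature, and the lesson is the same: a signature that verifies cryptographically says nothing until the chain reaches a root you trust and the subject is the publisher you expect.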

The malware itself is nothing new. It is a member of the well-known Zbot/ZeuS malware family, which is spammed via email, and the Trojan shows no new behavior from the Zbot/ZeuS authors. Upon execution it creates a copy of itself and deletes the originally executed file; it also adds a Run key to the Windows registry so that it is started again after a reboot. After this the Trojan tries to connect to the C&C server "**ciq.net" to receive information about which targets to spy upon and where to send the stolen data.

Avira already protects its customers: starting with VDF version 7.11.03.117, this piece of malware is detected as TR/Kazy.12258.

Thomas Wegele
Virus Researcher