Stolen government of Malaysia certificate used to sign malicious fake Adobe software update

Security researcher Mikko Hypponen reports finding a piece of malware, disguised as an Adobe software update, that was cryptographically signed with a certificate issued to a Government of Malaysia body, the Malaysian Agricultural Research and Development Institute, whose signing certificate was "stolen quite some time ago."

There are several hundred parties that are trusted by OSes, browsers and software to issue certificates, from Verisign to many national governments. A computer receiving a software update signed with a stolen or forged certificate cannot tell that anything is wrong with it, because the signature still chains to a trusted root, but installing such an update can result in a thoroughly compromised computer.

I've been hearing persistent reports of this from security researcher friends, including reports of signed malware that can take over mobile phones and computers, compromising them so that their cameras and mics can be operated covertly, their keystrokes logged, their files plundered, etc. And the worst thing is, if you don't install updates, you can end up with security vulnerabilities that leave your computer liable to takeover by malware that does just the same thing.

Malware Signed With a Governmental Signing Key (via Schneier)
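As an added illustration of the point above (not from the original post or from any of the parties it names), the script below builds a constructed, throwaway CA and signing certificate with openssl, signs a fake update, and shows that chain validation passes even though the signer is not the vendor the update claims to come from. The only defence is an extra check the updater itself must make: pin the expected publisher identity rather than trust any valid chain. All names, paths and the "Adobe Systems Incorporated" expectation are constructed placeholders.

```shell
#!/bin/sh
# Added example: a valid certificate chain is not proof of the right publisher.
set -e
W=$(mktemp -d)
cd "$W"

# Constructed root CA, standing in for one of the hundreds of trusted roots.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
  -subj "/CN=Example Trusted Root CA" 2>/dev/null

# Constructed leaf certificate, standing in for a stolen organisational signing cert.
openssl req -newkey rsa:2048 -nodes -keyout signer.key -out signer.csr \
  -subj "/O=Example Research Institute/CN=Example Research Institute" 2>/dev/null
openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out signer.crt -days 1 2>/dev/null
openssl x509 -in signer.crt -pubkey -noout > signer.pub

# Constructed "update" payload, signed with the leaf key.
printf 'fake update payload\n' > update.bin
openssl dgst -sha256 -sign signer.key -out update.sig update.bin

# chain_ok: what a naive updater checks. Signer chains to a trusted root and
# the signature over the payload verifies. Both succeed for the stolen cert.
chain_ok() {
  openssl verify -CAfile ca.crt signer.crt >/dev/null 2>&1 &&
  openssl dgst -sha256 -verify signer.pub -signature update.sig update.bin \
    >/dev/null 2>&1
}

# publisher_ok EXPECTED_O: the extra check. The signer's Organization (O)
# must equal the publisher the updater expects, regardless of chain validity.
publisher_ok() {
  openssl x509 -in signer.crt -noout -subject -nameopt RFC2253 |
    sed 's/^subject=//' | tr ',' '\n' | grep -qx "O=$1"
}

# A pinned-publisher updater accepts only when both checks pass.
update_ok() {
  chain_ok && publisher_ok "$1"
}

if update_ok "Adobe Systems Incorporated"; then
  echo "ACCEPTED (this is the failure mode the post describes)"
else
  echo "REJECTED: chain is valid but signer is not the expected publisher"
fi
```

Without the publisher pin, the script's `chain_ok` alone would accept the update; with it, the same signed file is rejected.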


  1. It is not surprising to see this related to a fake Adobe update. Adobe and Skype have recently been the favorite targets of phishers.

  2. I would say that the vast majority of users get those messages asking about certificates and, “Do you trust this certificate?” etc. and just click through in a, “yea yea whatever sure” mentality – just like they do with EULAs.

    1. Well, the reason for that is that they have absolutely no way to verify that the certificate can be trusted. Many times I’ve had this issue on our corporate network only to be told “yea yea we forgot to pay the bill, don’t worry about that”. If the default action is to say no, what are the ramifications of that?

      1. I’ve run into that waaay too many times, and it trains users to not have any suspicion at all. It’s pretty infuriating.

  3. Of course I read this 20 minutes after my daughter dutifully checked with me before downloading the Adobe update that popped up on her screen.

  4. does this indict a member of the government of malaysia or adobe ?
    or is it yet another case of 24 hr sensationalism?

    i love my photoshop 5 and illustrator 7, which still work very well in vista and acrobat’s free pdf’s and quicktime but they piss me off when they jump into my msconfig and add start up crap with every update.

    still, i find them galaxies away from hp and apple in proprietary incursions and so i question their involvement in this, if it is, fascist crappola.

    boing boing needs to support OCCUPY by publishing the whole truth or state it as such.

    p.t. barnum needs to be continually spinning in his grave.

    my opinion, not boing boing’s.

  5. Check this out: revocation lists (the method of getting rid of compromised certificates) are generally OS wide, except for a couple of vendors. I’m looking at YOU, Adobe! Yes, not only do you need an OS update to revoke compromised certs, you need application specific updates as well.

  6. adobe is a company… Not a piece of software… Anyone have information as to what product(s) this affects?
    My money says it’s Reader. Adobe’s Reader is one of the worst pieces of bug ridden, malware inserting, bloatware on the market. I would not install it on one of my machines.
    However, due to handing out Adobe Acrobat Pro to any government or school stupid enough to use it, using Adobe Acrobat/Reader products has become pretty much a requirement in many businesses. Even if your business doesn’t play the Adobe game, your clients will inevitably send you a PDF that can only be read by an Adobe product due to Adobe adding unneeded functionality to Acrobat for that very purpose.
    One more thought. Why are governments considered trusted signing authorities? They have political agendas that directly conflict with the basic idea of a trusted signer. That’s the same as thinking your government has your best interests at heart.
