Ambitious malware variant signed with fake digital signature

New Zeus variants and spam campaigns that try to spread them far and wide are almost a daily occurrence, but once in a while some get more attention by security researchers than others.

This latest one has been singled out by Avira’s researcher simply because the malware variant has been signed with a digital certificate issued to the company – or so it may seem at first glance.

Upon closer inspection, one can notice that something is wrong:

“Microsoft Windows shows a note ‘A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider’,” points out the researcher. “Don’t misunderstand that message – it means that this certificate is not created by Avira GmbH and therefore it’s not a stolen certificate.”

This is not the first time that a Zeus variant has been discovered hiding behind a seemingly legitimate digital certificate – last time, Zeus peddlers used the digital signature for a Kaspersky tool designed to clean computers from precisely that Trojan family.