March 15, 2012, 8:55 PM — Security firm Kaspersky Lab Thursday said it's identified a malicious program that appears to make use of a compromised Symantec VeriSign digital certificate issued to Conpavi AG, which is known to work with Swiss government agencies. Kaspersky says it has asked Symantec VeriSign to revoke the compromised certificates.
Kaspersky says the malicious program contains what's being called Trojan-Dropper.Win32.Mediyes. A dropper is a type of malware commonly used by attackers to seed a targeted computer so that other malware can easily be dropped onto it later for a wide variety of purposes.
Kaspersky Lab researcher Vyacheslav Zakorzhevsky wrote Thursday in a blog post that the malicious DLL Trojan.Win32.Mediyes was detected on the computers of about 5,000 users, mainly in Western Europe, including Germany, Switzerland, Sweden, France and Italy.
The Mediyes malware was seen between December 2011 and March 7, 2012, and in every case it was signed with a certificate issued to the Swiss company Conpavi, according to the Kaspersky Lab researcher.
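A valid code signature only proves that whoever held the private key signed the file; it says nothing about whether that key was supposed to be used for it, which is why a certificate issued to an unrelated company showing up on a DLL is itself a signal. The script below is an added example written for this article, not code from Kaspersky or the blog post it cites: it walks a directory, reads each file's Authenticode signature with Get-AuthenticodeSignature, flags files whose signer subject contains a name you supply (the default, "Conpavi", is taken from the article), and builds the certificate chain with online revocation checking so a certificate the CA has since revoked is reported as such. The directory, extensions and subject substring are parameters chosen for illustration.

```powershell
# Added example, not the article's or Kaspersky's code. Triage Authenticode
# signers under a directory and flag a named subject and/or revoked certificates.
param(
    [string]$Root = "C:\Windows\System32",          # assumed starting directory
    [string]$SuspectSubject = "Conpavi",             # substring of the signer's subject DN
    [string[]]$Extensions = @("*.exe", "*.dll", "*.sys")
)

function Get-SignerStatus {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($sig.Status -eq 'NotSigned' -or -not $cert) {
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Subject = $null; Issuer = $null
            Timestamped = $false; Revoked = $false; Suspect = $false
        }
    }

    # Build the chain ourselves with online CRL/OCSP lookups so the reason for
    # any failure (e.g. Revoked) is visible, rather than only a NotTrusted status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)

    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $revoked = [bool]($chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 })
    $chain.Reset()

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                       # Valid, NotTrusted, HashMismatch, ...
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Timestamped = [bool]$sig.TimeStamperCertificate  # countersigned by a TSA
        Revoked     = $revoked
        Suspect     = $cert.Subject -like "*$SuspectSubject*"
    }
}

# Report only files that match the suspect subject or chain to a revoked certificate.
Get-ChildItem -Path $Root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerStatus -Path $_.FullName } |
    Where-Object { $_.Suspect -or $_.Revoked } |
    Format-Table Path, Subject, Status, Timestamped, Revoked -AutoSize
```

Two caveats when reading the output. A signature countersigned by a timestamping authority can still verify as Valid after the certificate is revoked if the signing time predates the revocation date, so after a key compromise the CA normally backdates the revocation to the compromise date; compare the signing time with the revocation date rather than trusting the Status field alone. And the subject match is a plain substring on the DN, so treat a hit as a triage lead to hash and submit, not as a verdict.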
One main purpose of Trojan.Win32.Mediyes is to intercept web browser requests sent to the Google, Yahoo! and Bing search engines; the search queries are "used by the criminals to earn money as part of the Search 123 partner program that works on a pay-per-click basis," writes Zakorzhevsky. The attackers appear to be working with a server in Germany.
"The malware is clearly aimed at users in Europe," Zakorzhevsky writes. "This is backed up by other evidence - the certificate from a Swiss company, the server in Germany, and only the requests made on major international search engines being intercepted."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.