September 27, 2012, 8:33 PM — Adobe plans to revoke a code-signing certificate after hackers compromised one of the company's internal servers and used it to digitally sign two malicious utilities.
"We received the malicious utilities in the late evening of Sept. 12 from a single, isolated (unnamed) source," Wiebke Lips, senior manager of corporate communications at Adobe, said Thursday via email. "As soon as the validity of the signatures was confirmed, we immediately initiated steps to deactivate and revoke the certificate used to generate the signatures."
One of the malicious utilities was a digitally signed copy of Pwdump7 version 7.1, a publicly available Windows account password extraction tool that also included a signed copy of the libeay32.dll OpenSSL library.
The second utility was an ISAPI filter called myGeeksmail.dll. ISAPI filters can be installed in IIS or Apache for Windows Web servers in order to intercept and modify HTTP streams.
The two rogue tools could be used on a machine after it was compromised and would likely pass a scan by security software since their digital signatures would appear legitimate coming from Adobe.
"Some antivirus solutions don't scan files signed with valid digital certificates coming from trustworthy software makers such as Microsoft or Adobe," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender. "This would give the attackers a huge advantage: Even if these files were heuristically detected by the locally installed AV, they would be skipped by default from scanning, which dramatically enhances the attackers' chance of exploiting the system."
Adobe believes "the vast majority of users are not at risk" because tools like the ones that were signed are normally used during "highly targeted attacks," not widespread ones, he wrote.
However, Botezatu couldn't say if any of these files were actively detected on computers protected by the company's products. "It's too early to tell, and we don't have sufficient data yet," he said.
"At the moment, we have flagged all the received samples as malicious and we continue monitoring their geographical distribution," Botezatu said.
Adobe traced back the compromise to an internal "build server" that had access to its code-signing infrastructure. "Our investigation is still ongoing, but at this time, it appears that the impacted build server was first compromised in late July," Lips said.
"To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server," Arkin said. "We also have forensic evidence linking the build server to the signing of the malicious utilities."