Suspected malware performs man-in-the-middle attack on secure connections
By Yngve Nysæter Pettersen. Wednesday, May 16, 2012 5:43:42 PM
This is not a browser or SSL issue as such, since the correct certificate warning is given. It looks more like a combination of installing malware or a trojan and social engineering.
Investigating, we found that one of the frequently reported certificates was a self-signed certificate purporting to be from "Thawte", one of the major CA trademarks owned by Symantec, but which was never issued by them.
There are a few legitimate cases where an unknown issuing certificate can be observed, mostly for internet-security software installed locally on the machine, but such certificates always identify the responsible product. That was not the case this time.
The use of the name "Thawte" in the certificate clearly indicates that whoever was responsible did not want to be identified and wanted to rely on a well-known trademark to trick the user into accepting the certificate, which is a clear indication of malicious intentions.
Many factors, such as the number of affected sites, the geographic diversity, and the fact that other computers on the same network did not see the same issue, quickly indicated that the problem was local on the user's machine, probably due to some undetected malware.
Thanks to the detective work of one forum poster, Sam Van den Vonder, and his friend who encountered this problem, a possible sample of the malware was obtained, and forwarded to Symantec and Microsoft for analysis.
Symantec has tentatively determined that the malware is a Trojan.Tatanarg variant, which they have named Trojan.Tatanarg.B. [Update June 3rd, 2012: Symantec have posted another article about this malware]
This trojan family has been used to steal banking information by performing man-in-the-middle (MITM) attacks on the user's secure connections, by presenting a fake certificate, which the user has to accept in order to be attacked through this method.
The MITM attack is staged by hooking into the computer's network drivers, in order to intercept all HTTPS connections to websites, pretending that it is the server, and then establishing a separate connection to the server to which the user was connecting, pretending to be the client. The malware has to present a fake certificate to the client, which the client then shows to the user, because it is not issued by any of the trusted Certificate Authorities in the repository. If the user accepts the certificate, then the malware can, depending on its capabilities, not just listen in on everything the user does on the site, such as which passwords are used, but also can inject actions into the session, such as transferring money out of a bank account.
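As an added illustration, not code from the original post or from Opera, the Go program below builds a constructed certificate of the kind described above, whose Issuer reads "Thawte" although it is signed with its own key, and shows what a client can conclude from it: ordinary path validation fails, the signature verifies under the certificate's own key, and an untrusted issuer is borrowing a CA brand. It then adds the certificate to the trust store, which is what permanently accepting it amounts to, and shows that validation then succeeds; the host name bank.example and the issuer string are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// inspectCert reports whether cert chains to roots for host (trusted), whether its signature verifies
// under its own public key (selfSigned), and whether an untrusted issuer borrows the "Thawte" name.
func inspectCert(cert *x509.Certificate, roots *x509.CertPool, host string) (trusted, selfSigned, borrowsThawte bool) {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	trusted = err == nil
	selfSigned = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	borrowsThawte = !trusted && strings.Contains(strings.ToLower(cert.Issuer.String()), "thawte")
	return
}

// fakeThawteCert builds a constructed sample like the one described above: a certificate for host whose
// Issuer reads "Thawte" but is signed with its own key (CreateCertificate copies Issuer from parent.Subject).
func fakeThawteCert(host string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	bogusIssuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Thawte"}} // issuer string is illustrative
	der, err := x509.CreateCertificate(rand.Reader, leaf, bogusIssuer, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

func main() {
	cert := fakeThawteCert("bank.example")
	roots := x509.NewCertPool() // a trust store that does not contain the bogus issuer
	trusted, selfSigned, borrows := inspectCert(cert, roots, "bank.example")
	fmt.Println("as presented:    trusted =", trusted, "selfSigned =", selfSigned, "borrowsThawte =", borrows)
	roots.AddCert(cert) // what permanently accepting the certificate in the browser amounts to
	trusted, selfSigned, borrows = inspectCert(cert, roots, "bank.example")
	fmt.Println("after accepting: trusted =", trusted, "selfSigned =", selfSigned, "borrowsThawte =", borrows)
}
```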
The probable infection vector is thought to be vulnerabilities in Java, exploited when the user visits a site that has been compromised and is being used to serve malware to its visitors. Many high profile sites, including Amnesty International, have been abused in this manner.
This trojan is probably not the only such malware out there; we have seen reports of at least one different certificate being used, and there are probably many more in circulation.
If your computer gets infected with such malware, and your antivirus software does not detect it or is not able to remove it, the best option may be to reinstall the OS after backing up all your data.
Once you are on a secure system, you need to change the passwords for all affected accounts and audit the activity there, particularly for online banking. You also need to make sure that you have not permanently accepted any of the fake certificates in the Certificate Manager (Menu>Settings>Preferences>Advanced>Security>Manage Certificates>Approved).
Suggested mitigation steps:
- Disable plug-ins generally, and only enable them for sites where you want to have plug-ins used. Optionally, you can instead use the "Enable plug-in on demand" feature. This reduces the potential for being attacked through plug-ins, since the attacker would have to attack one of the sites for which you have enabled plug-ins. An extra benefit is that you will not see flash ads or unrequested videos on most sites.
- Keep in mind that serious websites do not trigger security warnings. If you encounter security warnings on your online banking site, Google, Facebook, Twitter, Amazon, or other public websites, it is not the browser that is at fault; it is telling you that there is a serious problem somewhere. In such situations, you should never click through the warning, but instead leave the site and start checking your system for malware. If you decide to click through the certificate warning dialog anyway, Opera will still not show the site as secure.
[Update June 3rd, 2012: Added link to Symantec article]