After WannaCry ransomware shook the security world, a new kind of Trojan called CertLock started compromising security worldwide. This Trojan blocks reputable security programs from installing on infected Windows machines. To achieve this, the Trojan blocks the security vendor’s digital certificate. Then, when users attempt to run the affected programs, they are met with an alert stating that the publisher of the software has been blocked because of an untrusted certificate. While CertLock is affecting AVAST most, vendors like AVG, BitDefender, ESET, Kaspersky and Symantec have also felt the burn.
Many security vendors currently flag CertLock as a generic Trojan or as Wdfload. It is distributed through unwanted program bundles – the ones attached to free software downloads – and poses as protection software. Once the bundle is installed, CertLock blocks the security vendor’s certificate by adding the certificate’s thumbprint to a specific Windows registry key (HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates), which disables any program signed with that certificate, even one that is already installed.
X.509 Certificates – A double-edged sword
Traditionally, enterprises and consumers use X.509 certificates to enable the security applications that make up public key infrastructures. An X.509 (or “identity”) certificate is used to (1) provide information about an entity’s identity and (2) securely exchange information over the internet using the entity’s public key. X.509 certificates have garnered a significant amount of trust over the years, and now cyber criminals are taking advantage of that trust. Since the famous Stuxnet attack, hackers have continued to use X.509 certificates – forged, or stolen from protected infrastructures or reputable certificate authorities – to sign their malware.
To make matters worse, there are also instances of certificate authorities issuing weak or improper certificates that let malware appear trusted and have even enabled the impersonation of Google servers. What if Google – one of the top ten websites worldwide from a usage perspective – failed to identify an impersonation? No one wants to contemplate the answer to such a frightening – but important – question. Scenarios like these have seriously called into question the level of security X.509 certificates are entrusted with online.
However, the technology itself is not to blame. Instead, it’s the improper use of the technology that should be re-evaluated. Now that SSL/TLS certificates (X.509 certificates used for TLS) are the face of your enterprise online, it is the user’s responsibility to take the security measures necessary to protect them. Otherwise, attacks like those executed through CertLock are inevitable.
How to counter CertLock?
Jérôme.B, a ToolsLib.net sysadmin and the brains behind Malwarebytes AdwCleaner, developed a tool called AVCertClean that can undo all changes made by CertLock. This tool scans the Disallowed registry key in Windows and automatically removes the entries that block legitimate certificates. Users can then successfully install and run the affected security programs on their systems without encountering problems.
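The blocking mechanism described above (an entry under the Disallowed store, backed by the registry key named earlier) can be audited from a defender’s side without a third-party tool. The following PowerShell script is an added example written for this article; it is not code from the original post and not AVCertClean’s method. It assumes only the built-in Cert: drive and Get-AuthenticodeSignature, and it treats the default Program Files directories as the places where installed software lives (an assumption; adjust ScanPaths for your machine). A Disallowed entry is not suspicious on its own, since Windows ships a few itself, so the script reports only entries whose thumbprint also signs an executable that is actually installed, which is exactly the CertLock pattern.

```powershell
# Added example (not from the original post or AVCertClean): audit the
# LocalMachine Disallowed certificate store for entries that match the
# Authenticode signer of an installed program, and optionally remove them.
# The store is backed by the registry key named in the article:
#   HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
# Run from an elevated PowerShell session.

param(
    # Assumption: installed software lives under the usual Program Files roots.
    [string[]]$ScanPaths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
    # Report only by default; pass -Remove to delete the matching Disallowed entries.
    [switch]$Remove
)

# 1. Thumbprints currently in the machine-wide Disallowed store.
#    Windows populates a handful of entries here on its own, so an entry is
#    only interesting when it blocks a publisher whose software is installed.
$disallowedByThumb = @{}
Get-ChildItem -Path Cert:\LocalMachine\Disallowed | ForEach-Object {
    $disallowedByThumb[$_.Thumbprint] = $_
}
if ($disallowedByThumb.Count -eq 0) { Write-Host "Disallowed store is empty."; return }

# 2. Collect the leaf signer thumbprint of every signed binary under the scan paths.
$signers = @{}
foreach ($root in $ScanPaths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate) {
                $thumb = $sig.SignerCertificate.Thumbprint
                if (-not $signers.ContainsKey($thumb)) { $signers[$thumb] = @() }
                $signers[$thumb] += $_.FullName
            }
        }
}

# 3. Intersect the two sets: a Disallowed entry whose certificate signs
#    installed software means a legitimate publisher is blocked on this host.
$hits = foreach ($thumb in $disallowedByThumb.Keys) {
    if ($signers.ContainsKey($thumb)) {
        [pscustomobject]@{
            Thumbprint = $thumb
            Subject    = $disallowedByThumb[$thumb].Subject
            FileCount  = $signers[$thumb].Count
            Examples   = ($signers[$thumb] | Select-Object -First 3) -join '; '
        }
    }
}

if (-not $hits) { Write-Host "No installed signer is blocked by the Disallowed store."; return }
$hits | Format-Table -AutoSize

# 4. Remediation, only when explicitly requested. Deleting the entry re-enables
#    the blocked publisher; review the table above before using -Remove.
if ($Remove) {
    foreach ($h in $hits) {
        Remove-Item -Path "Cert:\LocalMachine\Disallowed\$($h.Thumbprint)"
        Write-Host "Removed $($h.Thumbprint) ($($h.Subject)) from the Disallowed store."
    }
}
```

Run it once without switches to see the report, then with -Remove if the listed subjects are publishers you trust. The script compares only the leaf signing certificate; an entry that blocks an intermediate CA in the vendor’s chain would not be matched by this check and would need a chain walk with System.Security.Cryptography.X509Certificates.X509Chain instead.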
CertLock signals the beginning of a new wave of certificate-based attacks that block trusted security programs by compromising their X.509 certificates. Going forward, users must exercise extreme caution when installing free software and resist the temptation of blindly accepting all terms and conditions.
Given that PKI technology itself is sound, the use of X.509 certificates in secure communications and authentication is only going to increase. As a result, there will be more certificates for enterprises to track and manage on a daily basis. To put it simply, manual methods like spreadsheets will not get the job done. Users must adopt specialized tools like AppViewX’s Certificate Lifecycle Automation solution to help manage and automate the entire certificate lifecycle, extinguishing threats before it’s too late.