Privacy Software Corporation Newsletter

Monday, July 24, 2006

WHO DO YOU TRUST?

SYNOPSIS:

On Saturday, July 22, 2006 we added a "signature" to BOClean called "QUOVADIS" based upon a submission to us by one of our external malware research partners. The submission was reviewed by one of our own malware analysts and was determined to be extremely suspicious because it modified the Windows registry "trusted certificates" store and that's always a "no-no." The fact that it was submitted without the context of its origin unfortunately led us to believe by its design and nature that it was a Mozilla hijacker since it appeared to be legitimate and yet didn't pass the "smell test" because of its internal contents and behavior. We encounter similar "infections" often. The decision was "unfortunately" made to err on the side of caution and INCLUDE it in BOClean's update of that day.

Within a little over an hour, based upon numerous complaints of a "false positive," we removed detection for the NSSCKBI.DLL file as QUOVADIS malware. Now, we're not quite sure if there actually isn't an issue there, though apparently not one that rises to the level of an actual piece of malware since Mozilla's browsers are "trusted." As is the case with any "surprise" here, a post mortem remains in progress on our end to bring closure and internal policy changes to prevent any future "unfortunate events" such as this.

Mozilla's NSSCKBI.DLL file contains a number of "secure sockets layer" (SSL) certificates, including certificates from several unknown and possibly dubious "certifying authorities." It is our opinion that there are some questions raised by the presence of this module and in particular its contents and its ability to modify the machines of users of Netscape, Mozilla and Firefox. Therefore, we hope some external and independent parties and other experts might examine this further, independent of us, to determine whether there actually is a concern here.

The "issue" as we see it is that the end user is not presented with the ability to accept or decline certificates by these unknown quantities, and once a certificate is "stored" on the machine, then any certificate granted by these authorities to others is now considered both "valid" and "safe." Further, the option to VIEW the existing certificates is not available to the user through Netscape/Mozilla/Firefox and is instead hidden in the Windows registry in a difficult to view and modify means.

We feel that this is a serious security risk since some of the "certifying authorities" embedded in this file are known to be used by a number of malware programs and because any download "signed" by any of these questionable certifying authorities would be downloaded, installed and run without warning because of the successfully "signed certificate." This is the crux of the issue as we see it, but disabling this file completely breaks Netscape/Mozilla/Firefox (as well as the winsock stack) as was reported when we learned of the "false positive." We had no choice but to immediately pull the "detection" as a result and assist a number of users ill-affected in restoring the "status quo" who had not received the update which resolved the problem.

It wouldn't have been an issue for us if people weren't punished by Netscape/Mozilla/Firefox for disabling or removing this module, because it appears to be a critical piece of Mozilla which provides a good bit of their "SSL functionality." The decision to leave it alone was difficult as we do see it as a security threat among our internal consensus. And that is why I'd like to offer this issue for others to discuss, form a consensus on the "groups" and recommend some options to the "Mozilla people" as to a preferable solution. We're only bringing this up because apparently nobody knew this was happening.

WHICH "AUTHORITIES" ARE INSTALLED?

An examination of NSSCKBI.DLL reveals a number of "certificate authorities," many well known and completely safe as well as a surprising number of "unknown CA authorities." The file itself seems to originate with Netscape Communications (part of AOL/TimeWarner) rather than Mozilla.org, and the listing captured from the DLL is as follows:

/**********************************************************
$Header: NSS Builtin Trusted Root CAs 1.53  May  8 2006 19:11:24 $
@(#)NSS Builtin Trusted Root CAs 1.53  May  8 2006 19:11:24
Builtin Object Token
NSS Builtin Object Cryptoki Module
Netscape Communications Corp.




Starfield Technologies, Inc.1200


The Go Daddy Group, Inc.110/
(Go Daddy Class 2 Certification Authority0


XRamp Security Services Inc1-0+
$XRamp Global Certification Authority0


Budapest1'0%
NetLock Halozatbiztonsagi Kft.1
Tanusitvanykiadok1402
+NetLock Expressz (Class C) Tanusitvanykiado0


AC Camerfirma SA CIF A827432871#0!
http://www.chambersign.org1 0
Global Chambersign Root0


Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0


TDC OCES CA0
030211083930Z
370211090930Z011
#http://www.certifikat.dk/repository0


TDC Internet1
TDC Internet Root CA0
Staat der Nederlanden1&0$


Sonera1
Sonera Class2 CA0
010406072940Z
210406072940Z091
FI1


SECOM Trust.net1'0%
Security Communication RootCA10
030930042049Z
230930042049Z0P1
JP1


QuoVadis Limited1%0#
Root Certification Authority1.0,
%QuoVadis Root Certification Authority0
Reliance on the QuoVadis Root Certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certification practices, and the QuoVadis Certificate Policy.0"
http://www.quovadis.bm0 
BM1


Barcelona1
Barcelona1.0,
%IPS Internet publishing Services s.l.1+0)
"ips@mail.ips.es C.I.F.  B-609294521402
+IPS CA Timestamping Certification Authority1402
+IPS CA Timestamping Certification Authority1
ips@mail.ips.es0
011229011018Z
251227011018Z0
ES1


Salford1
Comodo CA Limited1%0#
Trusted Certificate Services
Comodo Trusted Services root
0~1
GB1
Greater Manchester1


PL1
Unizeto Sp. z o.o.1
Certum CA0
020611104639Z
270611104639Z0>1
PL1


Hamburg1
Hamburg1:08
1TC TrustCenter for Security in Data Networks GmbH1"0
TC TrustCenter Class 3 CA1)0'
certificate@trustcenter.de0
980309115959Z
110101115959Z0
DE1


VISA1/0-
&Visa International Service Association1
Visa eCommerce Root0
020626021836Z
220624001612Z0k1
US1


America Online Inc.1604
-America Online Root Certification Authority 20
020528060000Z
370929140800Z0c1
US1


Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1+0)
"UTN-USERFirst-Network Applications0
990709184839Z
190709185749Z0
US1


GeoTrust Inc.1
GeoTrust Global CA0
020521040000Z
220521040000Z0B1
US1


RSA Security Inc1
RSA Security 1024 V3
RSA Security 1024 v3
h%t
0:1
RSA Security Inc1
RSA Security 2048 V30


5http://www.betrusted.com/products_services/index.html0
6Reliance on or use of this Certificate creates an acknowledgment and acceptance of the then applicable standard terms and conditions of use, the Certification Practice Statement and the Relying Party Agreement, which can be found at the beTRUSTed web site, http://www.betrusted.com/products_services/index.html0
beTRUSTed1
beTRUSTed Root CAs1/0-
&beTRUSTed Root CA - RSA Implementation
beTRUSTed Root CA - RSA Implementation
O@0
0f1
beTRUSTed1
beTRUSTed Root CAs1301
*beTRUSTed Root CA - Entrust Implementation0
020411082427Z
220411085427Z0f1


AOL Time Warner Inc.1
America Online Inc.1705
.AOL Time Warner Root Certification Authority 20
020529060000Z
370928234300Z0
US1


Entrust.net1@0>
7www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.)1%0#
(c) 2000 Entrust.net Limited1301
*Entrust.net Client Certification Authority0
000207161640Z
200207164640Z0


ZA1
Western Cape1
Durbanville1
Thawte1
Thawte Certification1
Thawte Timestamping CA0
970101000000Z
201231235959Z0
ZA1



VeriSign, Inc.1<0:
3Class 3 Public Primary Certification Authority - G21:08
1(c) 1998 VeriSign, Inc. - For authorized use only1
VeriSign Trust Network0
000926000000Z
100925235959Z0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)001,0*


SE1
AddTrust AB1
AddTrust TTP Network1#0!
AddTrust Qualified CA Root
AddTrust Qualified Certificates Root


beTRUSTed1
beTRUSTed Root CAs1
beTRUSTed Root CA0
000620142104Z
100620132104Z0Z1
WW1
Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, and certification practice statement, which can be found at beTRUSTed's web site, https://www.beTRUSTed.com/vault/terms01
%https://www.beTRUSTed.com/vault/terms04


VISA1/0-
&Visa International Service Association1
GP Root 20
000816225100Z
200815235900Z0a1
US1


Equifax Secure1&0$
Equifax Secure eBusiness CA-21
CRL10
20190623121445Z0
V3.0c
5X=)
0N1
US1


Baltimore1
CyberTrust1"0
Baltimore CyberTrust Root0
Entrust.net1@0>
7www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#
(c) 1999 Entrust.net Limited1301
*Entrust.net Certification Authority (2048)0
991224175051Z
191224182051Z0


ValiCert Validation Network1
ValiCert, Inc.1503
,ValiCert Class 3 Policy Validation Authority1!0
http://www.valicert.com/1 0
info@valicert.com
RSA Root Certificate 1


GlobalSign nv-sa1
Root CA1
GlobalSign Root CA0
980901120000Z
140128120000Z0W1
BE1


Salt Lake City1$0"
Digital Signature Trust Co.1
DSTCA X21
DST RootCA X21!0
ca@digsigtrust.com0
981130224616Z
081127224616Z0
us1


ABA.ECOM, INC.1
ABA.ECOM Root CA1$0"
admin@digsigtrust.com0
990712173353Z
090709173353Z0
US1
DC1
Washington1


Western Cape1
Cape Town1
Thawte Consulting cc1(0&
Certification Services Division1!0
Thawte Premium Server CA1(0&
premium-server@thawte.com
Thawte Premium Server CA
ZA1


GTE Corporation1'0%
GTE CyberTrust Solutions, Inc.1#0!
GTE CyberTrust Global Root0
980813002900Z
180813235900Z0u1
US1


c:\builds\tinderbox\Fx-Mozilla1.8.0-Release\WINNT_5.2_Depend\mozilla\nss\nssckbi\nssckbi.pdb
**********************************************************/

The "root certificates" which this file places go into the Windows registry in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

and exist as "subkeys" of the above with GUID numbers to identify each subkey. Names are not used. The data for the various root authorities is unfortunately coded as "binary" rather than text, making viewing of the contents challenging, and no "viewer/editor" within Netscape/Mozilla/Firefox is apparently available for their contents. Once "Certificates" are installed to the registry here, uninstalling the program which placed them will NOT remove these certificates. They go in, and they stay. And Mozilla will put them right back if you delete them yourself. They stay.
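The stray punctuation in the listing above is not an obscured encoding; it is the tag and length bytes of DER-encoded X.509 Name structures, which is why a plain strings dump of the DLL looks the way it does. In the QuoVadis entry, for instance, "1%0#" is a SET (0x31) of length 37 followed by a SEQUENCE (0x30) of length 35, and date strings such as 030211083930Z are ASN.1 UTCTime values (a certificate's notBefore/notAfter pair). The Python script below is an added illustration, not part of the original newsletter and not Mozilla's or NSS's code: it builds the QuoVadis name as DER from the attribute values shown in the listing, demonstrates that a strings-style scan of those bytes reproduces the listing's three QuoVadis lines exactly, and then decodes the name and the UTCTime values properly. It assumes PrintableString values and only the six common name attribute OIDs, which is enough for this sample.

```python
"""Decode the DER structures behind a strings dump of a root CA list (added example)."""
import re

# Attribute-type OIDs (DER body bytes, without the 06 <len> header). Assumption:
# only these six attributes and PrintableString values are handled.
OID_NAMES = {
    b"\x55\x04\x06": "C",
    b"\x55\x04\x08": "ST",
    b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
    b"\x55\x04\x03": "CN",
}

# Sample input, constructed from the QuoVadis lines of the listing.
QUOVADIS_RDNS = [
    ("C", "BM"),
    ("O", "QuoVadis Limited"),
    ("OU", "Root Certification Authority"),
    ("CN", "QuoVadis Root Certification Authority"),
]


def der_tlv(tag, body):
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_name(rdns):
    """X.509 Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    oid_by_name = {v: k for k, v in OID_NAMES.items()}
    sets = []
    for attr, value in rdns:
        oid = der_tlv(0x06, oid_by_name[attr])
        val = der_tlv(0x13, value.encode("ascii"))  # 0x13 = PrintableString
        sets.append(der_tlv(0x31, der_tlv(0x30, oid + val)))
    return der_tlv(0x30, b"".join(sets))


def strings_like(data, minlen=4):
    """Mimic a 'strings' dump: runs of printable ASCII at least minlen bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def read_tlv(data, pos):
    """Parse one TLV at pos and return (tag, body, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_name(der):
    """Walk a DER Name back into a list of (attribute, value) pairs."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, set_body, pos = read_tlv(body, pos)
        assert tag == 0x31, "each RDN must be a SET"
        _, seq_body, _ = read_tlv(set_body, 0)
        _, oid, p = read_tlv(seq_body, 0)
        _, value, _ = read_tlv(seq_body, p)
        rdns.append((OID_NAMES.get(oid, oid.hex()), value.decode("latin-1")))
    return rdns


def utctime_to_iso(s):
    """ASN.1 UTCTime 'YYMMDDhhmmssZ' -> ISO 8601; two-digit years 50-99 are 19xx, 00-49 are 20xx."""
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return f"{year}-{s[2:4]}-{s[4:6]}T{s[6:8]}:{s[8:10]}:{s[10:12]}Z"


if __name__ == "__main__":
    der = encode_name(QUOVADIS_RDNS)
    print("strings-style dump:", strings_like(der))
    print("decoded name:", decode_name(der))
    # notBefore / notAfter pair shown for TDC OCES CA in the listing
    print(utctime_to_iso("030211083930Z"), "to", utctime_to_iso("370211090930Z"))
```

Running the script prints the three QuoVadis lines as they appear in the listing, with the "1%0#" and "1.0," debris in place, followed by the clean attribute/value pairs, which is the view a certificate viewer presents from the same bytes.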

Since Microsoft stores these certificates as well as others under a GUID code, there is no name associated with any of these authorities either, except within the "BLOB data" stream. And because of the location in the registry where they exist, any certifying authority of "roguish" nature will cause those root certificates to be applied to Internet Explorer or any other program requiring a "signed certificate," and therein lies our actual concern: it extends beyond "Mozilla," which can at least have its "downloads," "themes" and "extension" downloads turned completely off as an alternative when the "trust" relationship of a download is unknown. Such is not the case for some other programs which depend on a trusted relationship, in particular commerce of all kinds.

For those who might not be aware why "SSL" is so important and why we're raising this - when you go to a bank, "shop online" or other "secured" communication which brings up the "security lock" on a site, it is these "certificates" which are used to ensure the safety of any such transactions. Having questionable certifying sites, or sites that are unknown marked as "trusted" can be a problem. Numerous pieces of malware carry "trusted" certificates from Thawte, USERTRUST, BeTRUSTED and others, and the "disclaimers" present within the certificates that are not shown when this file is installed are "disturbing." While we don't intend to disparage these companies, fact is an awful lot of malware carries certificates issued by these entities.

The vast majority of "dialer" malware carries Thawte certificates, as has 180 Solutions (Zango - Hotbar - too many other aliases), Dollar Revenue ($revenue to us), coolwebsearch (CWS and others to us) and myriad other various malware purveyors with "signed code." It would seem that there is some sort of "revocation" problem with Thawte as many of these malware purveyors are well-known and have been with Thawte for more than 3 years minimum. USERTRUST offers "free" certificates to any and all comers and is highly popular with fraudulent vendors as well. Most of the remainder, even we have never heard of before. Feel free to google the names mentioned and study "free certificate" for yourself. It will be quite enlightening. Then there's the "signers" no one's heard of. And that again is the problem. WHO are the unknown people saying, "you can install this silently without telling the customer because you're ... 'trusted.'" BY WHOM?

Verisign, RSA, Visa, Equifax, GTE and Thawte are obviously well-known and respected "CA's" but we've never heard of any of the others before, except for signing malware of all kinds. And many of the rest are completely unknown. The basis of the name "QUOVADIS" for this file originally was based on the unknown "vendor" repeating more often than others throughout the code in memory. We thought "QuoVadis" was the name of the coder's work. And "tinderbox" in the official name for this code is highly unfortunate too. There's a lot more complexity to malware analysis, but even a "rube" would smell something funny from the data above. It all just don't "smell" right even though it's "legit." Therein lies the problem. We invite any "security experts" to investigate this further and offer the public some information as they glean. And so, we leave the question of this DLL as "open" and might decide to cover it in the future should the "Mozilla team" fail to address what we, and others, see as a serious question. We're too busy with the malware overload unfortunately at the moment.

WHAT SHOULD I DO ABOUT THIS?

Right now, Mozilla and Firefox are still far more secure than Internet Explorer and its derivative "competing" browsers. What we _would_ suggest for everyone's protection is to go into the preferences for your browser and DISABLE the automatic installation of programs, downloads, themes and plug-ins. If you turn these things off, you will NEED to be attuned to any "security issues" raised in the future with what you're running, but keeping bad things out of Firefox is all-important. With these certificates installed by the mere "touch" of a Netscape/Firefox/Mozilla install, we'd declare Internet Explorer and pretty much everything else potentially toxic GIVEN that those certificates are "in there." And again, it's important to note that we're not BLAMING anyone, it's just how the reality is. Those entries are *in* the "trusted root certificates."

At the time you go to download and install anything, CHECK the certificate if one is offered by anyone you don't already know and trust. When you go to a "secure connection" anywhere, be SURE to check the certificate and its origin. Any time you engage in a "secure session," be SURE to check not only the certificate, but WHO issued it. If you don't recognize it as a certification authority that you know and trust, do NOT carry on with the site in question.

We recommend that Mozilla provide a tab on their configuration screen to allow people to examine WHICH certificates are installed and to either pop up a warning when that certificate is called, or better, to edit and/or remove any certificate authorities that they wish. But given the frequent issues with Internet Explorer, we do NOT recommend removing Mozilla or Firefox, we suggest that they be limited in their ability to automatically install anything based upon a certificate by any unknown certifying authorities.

And most of all, we strongly encourage discussion. Our customers pay us to be overly paranoid. Perhaps we're being too much so. Folks expect us to err on the side of protection, but sometimes that's "bad." Discussion is good, and may serve to get more information on who can be trusted, who cannot be and hopefully the "Mozilla team" can be pressed to provide a "certificate control pane" in their browser so that individual users can revoke certificates themselves. Same for Microsoft, since this is their problem too.

But if you installed Netscape/Mozilla/Firefox, it's already IN there. Might as well stick with it until everyone can resolve this question. Our apologies for "being the bearer" ... but the incident over detecting that as malware in the first place caused us to study it far deeper than is necessary with most ordinary malware. We sure hope we're wrong on this particular analysis, but then, we've been right before.

COPYRIGHTED MATERIAL:

Copyright (c) 2006 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.