Signed malware stalks HP's Windows boxes
October 15, 2014
HP will be revoking a security certificate for its Windows-based systems on Oct. 21, and the vendor isn't sure yet how that will impact system reliability.
The software bundled on older HP PC systems has been at risk of serving as a front-man for malware, according to a report on the Krebs on Security website. Code-signing is supposed to give computer users and network admins confidence in a program's security and integrity. HP's Global Chief Security Officer Brett Wahlin said the company is revoking a certificate it has been using since before 2010.
HP was recently alerted by Symantec about a curious, four-year-old trojan horse program that appeared to have been signed with one of HP's code-signing certificates and was found on a server outside of HP's network. Further investigation traced the problem back to a malware infection on an HP developer's computer.
HP investigators believe the trojan on the developer’s PC renamed itself to mimic one of the file names the company typically uses in its software testing, and that the malicious file was inadvertently included in a software package that was later signed with the company’s digital certificate. The company believes the malware got off of HP’s internal network because it contained a mechanism designed to transfer a copy of the file back to its point of origin.
The means of infection here is the junkware shipped with all PCs, including HP's, according to HP 3000 consultant and open source expert Brian Edminster. In this case, the revoked certificate will cause support issues for administrators: it was used to sign a huge swath of HP software, including hardware and software drivers and components that are critical to Windows.
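An administrator assessing the impact described above would first want to know which installed binaries carry a signature from the affected certificate. The following PowerShell script is an added example, not code from the article or from HP; the root path and the thumbprint are placeholders (the article does not give the certificate's thumbprint).

```powershell
# Added example (not from the article): inventory Authenticode signers under a
# directory and flag binaries signed with a given certificate thumbprint.
# Both defaults are PLACEHOLDERS; substitute the real values for your estate.
param(
    [string]$Root = 'C:\Program Files\Hewlett-Packard',
    [string]$SuspectThumbprint = 'REPLACE_WITH_REVOKED_CERT_THUMBPRINT'
)

$inventory = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $ts   = $sig.TimeStamperCertificate
        [pscustomobject]@{
            Path       = $_.FullName
            # Status is the chain validation result at the moment of the check
            # (Valid, NotSigned, NotTrusted, HashMismatch, ...), so rerunning the
            # script after the revocation date shows exactly what changed.
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
            # A countersignature timestamp records when the file was signed; whether
            # a later revocation invalidates it depends on the revocation's effective date.
            Timestamped = [bool]$ts
        }
    }

# Summary: how many binaries each signing certificate covers.
$inventory | Where-Object Thumbprint | Group-Object Thumbprint |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='Signer'; e={ $_.Group[0].Signer }}, Name |
    Format-Table -AutoSize

# Files that will be affected by the revocation, with drivers called out first.
$flagged = $inventory | Where-Object { $_.Thumbprint -eq $SuspectThumbprint }
$flagged | Sort-Object { $_.Path -notlike '*.sys' }, Path |
    Select-Object Status, Timestamped, Path | Format-Table -AutoSize

# Export for change tracking across the revocation date.
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'authenticode-inventory.csv') -NoTypeInformation
```

Run it before and after the revocation date and diff the two CSVs to see which signatures changed status.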
"This is one of the reasons that I absolutely loathe all the 'junkware' that is commonly delivered along with new PCs," Edminster said. "I end up spending hours removing it all before I use a new PC." Recovery partitions on Windows systems will be at unknown risk after the certificate is pulled Oct. 21, too.
"For me, this junkware is just chaff," Edminster said, "and an opportunity to clog up a machine that's supposed to be pristine and new. To say nothing of increased opportunities for the sort of thing outlined in the Krebs article."
HP's security officer Wahlin said that admins will have to wait to see the impact of the revoked certificate, according to the article:
The interesting thing that pops up here — and even Microsoft doesn’t know the answer to this — is what happens to systems with the restore partition, if they need to be restored. Our PC group is working through trying to create solutions to help customers if that actually becomes a real-world scenario, but in the end that’s something we can’t test in a lab environment until that certificate is officially revoked by Verisign on October 21.