Fake Certificate in Malware – with Message

Every now and then, malware authors send us virus researchers messages, for example inside the compiled binary itself or as debug output. We have now found a Zbot Trojan variant that tries to evade detection by carrying a digital certificate, so that the file looks more legitimate. This certificate is registered to “DetectMe! :)”, and the file also has random data appended behind the certificate.
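As an added triage example (not Avira's code and not taken from the original post), the following Python script locates a PE file's Authenticode certificate table and reports bytes that sit inside the table after the PKCS#7 blob or behind the table, which is where appended junk like the data described above ends up. The sample PE it builds is constructed for the demonstration and carries a dummy DER blob instead of a real signature.

```python
import struct
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def der_total_length(blob):
    """Tag + length + content size of the outer DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def inspect_cert_table(data):
    """Describe the certificate table of a PE image given as bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    if size == 0:
        return {"signed": False}
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
    dw_len, _rev, ctype = struct.unpack_from("<IHH", data, off)
    blob = data[off + 8:off + dw_len]
    der_len = der_total_length(blob)
    slack = blob[der_len:] if der_len is not None else b""
    return {"signed": True, "cert_type": ctype,  # 0x0002 = PKCS#7 SignedData
            "pkcs7_bytes": der_len,
            "slack_in_cert_table": len(slack),  # normally < 8 zero pad bytes
            "slack_has_nonzero": any(slack),
            "bytes_after_cert_table": len(data) - (off + size)}

def build_sample(extra_in_cert=b"", extra_after=b""):
    """Constructed, non-executable PE32 image with a dummy signature blob."""
    pkcs7 = b"\x30\x0a\x04\x08DETECTME"  # fake DER SEQUENCE, 12 bytes
    body = pkcs7 + extra_in_cert
    body += b"\0" * (-len(body) % 8)  # Authenticode pads to 8 bytes
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    cert_off = 64 + 4 + 20 + 224  # DOS + "PE\0\0" + COFF + optional header
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")  # PE32 magic
    dirs = bytearray(128)  # 16 data directories
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert + extra_after
```

Non-zero slack inside the certificate table or any bytes behind it are worth flagging in triage, since neither belongs to a normally signed file.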

We see hints like these regularly: malware authors proposing names for their malicious creations or suggesting a place where a signature-based detection would be suitable. Of course, we ignore such hints for detection purposes, but they make us smile for a moment.

In this particular case, our heuristics already notice other suspicious properties of the file, and Avira therefore detects the malware as TR/Crypt.ULPM.Gen.

Stefan Kurtzhals
Engine R&D

Dirk Knop
Technical Editor