SSL (Secure Sockets Layer) certificates underpin the encryption that protects online communications. Many web services have added support for SSL encryption, and with recent revelations of large-scale surveillance and bulk data collection by intelligence agencies, privacy-conscious web users have begun to adopt the technology.
But they aren’t the only ones. According to the Swiss security blog Abuse.ch, cybercriminals also use SSL certificates to encrypt traffic between malware-infected computers and command-and-control servers in an attempt to bypass intrusion prevention and detection systems.
An article in IT World, “SSL Blacklist project exposes certificates used by malware” details a plan by Abuse.ch’s botnet tracking initiative to track and create a list of SSL certificates used in botnet and malware operations.
Abuse.ch has been tracking command-and-control servers for malware threats like Zeus, SpyEye, Palevo and Feodo for several years and lists the IP addresses and domain names associated with those servers in order to help network administrators identify infected computers that attempt to communicate with them. In similar fashion, the outfit has launched a project to list SSL certificates used by some malware programs to hide their communications. “The SSL Blacklist” will list digital certificates — identified by their SHA1 cryptographic fingerprints — that are used by botnets.
So far the list contains “127 certificates including some that cybercriminals generated themselves instead of buying from a trusted certificate authority. The majority of certificates are used in the command-and-control operations of KINS, Shylock and Vawtrak, three distinct malware threats that target online banking users,” according to IT World. This list will undoubtedly grow and prove to be a valuable tool in identifying cyber threats.
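The check a network administrator would run with such a list, as an added example (not abuse.ch's own code): take a certificate seen in a TLS handshake, compute the SHA1 fingerprint over its DER encoding, and look it up. The CSV column layout (listing date, SHA1, reason) and the sample certificate bytes are constructed for this example, not taken from the real blacklist.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(der):
    """SHA1 over the DER encoding, lower-case hex: the identifier the list uses."""
    return hashlib.sha1(der).hexdigest()


def load_blacklist(csv_text):
    """Parse 'date,sha1,reason' lines into {sha1: reason}; '#' lines are comments."""
    entries = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _date, sha1, reason = line.split(",", 2)  # reason may itself contain commas
        entries[sha1.strip().lower()] = reason.strip()
    return entries


def lookup(der, blacklist):
    """Return the listing reason if the certificate is blacklisted, else None."""
    return blacklist.get(sha1_fingerprint(der))


# Constructed sample: arbitrary bytes wrapped as PEM, standing in for a
# certificate captured from a handshake (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

# Constructed blacklist in the assumed 'Listingdate,SHA1,Listingreason' layout;
# its single entry is derived from SAMPLE_DER so the lookup below matches.
SAMPLE_BLACKLIST = load_blacklist(
    "# Listingdate,SHA1,Listingreason\n"
    f"2014-03-12 10:00:00,{sha1_fingerprint(SAMPLE_DER)},KINS C&C\n"
)

if __name__ == "__main__":
    print(lookup(pem_to_der(SAMPLE_PEM), SAMPLE_BLACKLIST))  # KINS C&C
```

In practice the DER would come from the server certificate in a captured handshake, and the blacklist from the published list rather than an inline string.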