CertLock Trojan Blocks Security Programs by Disallowing Their Certificates

A new trend in adware and unwanted program purveyors is to install protection software that makes it more difficult for Windows users to run their security programs and clean infections. This was seen with the SmartService rootkit that blocked AV software from running and now with a protection program being called CertLock.

Since the end of May, security forum helpers have noticed reports that people are not able to install and run security programs on their infected computers. When they try to run the programs, they are greeted with an alert that states that the publisher has been blocked from running on the computer.

It turns out that this is being caused by CertLock disallowing a security vendor’s certificate on the affected computer so that Windows does not allow the program to run.

CertLock disallows security vendor certificates

Being commonly detected as Ceram or Wdfload by anti-virus vendors, CertLock is distributed by unwanted program bundles, such as miners. Once installed, CertLock will block a security vendor's certificate by adding it to a special Windows registry key. This causes Windows to not execute any programs that are signed with that certificate.
Disallowed Certificates (Thumbprints): Security Vendor / Thumbprint
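The mechanism above (a thumbprint written under the machine's Disallowed certificate store) can be audited from the defender's side. The following PowerShell script is an added example, not code from the article or from any forum member: it assumes Windows PowerShell 5.1 or later on the affected machine, an elevated prompt for the `-Remove` path, and a constructed, illustrative list of vendor name patterns. Because the Disallowed store also holds certificates Microsoft has legitimately distrusted, the script flags only entries whose subject matches a vendor pattern instead of clearing the store.

```powershell
# Added example (not from the article or the forum thread): audit the
# per-machine Disallowed certificate store that CertLock abuses.
# Assumes PowerShell 5.1+ on Windows; -Remove needs an elevated prompt.
# The vendor list below is a constructed, illustrative set of patterns.
[CmdletBinding()]
param(
    [string[]]$VendorPatterns = @('Avast', 'AVG', 'Avira', 'Bitdefender', 'ESET',
                                  'Kaspersky', 'Malwarebytes', 'McAfee', 'Symantec',
                                  'Trend Micro', 'Webroot', 'Comodo'),
    [switch]$Remove
)

$storePath = 'Cert:\LocalMachine\Disallowed'
$regPath   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'

# 1. Entries as Windows sees them through the certificate provider.
$suspect = Get-ChildItem -Path $storePath | Where-Object {
    $subject = $_.Subject
    $VendorPatterns | Where-Object { $subject -match [regex]::Escape($_) }
}

# 2. Raw registry view: each blocked certificate is a subkey named by its
#    thumbprint, so we can confirm the store entry is backed by a key there.
$regKeys = if (Test-Path $regPath) {
    Get-ChildItem -Path $regPath | Select-Object -ExpandProperty PSChildName
} else { @() }

# Report every security-vendor certificate found in the Disallowed store.
foreach ($cert in $suspect) {
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        InRegistry = ($regKeys -contains $cert.Thumbprint)
    }
}

if (-not $suspect) {
    Write-Host "No security-vendor certificates found in $storePath"
}
elseif ($Remove) {
    foreach ($cert in $suspect) {
        # Removing the store entry re-enables programs signed with that certificate.
        Remove-Item -Path (Join-Path $storePath $cert.Thumbprint) -Force
        Write-Host "Removed $($cert.Thumbprint) ($($cert.Subject)) from Disallowed"
    }
}
```

Run it without `-Remove` first to review the flagged entries; only then re-run with `-Remove` so the security program can be installed and used for the actual clean-up.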

Nice share. Looks like it’s not an all-inclusive list; HitmanPro, which is signed by Surf Right, can bypass this. It is also possible to use an unsigned version of a clean-up tool, that way you don’t need to use a bootable environment for cleanup.

And Microsoft can’t be blocked for obvious reasons. Actually I wonder what happens if Microsoft Vendors are blocked if that is possible, that could be a method for malware designed to shut down systems from working.

Reported :slight_smile: :

https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2017-no-live-malware-t117716.0.html;msg860421#msg860421

I’ve seen it a bit late, but very interesting post :-TU :wink:

well…to disallow the certificate, it must execute something and change something in the hard drive…

With Comodo’s containment technology, whatever it does will happen in a virtualized environment and no change will be committed to the hard drive.

We don’t let unknown files have access to the gun so that they can shoot us!!!

No access to Hard Drive
No access to Registry
No access to COM interface…

No gun wound :wink:

Yeah, but there is a problem when you try to install CIS on a system already infected by this trojan :wink:

That’s fully right, but I think this scenario would, or could, be a problem for all antivirus programs :wink:

Many people probably don’t agree with me but in my opinion if a system has been infected then it’s forever contaminated, you might be able to clean it out but you don’t know what damage it has done to the OS or what else it has done. If a system is infected then in my personal opinion there is no need to clean it, start fresh.

I agree with you ! For the most types of malware , this is the best and safest thing you can do .

If only there was a way to go back in time before the infection occurred.

Like a time machine.

A Comodo Time Machine.

Boom goes the hammer Melih. :wink:

agree 100%!!!

You can keep a computer clean without knowing what the malware does (Virtualization)
But you can’t clean a computer without knowing what the malware has done.
How will you know what kind of malware you have? You will only know what you know, and what you don’t know will still be there unnoticed…

Infected system…re-image!

Personally I use Macrium Reflect for that.