June 19th Opera under attack - check if you use Opera

Security breach stopped

By Sigbjørn Vik. Wednesday, June 26, 2013 11:02:29 AM
hacking, code signing, Opera

At Opera Software, we are committed to the security and privacy of our users. This is paramount to us, and as such, we want to share the details of a recent incident with you.

On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments.

The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.

It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.

Users are strongly urged to update to the latest version of Opera as soon as it is available, keep all computer software up to date, and to use a reputable anti-virus product on their computer. For more information about the malware, including which anti-virus applications can detect it, virustotal has a good overview.

Does this mean Comodo should temporarily remove Opera from the TVL?

According to VirusTotal the certificate used to sign it has expired, shouldn’t CIS then logically assume that the file is no longer trusted and hence not match it with Opera in the TVL?

Either way Comodo should detect the malware according to VirusTotal, but that doesn’t mean they can’t sign new malware.

So if CIS doesn’t care whether the certificate has expired or not then yes, I’d say temporarily remove Opera from the TVL; however, if CIS handles expired certificates in a “logical” way, i.e. treats them as if they were not signed at all, then there shouldn’t be a problem.

An expired code signing certificate is still trusted.
It must be revoked.

Does anyone know who the issuer of this code signing certificate is, or whether it’s revoked or not?

Is there a specific reason not to remove the trusted status for files with expired certificates? To me it seems like a bad idea to trust expired certificates and, as demonstrated by this incident, a security hole/weakness. So unless the answer to my previous question is “Yes” and the reason is darn good, I’d like to propose a wish that expired certificates are not trusted and that files with expired certificates are treated as unknown or similar.
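As an added illustration, not part of any post in this thread and not Comodo or Opera code, here is a small Python model of the trust rule the two posts above are arguing about: why an expired code signing certificate can still be trusted, and why revocation (with its effective date) is what actually withdraws that trust. Every certificate, serial number, date and revocation entry in it is constructed for the example; it is a policy model, not a parser for real Authenticode signatures.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class SignerCert:
    subject: str
    serial: str                 # constructed serial, not a real certificate
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Signature:
    cert: SignerCert
    timestamp: Optional[datetime]   # trusted countersignature time; None if not timestamped


@dataclass(frozen=True)
class RevocationEntry:
    serial: str
    revoked_at: datetime            # effective revocation date published by the CA


def evaluate_signature(sig: Signature, now: datetime,
                       crl: List[RevocationEntry]) -> Tuple[bool, str]:
    """Decide whether a code signature is trusted, returning (trusted, reason).

    Validity is judged at the trusted timestamp when one exists, otherwise at
    'now'. That single rule is what keeps a timestamped signature valid after
    the certificate expires, and what makes an untimestamped one die with it.
    """
    cert = sig.cert
    check_time = sig.timestamp if sig.timestamp is not None else now

    # Revocation: untrusted if the signature was made on or after the
    # effective revocation date. A CA that discovers a stolen key therefore
    # backdates the revocation to the compromise date, so that everything
    # signed after the theft is caught, not just signatures made after today.
    for entry in crl:
        if entry.serial == cert.serial and check_time >= entry.revoked_at:
            return False, "certificate revoked at or before the signing time"

    if check_time < cert.not_before or check_time > cert.not_after:
        if sig.timestamp is None:
            return False, "certificate expired and signature has no trusted timestamp"
        return False, "certificate was not valid at the timestamped signing time"

    if sig.timestamp is None:
        return True, "certificate currently valid (no timestamp: trust ends at expiry)"
    return True, "certificate valid at timestamped signing time"


# Constructed publisher certificate that expired at the end of 2012.
EXAMPLE_CERT = SignerCert(
    subject="CN=Example Publisher (constructed)",
    serial="01",
    not_before=datetime(2010, 1, 1, tzinfo=UTC),
    not_after=datetime(2012, 12, 31, tzinfo=UTC),
)
NOW = datetime(2013, 6, 27, tzinfo=UTC)   # constructed "today", after expiry


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """The cases the thread discusses, evaluated against the same expired cert."""
    signed_in_validity = Signature(EXAMPLE_CERT, datetime(2012, 6, 1, tzinfo=UTC))
    signed_no_timestamp = Signature(EXAMPLE_CERT, None)
    signed_after_expiry = Signature(EXAMPLE_CERT, datetime(2013, 6, 19, 1, 10, tzinfo=UTC))
    backdated_crl = [RevocationEntry("01", datetime(2011, 1, 1, tzinfo=UTC))]   # CA backdated to compromise date
    late_crl = [RevocationEntry("01", datetime(2013, 6, 20, tzinfo=UTC))]       # CA revoked only "yesterday"
    return {
        "expired_timestamped_not_revoked": evaluate_signature(signed_in_validity, NOW, []),
        "expired_untimestamped": evaluate_signature(signed_no_timestamp, NOW, []),
        "expired_timestamped_revoked_backdated": evaluate_signature(signed_in_validity, NOW, backdated_crl),
        "expired_timestamped_revoked_after_signing": evaluate_signature(signed_in_validity, NOW, late_crl),
        "timestamp_after_expiry": evaluate_signature(signed_after_expiry, NOW, []),
    }


if __name__ == "__main__":
    for name, (trusted, reason) in run_scenarios().items():
        print(f"{name:45s} trusted={trusted!s:5s} {reason}")
```

The first scenario is the one that surprises people: the certificate is expired today, yet the signature stays trusted because a trusted timestamp places the signing inside the validity window, which is how Authenticode-style verification behaves. Expiry alone is therefore not a trust boundary, and "treat expired as unsigned" would also reject every legitimately timestamped old installer. The fourth scenario shows the subtler failure: a revocation dated after the signing time does nothing to earlier signatures, so a CA that does not backdate the revocation to the compromise date leaves a window open.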

I do not know if it helps, but on this VirusTotal page is the malware, and under “File Detail” you can get more information about the signature. I myself haven’t got enough knowledge about certificates to answer that question accurately 8)

Edit: Off-topic question: Does CIS pay attention to revoked certificates? If so, how does it handle those files?

:P0l For Windows users there is a good description by F-Secure on how to deal with Windows code manipulation, with a part concerning the problem of stealing certificates: http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf (PDF format).

It would be nice if Comodo released something like that (:WAV)

Opera was always my best browser, but in the last years they have just let the browser down (:AGY)

Comodo UnclassifiedMalware 20130627

In the latest VirusTotal report, as above, Comodo detects it as unclassified malware.

Report here 2013-06-27 16:02:51 UTC ( 4 minutes ago )

SSL: Intercepted today, decrypted tomorrow

Worth reading :-TU SSL: Intercepted today, decrypted tomorrow | Netcraft News