According to security expert Eric Romang, cybercriminals have changed the way they spread malware through Java applets: they have started signing the applets with digital certificates stolen from real companies.
Romang said the Java applet was found on the German website hxxp://dict.tu-chemnitz.de/, which had been compromised to serve the g01pack exploit kit. The applet was signed with a certificate stolen from the U.S. company Clearesult Consulting, and Java treated the signature as valid even though the certificate had already been revoked.
According to VirusTotal, the malicious Java applet is not detected by antivirus engines (although some of its components are flagged as suspicious); it installs itself on the victim's machine disguised as a "ClearWeb Security Update".
If the applet behaves exactly as Romang describes, users cannot rely on the signature check alone: they would have to verify the validity of the signing certificate themselves during every installation in order to confirm its authenticity.
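As an added illustration (not from the article or from Romang), the following Python script, built on the `cryptography` library, constructs a CA, issues a hypothetical code-signing certificate, revokes it on a CRL, and shows that a verifier which checks only the signature chain reports a signed artifact as valid, while one that also consults the CRL rejects it. All names, keys and the payload are constructed; the "Example CA" and "Example Consulting" identities are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def _cert(subject, issuer, pubkey, signing_key, ca):  # constructed X.509 cert; self-signed when subject == issuer
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def build_pki():
    """Constructed CA, a code-signing cert it issued, and a CRL that revokes that cert."""
    ca_key, signer_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    ca_cert = _cert("Example CA", "Example CA", ca_key.public_key(), ca_key, True)
    signer_cert = _cert("Example Consulting", "Example CA", signer_key.public_key(), ca_key, False)
    revoked = x509.RevokedCertificateBuilder().serial_number(signer_cert.serial_number).revocation_date(NOW).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject).last_update(NOW)
           .next_update(NOW + DAY).add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca_cert, signer_key, signer_cert, crl

def sign_payload(signer_key, payload):
    """Sign the artifact (e.g. JAR bytes) with the signer key, as a code signer would."""
    return signer_key.sign(payload, padding.PKCS1v15(), hashes.SHA256())

def verify_signed_artifact(payload, signature, signer_cert, ca_cert, crl=None):
    """'valid', 'untrusted-issuer', 'bad-signature', 'bad-crl' or 'revoked'; crl=None ignores revocation."""
    try:  # 1. signer certificate must be issued by the trusted CA
        ca_cert.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), signer_cert.signature_hash_algorithm)
    except InvalidSignature:
        return "untrusted-issuer"
    try:  # 2. signature over the payload must verify with the signer's key
        signer_cert.public_key().verify(signature, payload, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "bad-signature"
    if crl is not None:  # 3. the step a revocation-blind verifier skips
        if not crl.is_signature_valid(ca_cert.public_key()):
            return "bad-crl"  # fail closed: revocation status unknown
        if crl.get_revoked_certificate_by_serial_number(signer_cert.serial_number):
            return "revoked"
    return "valid"
```

Calling `verify_signed_artifact` without a CRL returns "valid" for the revoked signer, and with the CRL returns "revoked"; in practice the CRL (or an OCSP response) would be fetched from the distribution point named in the certificate rather than constructed locally.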