F-secure detected a malware that has been signed with a code signing certificate.  An unsigned Windows application will produce a warning to the end user if he downloads it from the web but signed applications won't do this. Also some security systems might trust signed code more than unsigned code.

The attacker may create fake CA or steal code signing certificates (and their passphrases) so they can sign code as someone else.

Publisher: Adobe Systems Incorporated
Copyright: Copyright (C) 2010
Product: Adobe Systems Apps
File version: 8, 0, 12, 78
Comments: Product of Adobe Systems

And the signing info was:

Signer: anjungnet.mardi.gov.my
Digisign Server ID (Enrich)
GTE CyberTrust Global Root
Signing date: 5:36 24/08/2011

This is CA of Malaysian Government : Malaysian Agricultural Research and Development Institute, this certificate has stolen some time ago.

The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8. The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esupplychain.com.tw.


F-Secure detect this malware as Trojan-Downloader:W32/Agent.DTIW. MD5 hash is e9f89d406e32ca88c32ac22852c25841.

As the mardi.gov.my certificate expired in the end of September, the malware can't take advantage of this signature anymore.

Malaysian Government has been informed about the case.