Author Topic: Fraudulent certificates in certmgr.msc  (Read 26799 times)

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #15 on: February 24, 2015, 04:35:34 AM »
Quote
...The difference between any user that knows what they are doing and the ones that don't, basically is the difference between fixing something that needs to be fixed and not fixing things that don't...
Which is exactly why I am asking and not doing anything yet.

So please if you could tell me, should I delete any of the untrusted and fraudulent certificates or not? Are any of them (in attachment above) dangerous or harmful to have on my computer, or are they all fine?

If you can answer my question (which is what I asked in my original post) I would appreciate it very much! Since then I would know what to do regarding this issue.

Thank you in advance!

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Re: Fraudulent certificates in certmgr.msc
« Reply #16 on: February 24, 2015, 07:28:58 AM »
It may not be necessary to delete any untrusted certificates, because the fact that these untrusted certificates are in that folder means they cannot be used again by Windows or any other program:
http://windows.microsoft.com/en-us/windows/certificate-faq#1TC=windows-vista
Expand the 'Show all' link and read the entire thing.

http://ask-leo.com/what_are_root_certificates_and_why_do_i_need_to_update_them.html

Read both and then come back to share what you understand about why certificates are necessary. You may well find the answer you seek just from these two links.

If you still need help please post that too.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #17 on: February 25, 2015, 01:25:13 AM »
Thank you for those links!

So I gather from you that I shouldn't delete any untrusted or fraudulent keys because in reality, they're shields against those untrusted attempts if they're made against my browser/computer?

Also, how could I know if there's ever a certificate in my certmgr.msc that's fake and malicious (for real, and not a "Shield" against a malicious attempt but the attempt itself)?

Thank you very much mchain!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Fraudulent certificates in certmgr.msc
« Reply #18 on: February 25, 2015, 01:36:59 AM »
Quote
Also, how could I know if there's ever a certificate in my certmgr.msc that's fake and malicious
Search and do research. Learn how things are working, what they do (or don't) etc. It all starts with knowledge. Nothing personal and no offense meant, but so far you are only asking about things that are really way over your head. My advice, start with learning the basic things first.

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #19 on: February 25, 2015, 01:59:33 AM »
Quote
My advice, start with learning the basic things first.
Such as?

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #20 on: February 26, 2015, 02:23:38 AM »
Quote
My advice, start with learning the basic things first.
Such as?
So Eddy, would you like to give me some examples, or just tell me off again?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Fraudulent certificates in certmgr.msc
« Reply #21 on: February 26, 2015, 04:28:40 PM »
Obviously you know the basics. It also seems as if you take a strong interest in the Malware industry.. Correct?

Start with the easy stuff. How Batch Files work, CMD etc, then slowly move your way up. Do research, practice, more research etc. (Any practicing you do should be done inside of a Virtual Machine!!)
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Fraudulent certificates in certmgr.msc
« Reply #22 on: February 26, 2015, 04:53:23 PM »
Michael is right, do some reading here: https://forum.avast.com/index.php?topic=166044.0
and https://forum.avast.com/index.php?topic=129271.0
Read about protocols, read about CMS and server software updates, outdated themes, plug-ins.
Learn about dns, SSL, Poodle, Beast etc. Scan with http://toolbar.netcraft.com/site_report/
and analyze website's code here: http://toolbar.netcraft.com/site_report/
Do your analysis and reading inside a browser with NoScript and RequestPolicy extensions active and the browser should be running in a Virtual Machine/sandbox. Clean your sandbox every other day or after fear of encountering some threat and also cleanse your computer with CCleaner disconnected.
To detect malcode on your own machine, yes, that is thoroughly possible now: download Process Explorer and Autoruns, and know you can start VT scans from inside there.
For site evaluation download the Malzilla browser. But be aware what you do, no one can help you when you have encountered a file-infector like Virut, it is bye-bye system then.
Never click any link, just cut and paste and do third party cold reconnaissance scans. So never, I repeat never visit the site to be analyzed itself (this even may be illegal to do as give results to it in public).

Checking on code do a jsunpack scan - or use this uri debugger scan: http://linkeddata.informatik.hu-berlin.de/uridbg/

Always remember to proceed patiently and learn this step by step, Krakau was not built in one day as was Cologne. Good luck to you,

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Fraudulent certificates in certmgr.msc
« Reply #23 on: February 26, 2015, 05:19:22 PM »
My own research methods are a tad different to normal research methods,

My approach is normally on finding new types of adware/malware/trojans.

On a daily basis I often stumble across malware while searching across perfectly normal sites, social media pages and server logs. Once you discover a potential threat on sites use checkers such as Virustotal, Malwr.com and urlquery to try and see if the threat has been actively scanned upon. If they are and vendors are proactively blocking the files in question you can move onto the next case, however if they aren't then it's time to talk to the community, provide your evidence to them including the MD5 hashes (so these can be looked up files for verification, an MD5 Hash is a digital finger print of a file.)


Some advice I can offer (still pretty new at searching for APTs)

Start to get to know research toolkits. WinHex can do wonders for in-depth forensics analysis of files at the Binary level, Open forensics toolkits such as the TSK Autopsy Kit.
Start to learn Linux/Unix systems, Ubuntu is a good/safe operating system to do checks behind with Cuckoo Sandbox. I would recommend running rkhunter on the system after you have done any tests inside a virtual computer. Normally a good VM for malware analysis is Oracle VirtualBox (free to download)
Start to read information security news sources (Darkreading is an excellent place to get information about emerging threats.)
Look into active malware hunting communities, Project Honeypot is a great example of communities across the world working together to discover malware.
Start to read books on coding, A good first language to learn is Python, Then move up to C#/.NET (which is becoming open source shortly so the demand for C# researchers will come in handy).

Finally, remember: with great power comes great responsibility!

Not sure if this helped, if it did awesome! :D


 

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #24 on: March 01, 2015, 01:44:48 AM »
Thank you all for your input!

Now I have a simple question that I hope someone can answer for me.
It seems from these 2 articles (linked to above):
http://windows.microsoft.com/en-us/windows/certificate-faq#1TC=windows-vista
http://ask-leo.com/what_are_root_certificates_and_why_do_i_need_to_update_them.html
that one shouldn't delete "untrusted" certificates, but it doesn't address Fraudulent certificates.
So, should I delete any of the Fraudulent certificates in the above-attached list, or not?
If anyone can just tell me if yes or no, I would very much appreciate it.
Thank you!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Fraudulent certificates in certmgr.msc
« Reply #25 on: March 01, 2015, 01:51:22 AM »
Hi ehmen,

In Windows, in a command prompt, check certificate revocation by entering:
Quote
certutil -f -urlfetch -verify [FilenameOfCertificate]
example:
Quote
certutil -f -urlfetch -verify mycertificatefile.cer

Check the list here: http://www.entrust.net/ssl-technical/revoked.cfm

polonus
« Last Edit: March 01, 2015, 01:56:45 AM by polonus »

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #26 on: March 01, 2015, 02:14:21 AM »
Thank you polonus for addressing my question!

So how do I plug a certificate called "global trustee" or "VeriSign Commercial Software Publishers CA" into the above command? (certutil -f -urlfetch -verify mycertificatefile.cer)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Fraudulent certificates in certmgr.msc
« Reply #27 on: March 01, 2015, 05:33:27 PM »
You should know where that certificate is and the exact position of file and file name and then give it in in the command prompt in the required format. It is a pity you were not brought up with DOS command txt books and worked commands like ipconfig /all and C:/Users/computername/netstat & cd & cd/.. to go back to C:/Users/computername/ and again cd/..  to go back to C:/Users/  :P
In such cases as this it is still nice to have the skills. The folks that learned computing around the turn of the century still can do these command prompt shortcuts.  ;

polonus

Offline ehmen

  • Poster
  • *
  • Posts: 498
Re: Fraudulent certificates in certmgr.msc
« Reply #28 on: March 01, 2015, 06:08:10 PM »
Quote
You should know where that certificate is and the exact position of file and file name and then give it in in the command prompt in the required format.
I just know whatever it says in the Certificate Manager list.
Is there a way I could find the position of file and filename, etc.?
Thank you.
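
One way to get a file for the `certutil` command from an entry that only shows up as a name in Certificate Manager, as an added example that is not part of the original thread: find the entry in the current user's certificate stores, export its public certificate to a `.cer` file, and verify that file. The match string and output folder are assumptions; change them to fit your own list.

```powershell
# Added example (not from the thread). $match and $outDir are assumed values.
# certmgr.msc shows the current user's stores, which PowerShell exposes as Cert:\CurrentUser.
$match  = 'VeriSign Commercial Software Publishers CA'   # name as shown in certmgr.msc
$outDir = Join-Path $env:TEMP 'cert-check'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Walk every store, keep only certificate objects, and match the name against
# both "Issued To" (Subject) and "Issued By" (Issuer).
$found = Get-ChildItem -Path Cert:\CurrentUser -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.Subject -like "*$match*" -or $_.Issuer -like "*$match*" }

if (-not $found) {
    Write-Warning "No certificate matching '$match' found under Cert:\CurrentUser"
}

foreach ($cert in $found) {
    # The last path segment is the store name, i.e. the folder the entry sits in.
    $store = ($cert.PSParentPath -split '\\')[-1]
    $file  = Join-Path $outDir ("{0}-{1}.cer" -f $store, $cert.Thumbprint)

    # Export the public certificate only; the store itself is left unchanged.
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null

    "Store:      $store"
    "Subject:    $($cert.Subject)"
    "Issuer:     $($cert.Issuer)"
    "Thumbprint: $($cert.Thumbprint)"
    "Expires:    $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    "File:       $file"

    # Same check as in the reply above, run against the exported file.
    certutil -f -urlfetch -verify $file
}
```

The store name printed for each match tells you which Certificate Manager folder the entry lives in, and the exported file is what goes in place of `mycertificatefile.cer`.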
