Fake Google Root Certificates Seen in the Wild
20 Apr 2017
I've received user reports about a suspicious Google root certificate that my RCC scanner picked up on their Windows systems. The details of the root cert are as follows:
SHA1 thumbprint: 33FCD70343BBE07972D73CDEFDEB3C9F4DCEFE28
Validity: 2015-07-21 23:05:08 -> 2020-07-20 23:05:08
Usage: Enabled for all purposes
The .CER file is available here. (careful!)
Checking against the official trust stores, it quickly became obvious this was a forged root certificate.
After some more research I discovered a whole bunch of shady installers for popular software that have digital signatures chaining up to the above root. A few examples include:
MD5                               FILENAME
0b01e26a59e7c37089277b71a0fd1f62  Pepper_Flash_Player_22.214.171.124.plugin.paf.exe
9e7ab1c2046f8af7f1c80ad8357accb1  officeportable_126.96.36.19917_multilingual_rev.4.paf.exe
c4e9005a5ca9bf03f0d74cfe389ba120  JDownloaderPortable_2.0.paf.exe
27236776af91c15d318422303ff610fe  EverythingPortable_...lingual_Rev.1_online.paf.exe
3733bbb42d9d2c9c72f99ab33eb0e385  easeus data recovery wizard te x86+x64 9.5.0.paf.exe
c2b8f1f44c6e9f444e4db75d5df48ae1  jreDownloader_8.0.660.18_32bit_64bit.plugin.paf.exe
21d7c80baf93c2bc7fe896a10fc3b697  ChromePortable.exe
So far it seems the root has been primarily used to issue Authenticode certificates, but since it has all EKUs enabled, it could be misused to cause much more damage.
What I could not find out with my limited resources is how it gets added to the trusted certificate stores of some PCs in the first place.
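For readers who want to check their own machines, here is an added PowerShell example (not part of the original post or of RCC) that looks for the rogue root by its thumbprint in every Windows root store and flags signed files whose Authenticode chain terminates at it. The thumbprint is the one listed above; the download folder path is a placeholder you should adjust.

```powershell
# Added example, not from the original post. Flags the forged root by thumbprint in
# the Windows trusted root stores and reports signed files whose Authenticode chain
# ends at it. Thumbprint taken from the post; the scan path is a placeholder.
$BadRootThumbprints = @(
    '33FCD70343BBE07972D73CDEFDEB3C9F4DCEFE28'   # thumbprint reported in the post
)

function Find-RogueRoot {
    # Every store Windows consults when building a chain to a trusted root.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
              'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\AuthRoot'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $BadRootThumbprints -contains $_.Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # An empty EKU list on a stored root means "enabled for all purposes".
                    EKUs       = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
                }
            }
    }
}

function Test-SignatureChainsToRogueRoot {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $false }   # unsigned file
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Skip revocation lookups: we only care where the chain terminates.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($BadRootThumbprints -contains $root.Thumbprint)
}

# 1) Is the forged root installed anywhere on this machine?
Find-RogueRoot | Format-Table -AutoSize

# 2) Which installers in the (placeholder) download folder are signed under it?
Get-ChildItem 'C:\Users\Public\Downloads\*.exe' -ErrorAction SilentlyContinue |
    Where-Object { Test-SignatureChainsToRogueRoot -Path $_.FullName } |
    Select-Object FullName
```

Run it from an elevated prompt so the LocalMachine stores are readable; a hit from Find-RogueRoot is the condition the post describes, and any file flagged by the second check warrants quarantine and further analysis.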
Both Google and Microsoft security were notified.
Edit 1: There are unconfirmed reports of a second certificate, mostly similar to the above but with a different thumbprint.