Comodo continues to issue certificates to known Malware

I was following up on a list of malware sites posted on Dancho Danchev’s Blog and yet again I find Comodo issuing certificates to these Malware writers. The reason I say again is I was given a “secret” email address at Comodo a while back to report these culprits … however I was asked to keep it quiet.

As you can see my Antivirus detects the download as malicious and breaks the connection … however when I click the “Buy” button what do I find? You guessed it … a certificate issued by Comodo … don’t these people check out anyone?

Several other sites mentioned in the list are using (76.76.103.163) secure.a5bill. com
[Issuer]
  CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB

[Serial Number]
  00B33E45471F5FDF745564B85336A50AA3
————————————————

“secure.a5bill.com” is hosted on the same IP as the following, and all the downloads are detected as Win32/Adware.CoreguardAntivirus:
coreguard-antivirus. com
guardlab2009. biz
guardlab2009. net
guardlab2009. com (Google Diagnostic report)

Some of the others on the above list are using:
fullguardlab. com
== Server Certificate ==========
[Subject]
  CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00912B6C954BB5BEA83000C4599B9A5C13

bitcoreguard. com
== Server Certificate ==========
[Subject]
  CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00912B6C954BB5BEA83000C4599B9A5C13
————————————————-

So this got me to thinking … a while back (04-21-09) I reported to Comodo via their secret address a list of sites distributing malicious software … although I never received a reply as I did when I reported “Conficker systems being updated with SpywareProtect2009” which Comodo had issued a certificate to.

Anyway … I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report …

rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:

secure.xsoftstore. com

== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C6AC84946462C7F3EADC5565AE3156A4
[Not Before]
  1/27/2009 7:00:00 PM
[Not After]
  4/28/2009 7:59:59 PM <-- notice the expiration date

I just revisited rapid-antivirus2009. com and Comodo issued them a new certificate …

== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
  4/29/2009 8:00:00 PM
[Not After]
  7/29/2009 7:59:59 PM
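
The re-issuance visible in the two dumps above can be checked mechanically. The following Python is an added example, not part of the original post: it parses the `[Field]` dump format shown here and reports cases where the same issuer certified the same subject again under a new serial after the earlier certificate expired. The names `parse` and `reissued` are made up for this example.

```python
from datetime import datetime

# The two secure.xsoftstore.com dumps from this post (the "notice" annotation is left out).
DUMPS = """\
== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C6AC84946462C7F3EADC5565AE3156A4
[Not Before]
  1/27/2009 7:00:00 PM
[Not After]
  4/28/2009 7:59:59 PM
== Server Certificate ==========
[Subject]
  CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
  CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
  00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
  4/29/2009 8:00:00 PM
[Not After]
  7/29/2009 7:59:59 PM
"""

def parse(text):
    """One dict per '== Server Certificate' block; a '[Field]' line names the value below it."""
    certs, field = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("== Server Certificate"):
            certs.append({})
        elif line.startswith("[") and line.endswith("]"):
            field = line[1:-1]
        elif certs and field:
            is_date = field in ("Not Before", "Not After")
            certs[-1][field] = datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p") if is_date else line
            field = None
    return certs

def reissued(certs):
    """(old serial, new serial, gap) where an issuer re-certified a subject after the old cert expired."""
    dated = [c for c in certs if "Not Before" in c and "Not After" in c]  # skip dumps without dates
    dated.sort(key=lambda c: (c["Subject"], c["Issuer"], c["Not Before"]))
    return [(a["Serial Number"], b["Serial Number"], b["Not Before"] - a["Not After"])
            for a, b in zip(dated, dated[1:])
            if (a["Subject"], a["Issuer"]) == (b["Subject"], b["Issuer"])
            and a["Serial Number"] != b["Serial Number"] and b["Not Before"] > a["Not After"]]
```

`reissued(parse(DUMPS))` returns one entry pairing the two serials, with a gap of one day and one second between the old expiry and the new start.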

Comodo is supposed to be one of the good-guys … and they even describe themselves as “Internet security software products including SSL certificates and Free Firewall Antivirus software among others from Comodo, a leading global trust provider” … however I have been reporting on them since the WinFixer days and it seems it just falls on deaf ears … and now that they bundle the Ask Toolbar it really makes you wonder …


