Comodo continues to issue certificates to known Malware
I was following up on a list of malware sites posted on Dancho Danchev's Blog and yet again I find Comodo issuing certificates to these malware writers. The reason I say "again" is that I was given a "secret" email address at Comodo a while back to report these culprits ... however I was asked to keep it quiet.

As you can see, my antivirus detects the download as malicious and breaks the connection ... however when I click the "Buy" button what do I find? You guessed it ... a certificate issued by Comodo ... don't these people check out anyone?

Several other sites mentioned in the list are using (76.76.103.163) secure.a5bill. com:
[Issuer]
CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00B33E45471F5FDF745564B85336A50AA3
------------------------------------------------
"secure.a5bill.com" is hosted on the same IP as the following, and all the downloads are detected as Win32/Adware.CoreguardAntivirus:
coreguard-antivirus. com
guardlab2009. biz
guardlab2009. net
guardlab2009. com (Google Diagnostic report)
Some of the others on the above list are using:
fullguardlab. com
== Server Certificate ==========
[Subject]
CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00912B6C954BB5BEA83000C4599B9A5C13
bitcoreguard. com
== Server Certificate ==========
[Subject]
CN=fullguardlab. com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00912B6C954BB5BEA83000C4599B9A5C13
-------------------------------------------------
So this got me to thinking ... a while back (04-21-09) I reported to Comodo via their secret address a list of sites distributing malicious software ... although I never received a reply as I did when I reported "Conficker systems being updated with SpywareProtect2009" which Comodo had issued a certificate to.
Anyway ... I went back and checked the sites I last reported and it seems Comodo has decided to ignore my report ...
rapid-antivir-2009. com
rapid-antivir2009. com
rapid-antivirus2009. com = all redirect to:
secure.xsoftstore. com
== Server Certificate ==========
[Subject]
CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00C6AC84946462C7F3EADC5565AE3156A4
[Not Before]
1/27/2009 7:00:00 PM
[Not After]
4/28/2009 7:59:59 PM <-- notice the expiration Date
I just revisited rapid-antivirus2009. com and Comodo issued them a new certificate ...
== Server Certificate ==========
[Subject]
CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
4/29/2009 8:00:00 PM
[Not After]
7/29/2009 7:59:59 PM
Comodo is supposed to be one of the good-guys ... and they even describe themselves as "Internet security software products including SSL certificates and Free Firewall Antivirus software among others from Comodo, a leading global trust provider" ... however I have been reporting on them since the WinFixer days and it seems it just falls on deaf ears ... and now that they bundle the Ask Toolbar it really makes you wonder ...
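
An added example (not part of the original post): a small Python parser for the certificate dump format used above, run over the two secure.xsoftstore.com dumps to flag a subject that received a fresh certificate right after the old one expired and after an abuse report was filed. The function names are this example's own, and the report date 04-21-09 is assumed to mean 21 April 2009.

```python
from datetime import datetime, timedelta
# The two secure.xsoftstore.com dumps, copied from the post as plain text.
DUMPS = """\
== Server Certificate ==========
[Subject]
CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00C6AC84946462C7F3EADC5565AE3156A4
[Not Before]
1/27/2009 7:00:00 PM
[Not After]
4/28/2009 7:59:59 PM <-- notice the expiration Date
== Server Certificate ==========
[Subject]
CN=secure.xsoftstore.com, OU=Free SSL, OU=Hosted by LiderTelecom LTD, OU=Domain Control Validated
[Issuer]
CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
00C2ECCD1FEFB7508CA5D7ADB6E405E192
[Not Before]
4/29/2009 8:00:00 PM
[Not After]
7/29/2009 7:59:59 PM
"""

def parse_dumps(text):
    """One dict per certificate from the '[Field]' / value-on-next-line format."""
    certs, field = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("=="):
            certs.append({})
        elif line.startswith("["):
            field = line.strip("[]")
        elif line and field and certs:
            value = line.split("<--")[0].strip()  # drop the inline annotation
            if field.startswith("Not "):
                value = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")
            certs[-1][field], field = value, None
    return certs

def find_reissues(certs, reported_on, gap=timedelta(days=2)):
    """Serial pairs re-issued after reported_on (post's 04-21-09 read as 2009-04-21)."""
    return [(old["Serial Number"], new["Serial Number"])
            for old in certs for new in certs
            if new["Subject"] == old["Subject"]
            and new["Serial Number"] != old["Serial Number"]
            and new["Not Before"] > reported_on
            and timedelta(0) <= new["Not Before"] - old["Not After"] <= gap]
```

Calling find_reissues(parse_dumps(DUMPS), datetime(2009, 4, 21)) returns the old and new serial numbers as one pair, since the second certificate starts one day after the first one lapsed.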