[cryptography] How are expired code-signing certs revoked?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Dec 8 23:27:32 EST 2011


<dan at geer.org> writes:

>One would assume that the effort to get such a signing certificate would 
>persuade the bad team to use that cert for targeted attacks, not broadcast 
>ones, in which case you would be damned lucky to find it in a place where you
>could then encapsulate it in a signature-based protection scheme.

My post was based on data gathered by a well-known anti-malware company; I'm 
just reporting what they found in real-world use.

In any case, getting signing certs really isn't hard at all.  I once managed it 
in under a minute (knowing which Google search term to enter to find caches of 
Zeus stolen keys helps :-).  That's as an outsider; if you're working inside 
the malware ecosystem you'd probably get them in bulk from whoever's dealing 
in them (single botnets have been reported with thousands of stolen keys and 
certs in their data stores, so it's not like the bad guys are going to run out 
of them in a hurry).

Unlike credit cards and bank accounts and whatnot, we don't have price figures 
for stolen certs, but I suspect it's not that much.

Peter.