[cryptography] Digitally-signed malware

Marsh Ray marsh at extendedsubset.com
Wed Jun 22 11:04:56 EDT 2011

On 06/22/2011 09:40 AM, Steven Bellovin wrote:
> http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
> Not surprising to most readers of this list, I suspect...

The interesting thing is that code signing schemes have been around for 
decades but 2010 is the first time malware even bothered to steal 
signing keys. :-)

What happens if the bad guy just strips the signature? What are the 
circumstances under which an OS or user+OS will refuse to run code that 
just isn't signed at all?

64-bit drivers for Windows Vista and later. Some locked down "walled 
garden" environments, almost always jail-breakable in practice.

When does the name of the party that signed it actually matter?
What if the bad guy signs the malware with some unrelated party's cert?

When any valid signature will do, the effective security provided by the 
code signing scheme decreases exponentially with the total number of 
signing certificates issued. MSIE displays the name to the user when 
prompting to run ActiveX controls. The user is expected to be able to 
determine if the name on the control is correct and refuse to run it if not.

Even if the correct party is required to have signed the code, the bad 
guy can commonly redistribute an older (properly signed) version with a 
security hole which he then exploits. Thus revocation is even more 
critical than with identity certificates.

Code signing. Occasionally useful.

- Marsh
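The three cases the post walks through (a stripped signature, a valid signature from an unrelated party's key, and a genuinely signed older build with a known hole) as a worked example. This is added code, not part of Marsh Ray's message or of any real loader: it uses Ed25519 from Go's standard library as a stand-in for X.509/Authenticode, the two-publisher trust store and the artifacts are constructed inline, and the version floor in the third policy is an assumption of the example (the post only says revocation matters more), included because key revocation alone cannot distinguish an old signed build from the current one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Artifact is a constructed stand-in for a signed executable: the code bytes,
// a version the publisher stamps into the signed data, the signer's public key
// shipped inside the file (as an Authenticode signature ships its certificate),
// and the signature itself.
type Artifact struct {
	Code      []byte
	Version   uint32
	SignerKey ed25519.PublicKey // nil once the signature has been stripped
	Sig       []byte
}

// signedMessage binds the version to the code so an old binary cannot simply
// be re-labelled as a newer one.
func signedMessage(code []byte, version uint32) []byte {
	msg := make([]byte, 4, 4+len(code))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, code...)
}

// Sign produces an artifact the way a publisher's build pipeline would.
func Sign(priv ed25519.PrivateKey, code []byte, version uint32) Artifact {
	return Artifact{Code: code, Version: version,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(priv, signedMessage(code, version))}
}

// StripSignature models the attacker who just removes the signature.
func StripSignature(a Artifact) Artifact {
	a.SignerKey, a.Sig = nil, nil
	return a
}

// sigValid checks only that the signature is mathematically correct for the
// key shipped with the artifact; it says nothing about whose key that is.
func sigValid(a Artifact) bool {
	return len(a.SignerKey) == ed25519.PublicKeySize &&
		ed25519.Verify(a.SignerKey, signedMessage(a.Code, a.Version), a.Sig)
}

// AcceptAnyTrustedSigner is the "any valid signature will do" policy. Every
// key in the store is one more key whose theft satisfies the check.
func AcceptAnyTrustedSigner(a Artifact, trusted []ed25519.PublicKey) bool {
	if !sigValid(a) {
		return false
	}
	for _, k := range trusted {
		if k.Equal(a.SignerKey) {
			return true
		}
	}
	return false
}

// AcceptExpectedSigner pins the one publisher this program should come from,
// so a valid signature from an unrelated key is refused.
func AcceptExpectedSigner(a Artifact, expected ed25519.PublicKey) bool {
	return sigValid(a) && expected.Equal(a.SignerKey)
}

// AcceptCurrentFromExpectedSigner adds a revocation list for compromised keys
// and a version floor (assumed here) so a properly signed old build with a
// known hole is not accepted either.
func AcceptCurrentFromExpectedSigner(a Artifact, expected ed25519.PublicKey,
	minVersion uint32, revoked map[string]bool) bool {
	if !AcceptExpectedSigner(a, expected) || revoked[string(a.SignerKey)] {
		return false
	}
	return a.Version >= minVersion
}

// Results records each policy's verdict on the scenarios from the post.
type Results struct {
	GenuineAny, GenuineExpected, GenuineCurrent bool
	StrippedAny, StrippedExpected               bool
	UnrelatedAny, UnrelatedExpected             bool
	OldAny, OldExpected, OldCurrent             bool
	GenuineAfterRevocation                      bool
}

// RunScenarios builds the constructed inputs: two trusted publishers A and B,
// where only A is the publisher our program is supposed to come from.
func RunScenarios() Results {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []ed25519.PublicKey{pubA, pubB}
	const minVersion = 2
	none := map[string]bool{}
	genuine := Sign(privA, []byte("good build v2"), 2)
	old := Sign(privA, []byte("v1 with the hole"), 1) // real A signature, old code
	unrelated := Sign(privB, []byte("malware"), 2)     // valid signature, wrong publisher
	stripped := StripSignature(genuine)
	return Results{
		GenuineAny: AcceptAnyTrustedSigner(genuine, trusted), GenuineExpected: AcceptExpectedSigner(genuine, pubA),
		GenuineCurrent: AcceptCurrentFromExpectedSigner(genuine, pubA, minVersion, none),
		StrippedAny: AcceptAnyTrustedSigner(stripped, trusted), StrippedExpected: AcceptExpectedSigner(stripped, pubA),
		UnrelatedAny: AcceptAnyTrustedSigner(unrelated, trusted), UnrelatedExpected: AcceptExpectedSigner(unrelated, pubA),
		OldAny: AcceptAnyTrustedSigner(old, trusted), OldExpected: AcceptExpectedSigner(old, pubA),
		OldCurrent: AcceptCurrentFromExpectedSigner(old, pubA, minVersion, none),
		GenuineAfterRevocation: AcceptCurrentFromExpectedSigner(genuine, pubA, minVersion,
			map[string]bool{string(pubA): true}),
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

The stripped artifact fails every policy here only because these verifiers require a signature; whether unsigned code runs at all is the platform's decision, which is the post's first point. The unrelated publisher's signature is the difference between the first two policies, and the old build is the difference between the second and third.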
