[cryptography] Digitally-signed malware

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jun 22 11:22:59 EDT 2011

Marsh Ray <marsh at extendedsubset.com> writes:
>On 06/22/2011 09:40 AM, Steven Bellovin wrote:
>> http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
>> Not surprising to most readers of this list, I suspect...
>The interesting thing is that code signing schemes have been around for
>decades but 2010 is the first time malware even bothered to steal signing
>keys. :-)

Just to split hairs, malware has stolen signing keys for years, but it's only
in the last few years that malware vendors have started using them.  It's also
been evolving for a while, see Jarno Niemelä's blog at F-Secure for more on
this, or his summary "It's Signed, therefore it's Clean, right?" from last
year's CARO workshop.

>What happens if the bad guy just strips the signature?  [...]

See Jarno's talk on some of the techniques that the bad guys have used over

>MSIE displays the name to the user when prompting to run ActiveX controls.

Yup, names like "Trusted program" and "Click OK to continue" and "Approved by
Microsft" and the like.  In the 1980s people used to create zip files with
names like "CON:" in them for a joke, two decades later the same types of
trick still work just fine.
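An added example, not part of Gutmann's or Ray's messages, showing the defender-side consequence of the two points above: a binary whose signature has been stripped must fail closed, and the signer's display name (the string a prompt like MSIE's shows the user) must never be the thing that decides trust. It uses the built-in `Get-AuthenticodeSignature` cmdlet; the function name `Test-PinnedSignature`, the placeholder thumbprint list and the word list used to flag instruction-like names are assumptions chosen for this example.

```powershell
# Added example (not from the mailing-list thread): trust a binary only on a
# valid Authenticode signature from a pinned signer certificate, never on the
# name the certificate displays.

# Assumption: the operator replaces this placeholder with the SHA-1
# thumbprints of the signing certificates they have actually vetted.
$PinnedSignerThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-A-VETTED-SIGNER'
)

# Assumption: words that mark a display name written to manipulate the user
# ("Trusted program", "Click OK to continue", "Approved by Microsft").
$InstructionLikeWords = '(?i)\b(click|ok|continue|trusted|approved|safe)\b'

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # A stripped, tampered or untrusted-chain signature fails closed.  A file
    # with no signature at all reports Status 'NotSigned' and lands here too.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "signature status is '$($sig.Status)', not Valid"
        }
    }

    $cert    = $sig.SignerCertificate
    $subject = $cert.Subject

    # Identity is pinned on the certificate thumbprint.  A stolen key signs
    # whatever name the thief chooses, so a valid signature alone proves only
    # that someone held the key, not that the named publisher did.
    if ($PinnedSignerThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "valid signature, but signer '$subject' " +
                      "(thumbprint $($cert.Thumbprint)) is not pinned"
        }
    }

    # Even a pinned signer gets a second look if its display name reads like
    # an instruction to the user rather than a publisher name; that is worth
    # surfacing to whoever maintains the pin list.
    $warning = $null
    if ($subject -match $InstructionLikeWords) {
        $warning = "display name '$subject' reads like a prompt, review the pin"
    }

    return [pscustomobject]@{
        Path    = $Path
        Trusted = $true
        Reason  = "valid signature from pinned signer '$subject'"
        Warning = $warning
    }
}

# Usage: run over a directory of downloaded installers and list the verdicts.
# Get-ChildItem -Path 'C:\Downloads' -Filter '*.exe' |
#     ForEach-Object { Test-PinnedSignature -Path $_.FullName } |
#     Format-Table Path, Trusted, Reason, Warning -AutoSize
```

The check deliberately reports a reason string rather than just a boolean, so that a "NotSigned" verdict (signature stripped) and a "not pinned" verdict (signed with a key you never vetted, possibly a stolen one) are distinguishable in logs; both are blocked, but they point at different follow-up work.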
