[cryptography] Digitally-signed malware
arshad.noor at strongauth.com
Wed Jun 22 11:10:04 EDT 2011
On 06/22/2011 08:04 AM, Marsh Ray wrote:
> On 06/22/2011 09:40 AM, Steven Bellovin wrote:
>> Not surprising to most readers of this list, I suspect...
> The interesting thing is that code signing schemes have been around for
> decades but 2010 is the first time malware even bothered to steal
> signing keys. :-)
Not true; an attack on VeriSign in 2000 caused them to issue two Class-3
digital certificates in the name of Microsoft. The perpetrators were
never caught and to this day, Windows ships with a specific CRL that
identifies these two certificates - you'll find them in your cert trust-
There have been other private-key thefts since 2000, but the VeriSign
attack is the earliest I can recall in my PKI-related career.
More information about the cryptography