[cryptography] Digitally-signed malware

Arshad Noor arshad.noor at strongauth.com
Wed Jun 22 11:10:04 EDT 2011


On 06/22/2011 08:04 AM, Marsh Ray wrote:
> On 06/22/2011 09:40 AM, Steven Bellovin wrote:
>> http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
>>
>>
>> Not surprising to most readers of this list, I suspect...
>
> The interesting thing is that code signing schemes have been around for
> decades but 2010 is the first time malware even bothered to steal
> signing keys. :-)
>

Not true; an attack on VeriSign in 2000 caused them to issue two Class-3
digital certificates in the name of Microsoft.  The perpetrators were
never caught and to this day, Windows ships with a specific CRL that
identifies these two certificates - you'll find them in your cert trust-
store:

http://support.microsoft.com/kb/293818

There have been other private-key thefts since 2000, but the VeriSign
attack is the earliest I can recall in my PKI-related career.

Arshad Noor
StrongAuth, Inc.


