[cryptography] Digitally-signed malware

Tom Ritter tom at ritter.vg
Wed Jun 22 15:52:45 EDT 2011

> What happens if the bad guy just strips the signature? What are the
> circumstances under which an OS or user+OS will refuse to run code that just
> isn't signed at all?

In the case of Microsoft ClickOnce, the Install Dialog is changed from
"Publisher: Discount Bob's Software & Hanggliding" to "Publisher:
Unknown Publisher" and the icon from a yellow shield to a red shield.
I took a look at Man-in-the-Middling ClickOnce deployments last
summer. Stripped the signature, decompiled to IL, injected code, and
recompiled all as part of a transparent proxy.

A similar project is Evilgrade:
although that's a framework for targeting different applications, each
one possibly behaving differently.