[cryptography] Digitally-signed malware
tom at ritter.vg
Wed Jun 22 15:52:45 EDT 2011
> What happens if the bad guy just strips the signature? What are the
> circumstances under which an OS or user+OS will refuse to run code that just
> isn't signed at all?
In the case of Microsoft ClickOnce, the install dialog is changed from
"Publisher: Discount Bob's Software & Hanggliding" to "Publisher:
Unknown Publisher" and the icon from a yellow shield to a red shield.
I took a look at Man-in-the-Middling ClickOnce deployments last
summer. I stripped the signature, decompiled to IL, injected code, and
recompiled, all as part of a transparent proxy.
A similar project is Evilgrade:
although that's a framework for targeting different applications, each
one possibly behaving differently.
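The behaviour described above is fail-open: a stripped signature degrades to an "Unknown Publisher" warning rather than a refusal. As an added example (not part of the original post), here is a deployment-side policy check in Python that parses a ClickOnce deployment manifest and refuses it unless it carries an XMLDSig Signature with an embedded certificate and an allowlisted publisher; the element names follow the ClickOnce manifest schema as assumed here, and both sample manifests are constructed with placeholder values.

```python
import xml.etree.ElementTree as ET

NS = {
    "asmv2": "urn:schemas-microsoft-com:asm.v2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_manifest(xml_text, allowed_publishers):
    """Return (accepted, reason). Refuse unless an XMLDSig Signature with an
    embedded certificate is present and publisherIdentity is allowlisted.
    Cryptographic verification is left to the platform; this layer only turns
    the cases ClickOnce merely warns about into hard refusals."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "unparseable manifest: %s" % exc
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False, "no Signature element (stripped or never signed)"
    if sig.find(".//ds:SignatureValue", NS) is None or \
       sig.find(".//ds:X509Certificate", NS) is None:
        return False, "Signature lacks SignatureValue or embedded certificate"
    pub = root.find("asmv2:publisherIdentity", NS)  # assumed ClickOnce element name
    name = pub.get("name", "") if pub is not None else ""
    if name not in allowed_publishers:
        return False, "publisher %r not on allowlist" % name
    return True, "signed manifest from allowlisted publisher %r" % name

# Constructed sample manifests (element names per the ClickOnce schema as
# assumed here; certificate and signature values are placeholders).
SIGNED = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
  xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="App.application" version="1.0.0.0" />
  <publisherIdentity name="CN=Discount Bob's Software" issuerKeyHash="PLACEHOLDER" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignatureValue>PLACEHOLDER</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
  </Signature>
</asmv1:assembly>"""
# The same manifest after the Signature and publisherIdentity elements are gone.
STRIPPED = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
  xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="App.application" version="1.0.0.0" />
</asmv1:assembly>"""

if __name__ == "__main__":
    for label, doc in (("signed", SIGNED), ("stripped", STRIPPED)):
        print(label, check_manifest(doc, {"CN=Discount Bob's Software"}))
```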