[cryptography] 512-bit certs used in attack

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Nov 28 06:13:55 EST 2011

Marsh Ray <marsh at extendedsubset.com> writes:
>On 11/27/2011 09:57 PM, Peter Gutmann wrote:
>> Unfortunately this doesn't explain how they go the 1024-bit and
>> longer keys that were also used in the attack.
>Is that true? I haven't seen this reported. Link?

Off-list :-).  Oh, wait a minute, there's at least an indirect reference on a
public page at http://www.f-secure.com/weblog/archives/00002269.html:

  The malware downloads additional malicious components from a server called
  worldnewsmagazines.org. Some of those components are also signed, although
  this time by an entity called www.esupplychain.com.tw.

Those were again 512-bit certs though, in fact the Fox-IT article is rather
confusing in this regard, it lists the following:

    * lfxsys.lfx.com.my (Digicert Sdn. Bhd.)
    * webmail.jaring.my (Digicert Sdn. Bhd.)
    * mcrs2.digicert.com.my (Digicert Sdn. Bhd.)
    * ad-idmapp.cityofbristol.ac.uk (Cybertrust)
    * stfmail.ccn.ac.uk (Cybertrust)
    * skillsforge.londonmet.ac.uk (Cybertrust)
    * agreement.syniverse.com (GlobalSign Inc)
    * www.esupplychain.com.tw (TAIWAN-CA.COM Inc.)
    * ahi.anthem.com (Anthem Inc)

as "certificates we found to be used in the wild recently" (presumably as part 
of the attack), but only three of the nine are from Digicert.  Since Digicert 
was cross-certified by a key formerly belonging to GTE Cybertrust I could see 
the "Cybertrust" listed above as possibly being more DigiCert (but why would 
the UK government be buying certs from them?), but if that list is of 512-bit 
certs then it also means that GlobalSign (major public CA), as well as two 
others, Taiwan-CA (lesser-known public CA... hey, were you aware that your 
browser implicitly trusts these guys?) and Anthem (unknown, presumably one of 
the vast number of sub-CAs that no-one knows exist), were also issuing 512-bit 
certs used to sign malware.  I wonder when we'll see Cybertrust and GlobalSign 
and Taiwan-CA get their CA certs pulled?

The Fox-IT article then goes on to say "we can find two certificates in there
which we know that have been abused"... what happened to the nine certs above?

>Possibly this is built on some assumptions, but its seems to be the simplest
>explanation for the data. I.e., how many ways are there for an attacker with
>the goal of stealing certs to use in an attack and end up getting caught with
>nine 512 bit ones?

I agree that that makes it a bit unlikely, although "hosted in the same data
centre/vhosted on the same server" would be one easy explanation (the Jaring
webmail and Digicert servers are on the same AS, indicating they're
potentially in the same data centre, but then the other one isn't).  There's
also the Fox-IT comment for one of the certs, "why would the attackers go
through great lengths of factoring the RSA key and using it to sign their
executables, if it did not pass verification?".  Having said that, if the
above is indeed accurate (and that depends on how you interpret the info in
the Fox-IT article), that a number of different CAs all issued 512-bit certs
and they were all compromised, then it does look like they were obtained by
factorisation.  It's quite an illogical attack vector though, given how easy
it is to get full-strength dedicated code-signing certs the standard way...

I think I'll contact the Fox-IT person who wrote the article for
clarification, it's kinda hard to figure out who was responsible for which
compromised certs and which ones were actually used in the attack.  I'll
post any info I get back here.


More information about the cryptography mailing list