[cryptography] Microsoft Sub-CA used in malware signing

Ben Laurie ben at links.org
Mon Jun 11 05:06:16 EDT 2012


On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams <nico at cryptonector.com> wrote:
> On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
>> * Marsh Ray:
>>
>>> Marc Stevens and B.M.M. de Weger (of
>>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the
>>> collision in the evil CN=MS cert. I'm sure they'll have a full report
>>> at some point. Until then, they have said this:
>>
>>>> [We] have confirmed that flame uses a yet unknown md5 chosen-prefix
>>>> collision attack.
>>
>> Does this mean they've seen the original certificate in addition to
>> the evil twin?
>
> The evil twin has the nasty bits[*] in the issuerUniqueID field, which
> is weird, and the ID is not one likely to be generated by any CA.
> Would the original have it??  I don't see why the TS CA would have
> issued certs with issuerUniqueIDs under any circumstances, which is
> why it's interesting the the evil twin had any evil bits.

Surely the whole point is that the collision is used to switch
<something> to issuerUniqueID in order to hide the stuff that would've
stopped the cert from working. I haven't looked, but I'm prepared to
bet it would not be hard to figure out what the original cert must
have looked like.

Has anyone got the evil cert as a binary? I could probably reconstruct
it from the bazillion dumps out there, but I can't be bothered.

>
> [*] Marsh calls these bits a "tumor".  I don't think there's a good
> analogy in biology, but for my money the analogy that comes closest is
> "prion" (misfolded proteins, which in the most well-known case beget
> more protein misfolding, which is why prions are not a perfect analog
> for these evil bits).
>
> Nico
> --
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography



More information about the cryptography mailing list