Adam Shostack <[email protected]> writes:

>I'd be ecstatic with a frequency analysis that I could show to people.

This always happens right after you hit ^D... it turns out that Microsoft actually has published figures for this, although it's fairly recent so I hadn't seen it before now:

http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx

... approximately 135,000 validly signed malware files were reported to Microsoft [there were 173K files in total, but 38K were expired/revoked/whatever]. Of signed detected files, severity of the threats tended to be high or severe, with low and moderate threats comprising a much smaller number of files.

Going directly to the source gets you much better stats than talking to malware researchers at conferences :-). "High" and "severe" typically means 0day rootkit-type exploits, so that's scary stuff, particularly since that's only malware reported to MS and not all the malware that's out there. Hmm, I wonder if it's just coincidence that the malware authors only bother signing the most effective/vicious malware to ensure a good success rate, and for the less effective ones they just leave them as is?

Another interesting figure:

valid code signing certificates were reported on over 1.78 million distinct non-malicious files to the MMPC

So from Microsoft's figures it looks like roughly every tenth signed file is active (i.e. non-revoked/expired/whatever) malware. Ouch!

Peter (so what we need now is EV certs for code-signing. Yeah, that'll fix it).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
