Zeus malware used pilfered digital certificate
http://www.computerworld.com/s/article/9180259/Zeus_malware_used_pilfered_digital_certificate

Zeus Malware Used Pilfered Digital Certificate
http://www.pcworld.com/businesscenter/article/202720/zeus_malware_used_pilfered_digital_certificate.html

& Zeus malware used pilfered digital certificate
http://www.networkworld.com/news/2010/080610-zeus-malware-used-pilfered-digital.html

from above:

The version of Zeus detected by Trend Micro had a digital certificate belonging to Kaspersky's Zbot product, which is designed to remove Zeus. The certificate -- which is verified during a software installation to ensure a program is what it purports to be -- was expired, however.

... snip ...

Certificate Snatching—ZeuS Copies Kaspersky’s Digital Signature
http://blog.trendmicro.com/certificate-snatching-zeus-copies-kasperskys-digital-signature/

... there was another scenario of certificate-copying (& dual-use vulnerability) discussed in this group a while ago. The PKI/certificate bloated payment specification had floated the idea that when payment was done with their protocol, dispute burden-of-proof would be switched & placed on the consumer (from the current situation where burden-of-proof is on the merchant/institution; this would be a hit to "REG-E" ... and also apparently what has happened in the UK with the hardware token point-of-sale deployment). However, supposedly for this to be active, the payment transaction needed a consumer-appended digital certificate that indicated they were accepting dispute burden-of-proof.

The issue was whether the merchant could reference some public repository and replace the digital certificate appended by the consumer ... with some other digital certificate for the same public key (possibly a digital certificate actually obtained by the consumer for that public key at some time in the past ... or an erroneous digital certificate produced by a sloppy Certification Authority that didn't adequately perform a check for the applicant's possession of the corresponding private key).

Of course, since the heavily bloated PKI/certificate payment specification performed all PKI-ops at the internet boundary ... and then passed a normal payment transaction with just a flag claiming that PKI-checking had passed ... they might not need to even go that far. There were already stats on payment transactions coming through with the flag on ... and they could prove no corresponding PKI-checking had actually occurred. With the burden-of-proof on the consumer ... the merchant might not even have to produce evidence that the appended digital certificates had been switched.

--
virtualization experience starting Jan1968, online at home since Mar1970

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
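The certificate-switching scenario from the post, worked through as an added example (not code from the post or from any payment specification): a transaction signed with the consumer's key verifies just as well under any other certificate carrying the same public key, unless the signer also hashes the appended certificate into the signed data. Assumptions: ECDSA P-256, two self-signed certificates standing in for CA-issued ones, a binding scheme that simply hashes the certificate's SHA-256 fingerprint together with the transaction, and a constructed sample payment record.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert self-signs a certificate for priv's public key; two calls with different subjects give two certificates for one key.
func makeCert(priv *ecdsa.PrivateKey, cn string, serial int64) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv); if err != nil { panic(err) }
	return der
}

// digest hashes the transaction and, when certDER is non-nil, the appended certificate's fingerprint (assumed binding scheme).
func digest(tx, certDER []byte) []byte {
	h := sha256.New(); h.Write(tx)
	if certDER != nil { fp := sha256.Sum256(certDER); h.Write(fp[:]) }
	return h.Sum(nil)
}

// verify checks sig over tx with the public key of the appended certificate; bind is the certificate the signer was expected to cover (nil for the unbound scheme).
func verify(certDER, tx, sig, bind []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return false }
	return ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest(tx, bind), sig)
}

// Demo signs a constructed payment record under the consumer's "accepts burden-of-proof" certificate, then swaps in an
// older certificate for the same key and reports whether the unbound and the certificate-bound signatures still verify.
func Demo() (unboundSwapOK, boundSwapOK bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); if err != nil { panic(err) }
	liability := makeCert(priv, "consumer: accepts dispute burden-of-proof", 1)
	older := makeCert(priv, "consumer: plain identity certificate", 2)
	tx := []byte("pay merchant 42.00 USD ref 0001") // constructed sample record
	sig1, _ := ecdsa.SignASN1(rand.Reader, priv, digest(tx, nil))
	sig2, _ := ecdsa.SignASN1(rand.Reader, priv, digest(tx, liability))
	return verify(older, tx, sig1, nil), verify(older, tx, sig2, older)
}

func main() { fmt.Println(Demo()) } // prints: true false
```

The unbound signature still verifies after the merchant swaps the certificate, which is exactly why the signer must commit to the certificate it intends to be judged by.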