Zeus malware used pilfered digital certificate

from above:

The version of Zeus detected by Trend Micro had a digital certificate belonging
to Kaspersky's Zbot product, which is designed to remove Zeus. The certificate --
which is verified during a software installation to ensure a program is what it
purports to be -- was expired, however.

... snip ...

Certificate Snatching—ZeuS Copies Kaspersky’s Digital Signature


There was another scenario of certificate-copying (& dual-use vulnerability)
discussed in this group a while ago. The PKI/certificate bloated payment
specification had floated the idea that when payment was done with their
protocol, dispute burden-of-proof would be switched & placed on the consumer
(from the current situation where burden-of-proof is on the
this would be a hit to "REG-E" ... and also apparently what has happened in the
UK with the hardware token point-of-sale deployment).

However, supposedly for this to be active, the payment transaction needed an
appended digital certificate that indicated they were accepting dispute
burden-of-proof. The issue was whether the merchant could reference some
public repository and replace the digital certificate appended by the
consumer ... with some other digital certificate for the same public key
(possibly a digital certificate actually obtained by the consumer for that
public key at some time in the past ... or an erroneous digital certificate
produced by a sloppy Certification Authority that didn't adequately perform
checks for the applicant's possession of the corresponding private key).

Of course, since the heavily bloated PKI/certificate payment specification
performed all PKI-ops at the internet boundary ... and then passed
a normal payment transaction with just a flag claiming that PKI-checking
had passed ... they might not need to even go that far. There
were already stats on payment transactions coming through with the flag
on ... and they could prove no corresponding PKI-checking had actually
occurred. With the burden-of-proof on the consumer ... the merchant might
not even have to produce evidence that the appended digital certificates
had been switched.

virtualization experience starting Jan1968, online at home since Mar1970

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
