Marsh Ray <[email protected]> writes:

>On 06/22/2011 09:40 AM, Steven Bellovin wrote:
>> http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
>>
>> Not surprising to most readers of this list, I suspect...
>
>The interesting thing is that code signing schemes have been around for
>decades but 2010 is the first time malware even bothered to steal signing
>keys. :-)

Just to split hairs, malware has stolen signing keys for years, but it's only
in the last few years that malware vendors have started using them. It's also
been evolving for a while, see Jarno Niemelä's blog at F-Secure for more on
this, or his summary "It's Signed, therefore it's Clean, right?" from last
year's CARO workshop.

>What happens if the bad guy just strips the signature? [...]

See Jarno's talk on some of the techniques that the bad guys have used over
time.

>MSIE displays the name to the user when prompting to run ActiveX controls.

Yup, names like "Trusted program" and "Click OK to continue" and "Approved by
Microsft" and the like. In the 1980s people used to create zip files with
names like "CON:" in them for a joke, two decades later the same types of
trick still work just fine.

Peter.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
