Marsh Ray <[email protected]> writes: >On 11/27/2011 09:57 PM, Peter Gutmann wrote: >> Unfortunately this doesn't explain how they go the 1024-bit and >> longer keys that were also used in the attack. > >Is that true? I haven't seen this reported. Link?
Off-list :-). Oh, wait a minute, there's at least an indirect reference on a public page at http://www.f-secure.com/weblog/archives/00002269.html: The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esupplychain.com.tw. Those were again 512-bit certs though, in fact the Fox-IT article is rather confusing in this regard, it lists the following: * lfxsys.lfx.com.my (Digicert Sdn. Bhd.) * webmail.jaring.my (Digicert Sdn. Bhd.) * mcrs2.digicert.com.my (Digicert Sdn. Bhd.) * ad-idmapp.cityofbristol.ac.uk (Cybertrust) * stfmail.ccn.ac.uk (Cybertrust) * skillsforge.londonmet.ac.uk (Cybertrust) * agreement.syniverse.com (GlobalSign Inc) * www.esupplychain.com.tw (TAIWAN-CA.COM Inc.) * ahi.anthem.com (Anthem Inc) as "certificates we found to be used in the wild recently" (presumably as part of the attack), but only three of the nine are from Digicert. Since Digicert was cross-certified by a key formerly belonging to GTE Cybertrust I could see the "Cybertrust" listed above as possibly being more DigiCert (but why would the UK government be buying certs from them?), but if that list is of 512-bit certs then it also means that GlobalSign (major public CA), as well as two others, Taiwan-CA (lesser-known public CA... hey, were you aware that your browser implicitly trusts these guys?) and Anthem (unknown, presumably one of the vast number of sub-CAs that no-one knows exist), were also issuing 512-bit certs used to sign malware. I wonder when we'll see Cybertrust and GlobalSign and Taiwan-CA get their CA certs pulled? The Fox-IT article then goes on to say "we can find two certificates in there which we know that have been abused"... what happened to the nine certs above? >Possibly this is built on some assumptions, but its seems to be the simplest >explanation for the data. I.e., how many ways are there for an attacker with >the goal of stealing certs to use in an attack and end up getting caught with >nine 512 bit ones? I agree that that makes it a bit unlikely, although "hosted in the same data centre/vhosted on the same server" would be one easy explanation (the Jaring webmail and Digicert servers are on the same AS, indicating they're potentially in the same data centre, but then the other one isn't). There's also the Fox-IT comment for one of the certs, "why would the attackers go through great lengths of factoring the RSA key and using it to sign their executables, if it did not pass verification?". Having said that, if the above is indeed accurate (and that depends on how you interpret the info in the Fox-IT article), that a number of different CAs all issued 512-bit certs and they were all compromised, then it does look like they were obtained by factorisation. It's quite an illogical attack vector though, given how easy it is to get full-strength dedicated code-signing certs the standard way... I think I'll contact the Fox-IT person who wrote the article for clarification, it's kinda hard to figure out who was responsible for which compromised certs and which ones were actually used in the attack. I'll post any info I get back here. Peter. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
