<[email protected]> writes: >One would assume that the effort to get such a signing certificate would >persuade the bad team to use that cert for targeted attacks, not broadcast >ones, in which case you would be damned lucky to find it in a place where you >could then encapsulate it in a signature-based protection scheme.
My post was based on data gathered by a well-known anti-malware company, I'm just reporting what they found in real-world use. In any case getting signing certs really isn't hard at all. I once managed it in under a minute (knowing which Google search term to enter to find caches of Zeus stolen keys helps :-). That's as an outsider, if you're working inside the malware ecosystem you'd probably get them in bulk from whoever's dealing in them (single botnets have been reported with thousands of stolen keys and certs in their data stores, so it's not like the bad guys are going to run out of them in a hurry). Unlike credit cards and bank accounts and whatnot we don't have price figures for stolen certs, but I suspect it's not that much. Peter. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
