Thread: Signatures signed by Verisign

  1. #1
    zdr
    Guest

    Signatures signed by Verisign

    Hey all,

    I have noticed that some malware executables include fake certificates issued by enterprises that are trusted by VeriSign.

    Windows detects them as valid signatures.

    I wonder how they could be valid?

    Leaks, or is it possible to create fake signatures using VeriSign's PK?

    Thanks.
    Last edited by zdr; April 21st, 2006 at 00:58.

  2. #2
    You're saying you've found malware that's been code-signed using a Verisign CA as the parent?

    If that's so you should tell Verisign. They operate a strict authentication system and don't issue certificates until they've confirmed you are who you say you are. If they've issued a cert to someone being naughty then they'll revoke it.

    Windows will of course detect them as valid certificates because Verisign is in the Windows trusted root authority store by default. Start - Run - MMC - Add Snapin - Certificates - Local Machine, then "Trusted Root Certificates" - "Certificates" folder. You'll find them there.

    No, it's not possible to create "fake" code signing certs that are still trusted. That's the entire point of PKI, asymmetric encryption etc. You can of course install your own root CA, call it "Verisign" and get it to issue certs with all the same properties as the real Verisign CA's, but your certs still won't be trusted by default.

    The entire PKI system in Windows works exactly the same as it does everywhere else. The only difference is that Microsoft include certs from the major issuers by default, which saves you going to Verisign, Thawte etc and installing ("trusting") their certs manually every time you reinstall Windows.

    Little test, not recommended. Find a website that uses Verisign certs for SSL, then export and delete the Verisign certs from your local trusted authority store. Go back to the website and you'll be warned that you don't trust the cert being used for SSL.

    Fun and interesting topic, but you've got a lot of reading ahead.


    *edit*, hold on, I just re-read that. I think you mean, company A legally bought a cert from Verisign then got hacked, and someone used that cert to sign their own malicious code. In which case yes, that's perfectly possible. But you should still tell the company/Verisign because it's a serious issue - the cert has been compromised and must be revoked.
    Still here...

  3. #3
    Quote Originally Posted by Silver
    Verisign. They operate a strict authentication system and don't issue certificates until they've confirmed you are who you say you are.
    eheh, there is an interesting and funny article at m$ where Verisign released a class 3 certificate signed to micro$oft... but it wasn't micro$oft...

    Quote Originally Posted by Silver
    If they've issued a cert to someone being naughty then they'll revoke it.
    Also, as that article reports, Verisign certs (forgot if all, or just some) have/had problems with revoking (surely for the class 3 certs), so even if a cert is revoked you might not be aware of the fact.

    Regards,
    Maximus

    (ps: they are the ones that tax you 500$/year for writing device drivers for any reason on Vista)
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  4. #4
    eheh, there is an interesting and funny article at m$ where Verisign released a class 3 certificate signed to micro$oft... but it wasn't micro$oft...
    Yup, that was a famously bad move by Verisign, they got completely social-engineered. MS had to release a patch for it, IIRC.

    so even if a cert is revoked you might not be aware of the fact.
    Certificate revocation is a very weak link in the chain. The entire thing depends on the CRL being accessible at the CDP. It's also possible to orphan certificates so that the original CA isn't valid but the issued cert appears to be. Your PKI system is only as good as the processes you have to manage it...
    Still here...
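    The two things discussed above, the default trusted root store from post #2 and the CRL/CDP dependency from post #4, can be checked from PowerShell. The script below is an added example, not code from any poster in this thread; it assumes you pass the path of a signed executable in $Path, and the 'VeriSign' string is only a subject-name filter for the root listing.

```powershell
# Added example (not from the thread): list matching trusted roots, then verify an
# Authenticode signature while forcing an online revocation check of the whole chain.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                       # assumed: path to the signed executable to inspect
    [string]$RootNamePattern = 'VeriSign' # assumed: subject filter for the root store listing
)

# 1. The roots Windows trusts by default (same data the MMC Certificates snap-in shows).
Write-Host "Trusted roots matching '$RootNamePattern' in LocalMachine\Root:"
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $RootNamePattern } |
    Select-Object Thumbprint, NotAfter, Subject |
    Format-Table -AutoSize

# 2. The Authenticode signature on the file. Status is Valid, NotSigned, HashMismatch,
#    NotTrusted or UnknownError; "Valid" by itself does not tell you anything about revocation.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Signature status : $($sig.Status)"
if (-not $sig.SignerCertificate) {
    Write-Host 'No signer certificate present; nothing to chain.'
    return
}
Write-Host "Signer subject   : $($sig.SignerCertificate.Subject)"
Write-Host "Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"

# 3. Build the chain ourselves so the revocation policy is explicit: every certificate in
#    the chain must be checked online, and the chain must be valid for code signing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
[void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)

$built = $chain.Build($sig.SignerCertificate)
Write-Host "Chain builds     : $built"

# 4. Every status the chain engine raised. RevocationStatusUnknown and OfflineRevocation are
#    the "CRL not reachable at the CDP" cases: the cert was NOT confirmed good, only unchecked.
foreach ($s in $chain.ChainStatus) {
    Write-Host ("  status: {0,-28} {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# 5. Where each certificate says its CRL lives: the CRL Distribution Points extension (OID 2.5.29.31).
foreach ($el in $chain.ChainElements) {
    $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $text = if ($cdp) { $cdp.Format($false) } else { '(no CDP extension)' }
    Write-Host ("  {0}`n    CDP: {1}" -f $el.Certificate.Subject, $text)
}
$chain.Reset()
```

    Run it as `.\Check-Signature.ps1 -Path C:\some\signed.exe` (the script name is assumed). The point of step 3 is that Get-AuthenticodeSignature alone will happily report Valid when the CDP is unreachable; treating RevocationStatusUnknown or OfflineRevocation as a failure is what turns the "weak link" above into a hard check.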

  5. #5
    SiGiNT
    I encountered the same thing, although it didn't involve malware. I was the recipient of an E-mail phishing scam saying my Bank account had been suspended for suspicious activity. I clicked on the link and up popped a verrry authentic looking page complete with a Verisign cert link. I didn't investigate any further since I don't have an account with that bank, but I did look into the authenticity of the bank, and it is a real bank located in my country but not local to my area.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    Polaris
    Although I never saw malware signed by Verisign, this is an issue that is getting more and more frequent with spyware and adware... Moreover, this is bringing down verisign's credibility a lot, so they should improve the mechanism that is prior to issuing certificates...
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  7. #7
    AFAIK certificates only prove that they are who they are, not whether they write malware or not. I've seen quite a lot of signed spyware/adware too.

  8. #8
    LLXX, sure, you're absolutely right. A cert really doesn't guarantee anything about the data itself (metadata, if you like). Verisign do make good efforts to ensure only legit companies get certs. The last time I went through the purchasing process they required all sorts of legal checks to ensure I and the company I was doing it on behalf of really were who I said we were.

    There's nothing to stop someone setting up a legit company, buying a Verisign cert and passing all the checks, then signing malware with it. It's not really Verisign's fault or responsibility once the cert has been issued. It would be like holding a car dealership responsible for a crime when someone legally buys a car then uses it in a robbery.

    If a cert has been stolen and used to sign code then that's an entirely different revocation issue, which Verisign *are* responsible for.
    Still here...
