Hey all,

I have noticed that some malware executables includes fake certificates issused by enterprices that are trusted by VeriSign.

Windows detects them as a vaild signatures.

I wonder how they could be vaild?

Leaks or is it possible to create fake signatures using VeriSign PK?

Thanks.

You're saying you've found malware that's been code-signed using a Verisign CA as the parent?

If that's so you should tell Verisign. They operate a strict authentication system and don't issue certificates until they've confirmed you are who you say you are. If they've issued a cert to someone being naughty then they'll revoke it.

Windows will of course detect them as valid certificates because Verisign is in the Windows trusted root authority store by default. Start - Run - MMC - Add Snapin - Certificates - Local Machine, then "Trusted Root Certificates" - "Certificates" folder. You'll find them there.

No, it's not possible to create "fake" code signing certs that are still trusted. That's the entire point of PKI, asymmetric encryption etc. You can of course install your own root CA, call it "Verisign" and get it to issue certs will all the same properties as the real Verisign CA's, but your certs still won't be trusted by default.

The entire PKI system in Windows works exactly the same as it does everywhere else. The only difference is that Microsoft include certs from the major issuers by default, which saves you going to Verisign, Thawte etc and installing ("trusting" their certs manually every time you reinstall Windows.

Little test, not recommended . Find a website that uses Verisign certs for SSL, then export and delete the Verisign certs from your local trusted authority store. Go back to the website and you'll be warned that you don't trust the cert being used for SSL.

Fun and interesting topic, but you've got a lot of reading ahead


*edit*, hold on, I just re-read that. I think you mean, company A legally bought a cert from Verisign then got hacked, and someone used that cert to sign their own malicious code. In which case yes, that's perfectly possible. But you should still tell the company/Verisign because it's a serious issue - the cert has been compromised and must be revoked.

eheh, there is an interesting anf funny article at m$ where Verisign released a class 3 certificate signed to micro$oft... but it wasn't micro$oft...



Also, as such article reports, Verisign certs (forgot if all, or just some) has/had problems with revoking (surely for the class 3 certs), so even if a cert is revoked you might not be aware of the fact.

Regards,
Maximus

(ps: they are the ones that tax you 500$/year for writing device drivers for any reason on Vista)

Yup, that was a famously bad move by Verisign, they got completely social-engineered. MS had to release a patch for it, IIRC.



Certificate revocation is a very weak link in the chain. The entire thing depends on the CRL being accessible at the CDP. It's also possible to orphan certificates so that the original CA isn't valid but the issued cert appears to be. Your PKI system is only as good as the processes you have to manage it...

I encountered the same thing, although it didn't involve malware, I was the reipient of an E-mail phishing scam - saying my Bank account had been suspended for suspicious activity, I clicked on the link and up popped a verrry authentic looking page complete with a Verisign cert link, I didn't investigate any further since I don't have an account with that bank, I did look into the authenticity of the bank, and it is a real bank located in my country but not local to my area.

SiGiNT

Although I never saw malware signed by Verisign, this is an issue that is getting more and more frequent with spyware and adware... Moreover, this is bringing down verisign's credibility a lot, so they should improve the mechanism that is prior to issuing certificates...

AFAIK certificates only prove that they are who they are, not whether they write malware or not. I've seen quite a lot of signed spyware/adware too.

LLXX sure, you're absolutely right. A cert really doesn't guarantee anything about the data itself (metadata, if you like). Verisign do make good efforts to ensure only legit companies get certs. The last time I went through the purchasing process they required all sorts of legal checks to ensure I & the company I was doing it on behalf of really were who I said we were.

There's nothing to stop someone setting up a legit company, buying a Verisign cert and passing all the checks, then signing malware with it. It's not really Verisign's fault or responsibility once the cert has been issued. It would be like holding a car dealership responsible for a crime when someone legally buys a car then uses it in a robbery.

If a cert has been stolen and used to sign code then that's an entirely different revocation issue, which Verisign *are* responsible for.