Signatures signed by Verisign


zdr
April 21st, 2006, 00:56
Hey all,

I have noticed that some malware executables include fake certificates issued by enterprises that are trusted by VeriSign.

Windows detects them as valid signatures.

I wonder how they could be valid?

Leaks or is it possible to create fake signatures using VeriSign PK?

Thanks.

Silver
April 21st, 2006, 05:45
You're saying you've found malware that's been code-signed using a Verisign CA as the parent?

If that's so you should tell Verisign. They operate a strict authentication system and don't issue certificates until they've confirmed you are who you say you are. If they've issued a cert to someone being naughty then they'll revoke it.

Windows will of course detect them as valid certificates because Verisign is in the Windows trusted root authority store by default. Start - Run - MMC - Add Snapin - Certificates - Local Machine, then "Trusted Root Certificates" - "Certificates" folder. You'll find them there.

No, it's not possible to create "fake" code signing certs that are still trusted. That's the entire point of PKI, asymmetric encryption etc. You can of course install your own root CA, call it "Verisign" and get it to issue certs with all the same properties as the real Verisign CA's, but your certs still won't be trusted by default.

The entire PKI system in Windows works exactly the same as it does everywhere else. The only difference is that Microsoft include certs from the major issuers by default, which saves you going to Verisign, Thawte etc. and installing ("trusting") their certs manually every time you reinstall Windows.

Little test, not recommended. Find a website that uses Verisign certs for SSL, then export and delete the Verisign certs from your local trusted authority store. Go back to the website and you'll be warned that you don't trust the cert being used for SSL.

Fun and interesting topic, but you've got a lot of reading ahead.


*edit*, hold on, I just re-read that. I think you mean, company A legally bought a cert from Verisign then got hacked, and someone used that cert to sign their own malicious code. In which case yes, that's perfectly possible. But you should still tell the company/Verisign because it's a serious issue - the cert has been compromised and must be revoked.
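The two points Silver makes above (trust comes from the root store, not from the CA's name, and a leaf stops verifying the moment its root is deleted from the store) can be shown with the Go standard library. This is an added example, not code from the thread; it mints its own constructed root CAs and publisher certs in memory, and every name in it is a placeholder.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue mints a cert for subject: self-signed when parent is nil, otherwise signed by parentKey (parent's key).
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, uniqueness not needed here
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // whole chain allows code signing
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// TrustedForCodeSigning reports whether leaf chains to a root present in store and may sign code.
func TrustedForCodeSigning(leaf *x509.Certificate, store *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
// Demo: same leaf with its root installed, with the root removed (empty store), and a leaf from a
// home-made CA that copies the real root's name but has a different key (the "call it Verisign" case).
func Demo() (withRoot, rootRemoved, sameNameOtherKey bool) {
	root, rootKey := issue("Example Root CA (constructed)", true, nil, nil)
	fake, fakeKey := issue("Example Root CA (constructed)", true, nil, nil) // identical name, unrelated key
	leaf, _ := issue("Example Publisher Ltd (constructed)", false, root, rootKey)
	fakeLeaf, _ := issue("Example Publisher Ltd (constructed)", false, fake, fakeKey)
	store := x509.NewCertPool() // stands in for the Trusted Root Certification Authorities store
	store.AddCert(root)
	return TrustedForCodeSigning(leaf, store), TrustedForCodeSigning(leaf, x509.NewCertPool()), TrustedForCodeSigning(fakeLeaf, store)
}
func main() { fmt.Println(Demo()) } // prints: true false false
```

The verifier matches the issuer name, then checks the signature against the stored root's public key, so the same-name CA fails exactly like the deleted root does.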

Maximus
April 21st, 2006, 07:45
Quote:
[Originally Posted by Silver]Verisign. They operate a strict authentication system and don't issue certificates until they've confirmed you are who you say you are.

eheh, there is an interesting and funny article at m$ where Verisign released a class 3 certificate signed to micro$oft... but it wasn't micro$oft...

Quote:
[Originally Posted by Silver]
If they've issued a cert to someone being naughty then they'll revoke it.


Also, as that article reports, Verisign certs (forgot if all, or just some) have/had problems with revoking (surely for the class 3 certs), so even if a cert is revoked you might not be aware of the fact.

Regards,
Maximus

(ps: they are the ones that tax you $500/year for writing device drivers for any reason on Vista)

Silver
April 21st, 2006, 10:14
Quote:
eheh, there is an interesting and funny article at m$ where Verisign released a class 3 certificate signed to micro$oft... but it wasn't micro$oft...


Yup, that was a famously bad move by Verisign, they got completely social-engineered. MS had to release a patch for it, IIRC.

Quote:
so even if a cert is revoked you might not be aware of the fact.


Certificate revocation is a very weak link in the chain. The entire thing depends on the CRL being accessible at the CDP. It's also possible to orphan certificates so that the original CA isn't valid but the issued cert appears to be. Your PKI system is only as good as the processes you have to manage it...

SiGiNT
April 21st, 2006, 10:28
I encountered the same thing, although it didn't involve malware. I was the recipient of an E-mail phishing scam saying my bank account had been suspended for suspicious activity. I clicked on the link and up popped a verrry authentic looking page complete with a Verisign cert link. I didn't investigate any further since I don't have an account with that bank, but I did look into the authenticity of the bank, and it is a real bank located in my country but not local to my area.

SiGiNT

Polaris
April 22nd, 2006, 04:04
Although I never saw malware signed by Verisign, this is an issue that is getting more and more frequent with spyware and adware... Moreover, this is bringing down Verisign's credibility a lot, so they should improve the mechanism that is prior to issuing certificates...

LLXX
April 22nd, 2006, 04:33
AFAIK certificates only prove that they are who they are, not whether they write malware or not. I've seen quite a lot of signed spyware/adware too.

Silver
April 22nd, 2006, 08:11
LLXX sure, you're absolutely right. A cert really doesn't guarantee anything about the data itself (metadata, if you like). Verisign do make good efforts to ensure only legit companies get certs. The last time I went through the purchasing process they required all sorts of legal checks to ensure I & the company I was doing it on behalf of really were who I said we were.

There's nothing to stop someone setting up a legit company, buying a Verisign cert and passing all the checks, then signing malware with it. It's not really Verisign's fault or responsibility once the cert has been issued. It would be like holding a car dealership responsible for a crime when someone legally buys a car then uses it in a robbery.

If a cert has been stolen and used to sign code then that's an entirely different revocation issue, which Verisign *are* responsible for.