Dirtbags dressed up malware as legit app using Sony crypto-certs

Miscreants were quick to capitalize on the theft of Sony's code-signing certificates and keys, using one to sign a software nasty so that it looks legit. An analysis of malware dubbed Destover, published by Kaspersky Lab on Tuesday, shows the code was signed with a certificate (and its private key) belonging to Sony, to slip past malware filters. …

  1. cantankerous swineherd

    this assumes your software / os checks for revoked certificates?

    1. diodesign (Written by Reg staff) Silver badge

      Re: cantankerous swineherd

      Yes. It can take 24 hours for the OS to notice a cert has been added to a revocation list. See the link in the article.

      C.

    2. Wzrd1 Silver badge

      "this assumes your software / os checks for revoked certificates?"

      Or is connected to the net when the malware is run. Windows can't check a CRL server if it's offline.

      1. Michael Wojcik Silver badge

        Or is connected to the net when the malware is run.

        When Windows updates its copy of the relevant CRL, you mean. CRL updates aren't necessarily done at time-of-use.

        Now, had you been talking about OCSP...

        Of course, the broader point remains. The commercial X.509 PKI system is wildly broken, and revocation is one of the areas in which it's especially wildly broken. Neither CRLs nor OCSP work very well. The mechanisms are fragile, many of the failure modes are unsafe and silent, the incentives are perverse, and most users have not a fucking clue how the whole horrible mess is supposed to work (and why should they?).
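To make the CRL-versus-OCSP distinction above concrete, here is a small added model (not code from the article, Kaspersky, Sony or any commenter). It mimics an OS-level verifier that trusts its cached CRL until that CRL's nextUpdate and only then tries to download a newer one, beside an OCSP query made at time of use. The certificate serial, CRL dates and signing time are constructed, the functions are hypothetical, and the model deliberately ignores details of Windows' real Authenticode logic such as timestamp handling; what it shows is the thread's point: a host whose cached CRL is still "valid" never asks again, an offline host with an expired cache learns nothing, and under the usual soft-fail policy "nothing" is treated as "fine".

```python
"""Model of cached-CRL vs time-of-use OCSP revocation checking.

Constructed example: serial numbers, dates and responder behaviour are
made up, and the functions are hypothetical, not an OS API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

REVOKED, GOOD, UNKNOWN = "revoked", "good", "unknown"


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    # serial -> time the issuer revoked it
    revoked: Dict[int, datetime] = field(default_factory=dict)


@dataclass
class SignedBinary:
    signer_serial: int
    signing_time: datetime


def crl_status(binary: SignedBinary, cached: Crl, now: datetime,
               fetch: Optional[Callable[[], Crl]]) -> str:
    """Status from a CRL the way an OS cache behaves.

    The cached copy is used as-is until its nextUpdate; only after that is a
    newer copy requested, and only if `fetch` is available (host is online).
    A cache published before the revocation therefore answers GOOD.
    """
    crl = cached
    if now > crl.next_update and fetch is not None:
        crl = fetch()                      # refresh happens on schedule, not at time of use
    if now > crl.next_update:
        return UNKNOWN                     # expired cache and nothing newer to hand
    return REVOKED if binary.signer_serial in crl.revoked else GOOD


def ocsp_status(binary: SignedBinary,
                responder: Optional[Callable[[int], str]]) -> str:
    """Ask the responder at time of use; None models an unreachable responder."""
    if responder is None:
        return UNKNOWN
    return responder(binary.signer_serial)


def decide(status: str, hard_fail: bool) -> bool:
    """Accept or reject. Soft-fail, the common default, accepts UNKNOWN silently."""
    if status == REVOKED:
        return False
    if status == UNKNOWN:
        return not hard_fail
    return True


def demo() -> dict:
    """Run the scenario the thread describes and return each verdict."""
    t0 = datetime(2014, 12, 1)
    old_crl = Crl(this_update=t0, next_update=t0 + timedelta(days=7))      # published before the theft
    new_crl = Crl(this_update=t0 + timedelta(days=2),                     # issuer revokes the stolen cert
                  next_update=t0 + timedelta(days=9),
                  revoked={0x1234: t0 + timedelta(days=2)})
    malware = SignedBinary(signer_serial=0x1234,
                           signing_time=t0 + timedelta(days=2, hours=2))
    run_at = t0 + timedelta(days=2, hours=12)
    later = run_at + timedelta(days=6)    # after old_crl.next_update

    def responder(serial: int) -> str:
        return REVOKED if serial in new_crl.revoked else GOOD

    results = {
        # online, but the cached CRL has not expired, so it is never refreshed
        "crl_cached_online": crl_status(malware, old_crl, run_at, fetch=lambda: new_crl),
        # cache expired, host offline: no answer at all
        "crl_expired_offline": crl_status(malware, old_crl, later, fetch=None),
        # cache expired, host online: finally sees the revocation
        "crl_expired_online": crl_status(malware, old_crl, later, fetch=lambda: new_crl),
        # OCSP asks at time of use
        "ocsp_online": ocsp_status(malware, responder),
        "ocsp_unreachable": ocsp_status(malware, None),
    }
    results["softfail_accepts_unknown"] = decide(results["ocsp_unreachable"], hard_fail=False)
    results["hardfail_accepts_unknown"] = decide(results["ocsp_unreachable"], hard_fail=True)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The interesting rows are `crl_cached_online` (still GOOD on a connected machine, because a CRL cache is refreshed on its own schedule rather than when a signature is checked) and `softfail_accepts_unknown` (an unreachable responder yields acceptance with no error shown to the user), which is the silent, unsafe failure mode complained about above.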

  2. David Roberts

    This used to be a tick box option in IE IIRC. Is it automatic now?

    1. Michael Wojcik Silver badge

      IE settings

      This used to be a tick box option in IE IIRC.

      You've neatly identified a number of the problems with a typical X.509 PKI implementation:

      - IE had multiple checkbox options for PKI, buried in the "advanced settings" where few dared to tread. Some were for CRLs; some were for OCSP. How many people knew what they all meant, and knew how in practice they were likely to interact with real-world threats? Almost none.

      - IE settings are per-user, so to use them to improve organizational security, you have to enforce them with group policies or the like. How many system administrators get around to doing that - assuming they understand the problem in the first place?

      - IE PKI settings don't control what Windows does with code-signing certificates, so they wouldn't have helped with this attack anyway.

      Putting a GUI on top of end-user PKI configuration does not significantly improve security.

  3. petur

    Android

    Not sure if they are also able to generate signed malware for Android? Not that I kept any of the Sony bloat on my Z3 compact - all disabled and updates blocked

    1. Wzrd1 Silver badge

      Re: Android

      "Not sure if they are also able to generate signed malware for Android? Not that I kept any of the Sony bloat on my Z3 compact - all disabled and updates blocked"

      Leaving vulnerabilities in place, awaiting compromise.

      1. Michael Wojcik Silver badge

        Re: Android

        It's tough to compromise software that never runs.

  4. Robert Helpmann??

    Who benefits?

    This whole affair is an attempt to divert attention away from the Snowden revelations. Blame the NSA!

    1. Wzrd1 Silver badge

      Re: Who benefits?

      "This whole affair is an attempt to divert attention away from the Snowden revelations. Blame the NSA!"

      Because village idiots can only pay attention to one thing per day.

      Meanwhile, those with an IQ above that of a bowl of jello can track multiple items of interest.

  5. Anonymous Coward

    Funny

    Publicly known key used to sign malware evades AVs, nothing new for a broken industry fueled by lies and false sense of security.

    1. Florida1920

      Re: Funny

      There may be an upside. The general public may be more motivated to Be Careful Out There. Some of them even may be too afraid to go online. It's all good.

  6. ecofeco Silver badge

    Sony

    The derp is strong with this one.

    1. Michael Wojcik Silver badge

      Re: Sony

      That's a tempting response. But multiple successful attacks like this over the years have shown that the X.509 PKI simply does not work in practice.

      People who control the signing keys for well-known CA roots and intermediaries cannot be trusted to keep those keys under their control and only sign legitimate requests. End users who use (often unwittingly) certificates to authenticate input do not enforce good certificate hygiene - which is not surprising, since it's 1) barely understood, 2) generally infeasible (as it requires incessant vigilance), and 3) sometimes outright impossible.

      Sony may be the foolish-looking victim of the week, but there have been many before them, and there will be many after them.

      Public X.509 PKI is broken and cannot be fixed. The best you can do is decide whether your threat model accommodates it - whether you can say, "we have nothing of sufficient value to make it worth the attacker's cost to break our PKI using any of the many vulnerabilities in the public PKI hierarchy". If the answer to that is "no", you'd better roll your own, and lock it down tightly. (And that's going to be expensive if it's done right.)
