Malware-slinging scum copied D-Link's code-signing certificates to dress up PC nasties

Security researchers have warned that someone's obtained copies of code-signing certificates from two Taiwanese companies – and is using them to sign malware. Abusing code-signing certificates in this way is an attempt to present software nasties as the legitimate product of the vendor whose key signed it. Security vendor …

  1. Pascal Monett Silver badge

    "copies of code-signing certificates"

    I wonder how that could happen. I'm thinking insiders got them out and sold them off in each case. Or maybe a targeted phishing expedition got lucky.

    In either case, big fail on certificate security on the part of the companies involved. Given we don't hear of this too often, I guess once in a while is somewhat unavoidable.

  2. Nick Kew Silver badge

    Re: "copies of code-signing certificates"

    That's why we have revocations, and need to check for them before trusting a source!

  3. GnuTzu Bronze badge

    Re: "copies of code-signing certificates"

    Well, seems a rhetorical question, but getting private keys either means they were hacked into or they spilled them--unless you want to believe someone managed to factor the primes.

    Either way, I have to wonder what the black-market value for these things is.

  4. Michael Wojcik Silver badge

    Re: "copies of code-signing certificates"

    Everyone who has the software has a copy of the certificate. It's the private keys that were leaked, not the certs. (This is of course a common mistake, but it'd be nice if knowledgeable folk like Richard and Drew avoided it.)

    Given we don't hear of this too often, I guess once in a while is somewhat unavoidable.

    It happens pretty frequently; it's just under-reported. There's a brisk market for code-signing keys (for illegitimate use).

    This is one reason why the CSRG recommended vendors require EV certificates for signing. In particular, the key-hygiene requirements of EV certificates, where they were actually observed by the CAs and key owners, would reduce key leakage. But there was tremendous industry pushback because EV certificates have all sorts of problems - not least those hygiene requirements, which become quite expensive for all but very small organizations.

  5. Michael Wojcik Silver badge

    Re: "copies of code-signing certificates"

    That's why we have revocations, and need to check for them before trusting a source!

    Revocation is a fucking disaster. At best it offers a very partial mitigation for some use cases.

    The simple fact is that the public X.509 PKI is broken.
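The two points made above, that everyone holding the software already has the certificate (only the private key is secret) and that a revocation check has to run before a source is trusted, can be shown in a few dozen lines. The following is an added example and is not code from the article, from The Register or from any commenter; the root CA, the vendor certificate, the payload and the type and function names (Demo, issue, NewDemo, Sign, Verify, RevokeLeaf) are all constructed for illustration. Signing needs the private key and nothing else; verifying needs only public material, and whoever holds a copied key produces signatures that pass that check just as the vendor's do. The Verify function also fails closed on a stale CRL, which is the kind of partial mitigation the thread complains about: a client that cannot fetch a fresh list has no way to know the key was burned.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds a constructed root CA and a constructed code-signing leaf; none of it is real vendor or CA key material.
type Demo struct {
	CAKey, LeafKey   *rsa.PrivateKey
	CACert, LeafCert *x509.Certificate
}

// issue generates a fresh RSA key and a certificate for tmpl; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed copy carries the generated SubjectKeyId the CRL signer needs
	return cert, key, err
}

// NewDemo builds the root and the code-signing leaf it issues (both constructed).
func NewDemo() (d *Demo, err error) {
	now := time.Now()
	d = &Demo{}
	if d.CACert, d.CAKey, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil); err != nil {
		return nil, err
	}
	d.LeafCert, d.LeafKey, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Constructed Demo Vendor (code signing)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, d.CACert, d.CAKey)
	return d, err
}

// Sign is the only step that needs the private key: whoever holds it, owner or thief, gets signatures that verify.
func Sign(key *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Verify uses only public material: the leaf certificate shipped with every signed binary, the trusted root,
// and optionally a DER CRL from that root. A good signature proves possession of the key, not the vendor's intent.
func Verify(leaf, root *x509.Certificate, crlDER, payload, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if crlDER != nil { // the revocation check that must happen before the source is trusted
		crl, err := x509.ParseRevocationList(crlDER) // Go 1.19+
		if err != nil {
			return err
		}
		if err := crl.CheckSignatureFrom(root); err != nil {
			return fmt.Errorf("crl signature: %w", err)
		}
		if time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("crl is stale: fail closed rather than trust an expired list")
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("certificate revoked")
			}
		}
	}
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(leaf.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}

// RevokeLeaf has the root publish a CRL naming the leaf's serial, as a CA would once a leaked key is reported.
// RevokedCertificates is the field available on Go 1.19 and 1.20; Go 1.21+ also offers RevokedCertificateEntries.
func RevokeLeaf(d *Demo) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: d.LeafCert.SerialNumber, RevocationTime: time.Now()}},
	}, d.CACert, d.CAKey)
}
```

Calling Verify with a nil CRL accepts a signature made with the leaked key exactly as it accepts the vendor's own; only after RevokeLeaf has produced a list, and only for clients that actually fetch and honour it, does the same signature start failing. Real Windows code-signing verification adds timestamp counter-signatures and online (OCSP) checks, which this example leaves out.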

  6. Trigonoceps occipitalis

    someone managed to factor the primes

    Easy, the prime and one.

  7. Michael Wojcik Silver badge

    Re: someone managed to factor the primes

    Yeah, this one's a shibboleth too.

    (At least the certificates are in fact RSA, so there's a product of large primes to be factored. The original comment would have made even less sense if they were ECC certs. Oh, well.)

    In any case, no one's going through the trouble of factoring a decent-sized RSA key for this, when you can buy leaked keys, or a private-key and certificate pair issued erroneously by a CA, for a reasonable price. And you can - see the link in my post above.

    Many organizations have very poor code-signing-key hygiene. They have the keys sitting on build machines. They commit them to code repositories (sometimes on public servers like GitHub). They email them around the organization. Attackers who get into the corporate network have a decent chance of finding them, and they're easy to exfiltrate and sell.
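The hygiene failures listed in that comment, keys on build machines and keys committed to repositories, are the kind of thing a pre-commit or CI scan catches cheaply. The following is an added example and not code from the thread or from any vendor it mentions; the Finding type, the ScanFiles function and the SampleRepo contents are constructed for illustration, and the PEM bodies are placeholder base64 rather than real keys. It walks a set of path/content pairs, flags PKCS#12 containers by extension and any PEM block whose type contains "PRIVATE KEY", and records whether the block is at least passphrase-protected, while leaving certificates (which are public and fine to commit) alone.

```go
package main

import (
	"encoding/pem"
	"path/filepath"
	"sort"
	"strings"
)

// Finding records one place where private key material appears to be stored.
type Finding struct {
	Path      string
	Kind      string // PEM block type, or the extension heuristic
	Encrypted bool   // passphrase-protected PEM is a lesser finding, not a clean one
}

// keyContainerExts are binary container formats that normally hold a private key;
// PKCS#12 bundles are the usual way a Windows code-signing key gets exported.
var keyContainerExts = map[string]bool{".pfx": true, ".p12": true}

// ScanFiles inspects path->content pairs (held in memory here; a pre-commit hook would
// read the staged files instead) and returns the findings sorted by path.
func ScanFiles(files map[string]string) []Finding {
	var out []Finding
	for path, content := range files {
		if keyContainerExts[strings.ToLower(filepath.Ext(path))] {
			out = append(out, Finding{Path: path, Kind: "key container by extension"})
		}
		rest := []byte(content)
		for {
			block, tail := pem.Decode(rest) // returns nil once no BEGIN marker remains
			if block == nil {
				break
			}
			rest = tail
			if !strings.Contains(block.Type, "PRIVATE KEY") {
				continue // certificates and public keys are public material
			}
			enc := strings.Contains(block.Type, "ENCRYPTED") ||
				strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
			out = append(out, Finding{Path: path, Kind: block.Type, Encrypted: enc})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// SampleRepo is a constructed repository snapshot: a build script that signs from a
// checked-in PKCS#12 file, a certificate (harmless), a PEM file that bundles the
// certificate with its unencrypted key, and a passphrase-protected deploy key.
var SampleRepo = map[string]string{
	"build/sign.sh":     "#!/bin/sh\nsigntool sign /f build/release.pfx /p \"$PFX_PASS\" setup.exe\n",
	"build/release.pfx": "PLACEHOLDER-PKCS12-BYTES",
	"certs/vendor.crt":  "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n",
	"certs/vendor.pem": "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n" +
		"-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n",
	"ci/deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n",
	"README.md":     "# Build\nRun build/sign.sh after export.\n",
}
```

Running ScanFiles over SampleRepo yields three findings: the .pfx container, the unencrypted RSA key inside certs/vendor.pem, and the encrypted key in ci/deploy_key; vendor.crt and the README produce none. The scan is a floor, not a ceiling: it will not see keys that were emailed around or left on a build host, which is why the comment's other recommendation, keeping the signing key in a hardware token or an HSM so there is nothing to copy, matters more than any repository check.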


Biting the hand that feeds IT © 1998–2018