Security by asking the drunk whether he's drunk
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Dec 22 05:38:00 EST 2008
Adam Shostack <adam at homeport.org> writes:
>I'd be ecstatic with a frequency analysis that I could show to people.
This always happens right after you hit ^D... it turns out that Microsoft
actually has published figures for this, although it's fairly recent so I
hadn't seen it before now:
http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx
... approximately 135,000 validly signed malware files were reported to
Microsoft [there were 173K files in total, but 38K were
expired/revoked/whatever]. Of signed detected files, severity of the
threats tended to be high or severe, with low and moderate threats
comprising a much smaller number of files.
Going directly to the source gets you much better stats than talking to
malware researchers at conferences :-).
"High" and "severe" typically means 0day rootkit-type exploits, so that's
scary stuff, particularly since that's only malware reported to MS and not all
the malware that's out there. Hmm, I wonder if it's just coincidence that the
malware authors only bother signing the most effective/vicious malware to
ensure a good success rate and for the less effective ones they just leave
them as is?
Another interesting figure:
valid code signing certificates were reported on over 1.78 million distinct
non-malicious files to the MMPC
So from Microsoft's figures it looks like roughly every tenth signed file is
active (i.e. non-revoked/expired/whatever) malware.
Ouch!
Peter (so what we need now is EV certs for code-signing. Yeah, that'll fix
it).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com