Security by asking the drunk whether he's drunk

Peter Gutmann pgut001 at
Mon Dec 22 05:38:00 EST 2008

Adam Shostack <adam at> writes:

>I'd be estatic with a frequency analysis that I could show to people.

This always happens right after you hit ^D... it turns out that Microsoft
actually has published figures for this, although it's fairly recent so I
hadn't seen it before now:

  ... approximately 135,000 validly signed malware files were reported to
  Microsoft [there were 173K files in total, but 38K were
  expired/revoked/whatever].  Of signed detected files, severity of the
  threats tended to be high or severe, with low and moderate threats
  comprising a much smaller number of files.

Going directly to the source gets you much better stats than talking to
malware researchers at conferences :-).

"High" and "severe" typically means 0day rootkit-type exploits, so that's
scary stuff, particularly since that's only malware reported to MS and not all
the malware that's out there.  Hmm, I wonder if it's just coincidence that the
malware authors only bother signing the most effective/vicious malware to
ensure a good success rate and for the less effective ones they just leave
them as is?

Another interesting figure:

  valid code signing certificates were reported on over 1.78 million distinct
  non-malicious files to the MMPC

So from Microsoft's figures it looks like roughly every tenth signed file is
active (i.e. non-revoked/expired/whatever) malware.


Peter (so what we need now is EV certs for code-signing. Yeah, that'll fix

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list