A mighty fortress is our PKI, Part II

Anne & Lynn Wheeler lynn at garlic.com
Fri Aug 6 09:46:56 EDT 2010


Zeus malware used pilfered digital certificate
http://www.computerworld.com/s/article/9180259/Zeus_malware_used_pilfered_digital_certificate
Zeus Malware Used Pilfered Digital Certificate
http://www.pcworld.com/businesscenter/article/202720/zeus_malware_used_pilfered_digital_certificate.html

&

Zeus malware used pilfered digital certificate
http://www.networkworld.com/news/2010/080610-zeus-malware-used-pilfered-digital.html

from above:

The version of Zeus detected by Trend Micro had a digital certificate belonging
to Kaspersky's Zbot product, which is designed to remove Zeus. The certificate --
which is verified during a software installation to ensure a program is what it
purports to be -- was expired, however.

... snip ...

Certificate Snatching—ZeuS Copies Kaspersky’s Digital Signature
http://blog.trendmicro.com/certificate-snatching-zeus-copies-kasperskys-digital-signature/

...

there was another scenario of certificate-copying (& dual-use vulnerability)
discussed in this group a while ago. The PKI/certificate bloated payment
specification had floated the idea that when payment was done with their
protocol, dispute burden-of-proof would be switched & placed on the consumer
(from the current situation where burden-of-proof is on the merchant/institution;
this would be a hit to "REG-E" ... and also apparently what has happened in the
UK with the hardware token point-of-sale deployment).

However, supposedly for this to be active, the payment transaction needed a consumer
appended digital certificate that indicated they were accepting dispute
burden-of-proof. The issue was whether the merchant could reference some
public repository and replace the digital certificate appended by the
consumer ... with some other digital certificate for the same public key
(possibly a digital certificate actually obtained by the consumer for that
public key at some time in the past ... or an erroneous digital certificate
produced by a sloppy Certification Authority that didn't adequately perform
a check for the applicant's possession of the corresponding private key).

Of course, since the heavily bloated PKI/certificate payment specification
performed all PKI-ops at the internet boundary ... and then passed
a normal payment transaction with just a flag claiming that PKI-checking
had passed ... they might not need to even go that far. There
were already stats on payment transactions coming thru with the flag
on ... and they could prove no corresponding PKI-checking had actually
occurred. With the burden-of-proof on consumer ... the merchant might
not even have to produce evidence that the appended digital certificates
had been switched.

-- 
virtualization experience starting Jan1968, online at home since Mar1970

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
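Added example, not from the post above and not code from the payment specification it discusses: a Go program built on the standard-library crypto/x509 and crypto/ecdsa packages that plays out the certificate-substitution scenario. A CA that never checks possession of the private key issues two certificates for the consumer's single public key, one without and one with a marker meaning "accepts dispute burden-of-proof". The marker OID, the extension encoding, the "merchant|amount|nonce" transaction string and all names are assumptions made for this example. When the consumer's signature covers only the transaction, the merchant can swap in the marked certificate and the signature still verifies under it; when the signature also covers a hash of the exact certificate DER the consumer appended, the swapped certificate fails. Binding the certificate into the signed data is one illustrative countermeasure chosen here, not something the specification is claimed to have done.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID standing in for "consumer accepts dispute burden-of-proof" (assumed).
var oidAcceptsBurden = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a short-lived certificate for pub (parent == nil: self-signed CA root); no proof of possession is demanded.
func issue(cn string, serial int64, burden bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, t.IsCA, t.BasicConstraintsValid, t.KeyUsage = t, true, true, x509.KeyUsageCertSign
	}
	if burden { // marker carried as a non-critical extension holding DER BOOLEAN TRUE
		t.ExtraExtensions = []pkix.Extension{{Id: oidAcceptsBurden, Value: []byte{0x01, 0x01, 0xff}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// claimsBurden reports whether the certificate carries the burden-of-proof marker.
func claimsBurden(cert *x509.Certificate) bool {
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidAcceptsBurden) {
			return true
		}
	}
	return false
}

// digest hashes the payment record; certDER nil means the signature commits to no particular certificate.
func digest(tx string, certDER []byte) []byte {
	h := sha256.New()
	h.Write([]byte(tx))
	if certDER != nil { // fold in the exact DER the consumer appended
		sum := sha256.Sum256(certDER)
		h.Write(append([]byte("|cert="), sum[:]...))
	}
	return h.Sum(nil)
}

// verify checks sig with the key in cert, treating boundTo (nil or the appended cert's DER) as part of the signed data.
func verify(cert *x509.Certificate, tx string, sig, boundTo []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest(tx, boundTo), sig)
}

// Result records what the merchant-side checks report under each design.
type Result struct{ NaiveOriginalOK, NaiveSwappedOK, BoundOriginalOK, BoundSwappedOK, OriginalClaimsBurden, SwappedClaimsBurden bool }

// Demo: the consumer appends a certificate without the marker; the merchant swaps in another for the same key that has it.
func Demo() Result {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	ca := issue("sloppy CA", 1, false, nil, &caKey.PublicKey, caKey)
	consumer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	original := issue("consumer", 2, false, ca, &consumer.PublicKey, caKey) // what the consumer appended
	swapped := issue("consumer", 3, true, ca, &consumer.PublicKey, caKey)   // same key, pulled from a public repository
	tx := "example-merchant|4999|nonce-0001"                               // constructed sample transaction
	naiveSig, err := ecdsa.SignASN1(rand.Reader, consumer, digest(tx, nil))
	check(err)
	boundSig, err := ecdsa.SignASN1(rand.Reader, consumer, digest(tx, original.Raw))
	check(err)
	return Result{
		NaiveOriginalOK: verify(original, tx, naiveSig, nil), NaiveSwappedOK: verify(swapped, tx, naiveSig, nil),
		BoundOriginalOK: verify(original, tx, boundSig, original.Raw), BoundSwappedOK: verify(swapped, tx, boundSig, swapped.Raw),
		OriginalClaimsBurden: claimsBurden(original), SwappedClaimsBurden: claimsBurden(swapped),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with go run: NaiveOriginalOK and NaiveSwappedOK both come back true, so the unbound signature is just as valid under the substituted certificate, and only that certificate reports the marker; BoundSwappedOK is false because the swapped DER no longer matches what the consumer signed over.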