Certificate-stealing Trojan
Thierry Moreau
thierry.moreau at connotech.com
Tue Sep 28 10:18:52 EDT 2010
Marsh Ray wrote:
> On 09/27/2010 08:26 PM, Rose, Greg wrote:
>>
>> On 2010 Sep 24, at 12:47 , Steven Bellovin wrote:
>>
>>> Per
>>> http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml
>>>
>>> there's a new Trojan out there that looks for and steals Cert_*.p12
>>> files -- certificates with private keys. Since the private keys
>>> are password-protected, it thoughtfully installs a keystroke logger
>>> as well....
>>
>> Ah, the irony of a trojan stealing something that, because of lack of
>> PKI, is essentially useless anyway...
>
> While I agree with the sentiment on PKI, we should accept this evidence
> for what it is:
>
> There exists at least one malware author who, as of recently, did not
> have a trusted root CA key.
>
> Additionally, the Stuxnet trojan is using driver-signing certs pilfered
> from the legitimate parties the old-fashioned way. This suggests that
> even professional teams with probable state backing either lack that
> card or are saving it to play in the next round.
>
> Is it possible that the current PKI isn't always the weakest link in the
> chain? Is it too valuable of a cake to ever eat? Or does it just leave
> too many footprints behind?
>
Don't forget that the described trojan looks for an actual *client*
private key and certificates. This puts Mallory in a position to
impersonate the victim comprehensively, including non-crypto validity
checks (e.g. confidence gained from a log of recent activity using this
certificate).

Then the question is which PKIs actually deploy client certificates.
> - Marsh
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com