funsec mailing list archives

RE: Sunbelt: Gromozon Malware Digitally Signed by Thawte


From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Fri, 14 Sep 2007 16:06:49 -0400

I think it only affects install time. Currently-installed copies will
continue to run.

Based on what was said in the Atsiv incident, I think there is an
internal CRL in Windows to which Microsoft could add the program, and
that would be checked at load time. They don't do this casually as it
requires a Windows Update distribution. Microsoft could also add a
Windows Defender signature for it, as they did with Atsiv.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Valdis.Kletnieks () vt edu
Sent: Friday, September 14, 2007 11:50 AM
To: Alex Eckelberry
Cc: funsec () linuxbox org
Subject: Re: [funsec] Sunbelt: Gromozon Malware Digitally Signed by
Thawte

On Wed, 12 Sep 2007 20:01:22 EDT, Alex Eckelberry said:
> Fyi, Verisign just notified me that the cert has been revoked.

And does anything that looks at that certificate actually *USE* the CRL
to verify it's un-revokedness before continuing? :)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

