Extracting Digital Signatures from Signed Malware

Discussion in 'other anti-malware software' started by ronjor, May 11, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,752
    Location:
    Texas
    https://isc.sans.edu/diary/Extracting Digital Signatures from Signed Malware/15779
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,752
    Location:
    Texas
    https://isc.sans.edu/diary/Extracting signatures from Apple .apps/15821
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
Hmm, I was going to start applying Publisher Rules in AppLocker.

    Has anybody had any issues with these fake signatures?
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
Check on signed only is not 100% bulletproof. IMO with publisher check for signed and hash for unsigned executables, you can't go wrong.

    I have built my Lazy Admin setup on signed software only protection since 2010. In this time I have gotten one malware sample from a friend's honeypot (who works as a malware researcher for a bank, reverse engineering financial malware in particular). By accident I was lucky, because the ACE addition I had (deny for Everyone) on the temp internet directory prevented it from running (and surviving reboot).

    As you may have seen, I have set up an auto allow Microsoft (narrowed down to OS) in user space when run as administrator using SpyShelter (and called Safe Admin :D ). This was on advice of my friend (either switch to AppLocker with publisher/hash rules or add something to your SRP defense WHEN allowing execution of Admin in userspace). I have chosen to add something to SRP, so when you stick to publisher rules plus hashes, you should be secure (other alternative of his advice).

    Regards
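The "publisher rules for signed, hash rules for unsigned" split described above, as an added PowerShell example that is not part of the thread or of any poster's setup. It first sorts executables by their Authenticode status, so that a file whose signature does not verify (HashMismatch, NotTrusted and similar) is reported rather than allowed, then builds an AppLocker policy where verified files get publisher rules and unsigned files get hash rules. `$SourceDir` and `$PolicyPath` are placeholders; it assumes an elevated Windows PowerShell session with the AppLocker cmdlets available.

```powershell
# Added example (not from the thread): classify executables by Authenticode status
# and build an AppLocker policy that uses publisher rules only for files whose
# signature verifies, falling back to hash rules for unsigned files.
# Assumptions: $SourceDir and $PolicyPath are placeholders; run elevated on
# Windows with the AppLocker module available.

$SourceDir  = 'C:\Tools'                           # placeholder: folder of executables to allow
$PolicyPath = "$env:TEMP\lazy-admin-policy.xml"    # placeholder: output policy file

$signed   = @()
$unsigned = @()
$suspect  = @()

Get-ChildItem -Path $SourceDir -Recurse -Include *.exe, *.dll, *.msi -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    switch ($sig.Status) {
        'Valid' {
            # Chain verifies: the rule can be keyed on the publisher, not the file bytes.
            $signed += $_.FullName
        }
        'NotSigned' {
            # No signature at all: only a hash rule can identify this exact file.
            $unsigned += $_.FullName
        }
        default {
            # Signed but not verifiable (HashMismatch, NotTrusted, ...): the file was
            # modified after signing or the chain does not end in a trusted root.
            # Do not allow it; list it for review instead.
            $suspect += [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Message = $sig.StatusMessage
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Collect AppLocker file information for the files we intend to allow.
$fileInfo  = @()
$fileInfo += $signed   | ForEach-Object { Get-AppLockerFileInformation -Path $_ }
$fileInfo += $unsigned | ForEach-Object { Get-AppLockerFileInformation -Path $_ }

if ($fileInfo.Count -gt 0) {
    # -RuleType is tried in order: Publisher where the file carries usable signer
    # information, otherwise Hash. -Optimize merges rules for the same publisher.
    New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix 'LazyAdmin' -Optimize -Xml |
        Out-File -FilePath $PolicyPath -Encoding UTF8
}

"{0} publisher-eligible, {1} hash-only, {2} suspect (not added)" -f `
    $signed.Count, $unsigned.Count, $suspect.Count
$suspect | Format-Table -AutoSize

# Review $PolicyPath, then test before enforcing, e.g.:
#   Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Tools\app.exe' -User Everyone
#   Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

A `Valid` status only means the file is unmodified since signing and the chain ends in a trusted root; it says nothing about whether that publisher should be trusted. The generated publisher rules therefore name the specific publishers found in the source folder rather than allowing anything that merely carries a signature, which is the gap the "signed only" check leaves open.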
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
  6. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Windows 7 is not mentioned there.
     