Extracting Digital Signatures from Signed Malware

Discussion in 'other anti-malware software' started by ronjor, May 11, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    59,861
    Location:
    Texas
    https://isc.sans.edu/diary/Extracting Digital Signatures from Signed Malware/15779
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    59,861
    Location:
    Texas
    https://isc.sans.edu/diary/Extracting signatures from Apple .apps/15821
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,965
    Hmm, I was going to start applying Publisher Rules in AppLocker.

    Has anybody had any issues with these fake signatures?
     
  4. Checking on signed only is not 100% bulletproof. IMO with publisher check for signed and hash for unsigned executables, you can't go wrong.

    I have built my Lazy Admin setup on signed software only protection since 2010. In this time I have gotten one malware sample from a friend's honeypot (who works as a malware researcher for a bank, reverse engineering financial malware in particular). By accident I was lucky, because the ACE addition I had (deny for Everyone) on the temp internet directory prevented it from running (and surviving reboot).

    As you may have seen, I have set up an auto allow Microsoft (narrowed down to OS) in user space when run as administrator using SpyShelter (and called Safe Admin :D ). This was on the advice of my friend (either switch to AppLocker with publisher/hash rules or add something to your SRP defense WHEN allowing execution of Admin in userspace). I have chosen to add something to SRP, so when you stick to publisher rules plus hashes, you should be secure (other alternative of his advice).

    Regards
     
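    The split that post 4 recommends (publisher rules for signed executables, hash rules for unsigned ones) can be prepared with a short inventory script. The script below is an added example, not code from this thread or from the SANS diaries linked above. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, a directory to audit in `$Root`, and that `Get-AuthenticodeSignature` and `Get-FileHash` are available (both are built in). Files whose signature exists but does not verify are listed separately, since that is the "fake signature" case post 3 asks about.

```powershell
# Added example (not from the thread or the linked SANS diaries): walk a directory,
# check each executable's Authenticode signature, and sort the results into the two
# allow-listing classes from post 4 plus a third "needs review" bucket.
# Assumptions: Windows, built-in Get-AuthenticodeSignature / Get-FileHash cmdlets.
param(
    [string]$Root = "$env:ProgramFiles",                      # directory to audit (assumed)
    [string[]]$Extensions = @('*.exe', '*.dll', '*.msi', '*.ps1')
)

$files = Get-ChildItem -Path $Root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue

$publisherCandidates = @()   # validly signed: write publisher rules for these
$hashCandidates      = @()   # unsigned: write hash rules for these
$suspect             = @()   # signed but not verifying: review before allowing

foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    switch ($sig.Status) {
        'Valid' {
            # Subject is what AppLocker shows as Publisher; the thumbprint lets you tell
            # two certificates with identical subject text apart when reviewing.
            $publisherCandidates += [pscustomobject]@{
                Path       = $f.FullName
                Publisher  = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                NotAfter   = $sig.SignerCertificate.NotAfter
            }
        }
        'NotSigned' {
            # Hash rule input: SHA-256 of the file exactly as it sits on disk.
            $hashCandidates += [pscustomobject]@{
                Path   = $f.FullName
                SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            }
        }
        default {
            # HashMismatch, NotTrusted, UnknownError, ...: a signature is present but
            # does not verify on this machine. Never derive a publisher rule from these.
            $suspect += [pscustomobject]@{
                Path   = $f.FullName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Detail = $sig.StatusMessage
            }
        }
    }
}

"{0} validly signed (publisher-rule candidates), {1} unsigned (hash-rule candidates), {2} need review" -f `
    $publisherCandidates.Count, $hashCandidates.Count, $suspect.Count

# One publisher rule usually covers many files; group to see how few rules you need.
$publisherCandidates | Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$suspect | Format-Table Status, Signer, Path -AutoSize
$hashCandidates | Export-Csv -Path "$env:TEMP\hash-rule-candidates.csv" -NoTypeInformation
```

    A status of `Valid` only means the chain verified and the file hash matches; a file signed with a stolen but unrevoked certificate also comes back `Valid`, which is the signed-malware case the thread is about. That is why the publisher candidates are grouped by subject for a human look rather than turned into rules automatically, and why post 4's point that signed-only checking is not bulletproof still holds.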
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,965
    Windows 7 is not mentioned there.
     