Monday, July 19, 2010

PKI in the news - revoking certificate associated with malware

VeriSign (working with Microsoft) is revoking the public key certificate associated with the signing key used (subsequently?) to sign some drivers that were part of a malware distribution.  Here is a summary article: http://threatpost.com/en_us/blogs/verisign-revokes-certificate-used-sign-stuxnet-malware-071710, thanks to the high-quality site Threatpost.

The article also describes innovations in the malware loading mechanism, which are of less interest to me. I look forward to an article with more technical details that can address PKI-related questions like:

If the certificate expired in June, why is it still necessary to revoke it? (Kind of an academic question, since many applications don't check revocation status, much less expiry dates; but, for the record.)

How did the malware distributor access the private signing key used to sign the driver? It would be very interesting to know how the driver-signing trust chain was broken.

I've worked with PKI in the past, with several companies and in a few consulting engagements.   PKI is always interesting, technically challenging, and prone, unfortunately, to failures of differing types due to its underlying complexity.   Can't live with it, and can't live without it.   (And can't shoot it.)
