Malware and signed code

Thread starter: Bill Sanderson

Bill Sanderson

(courtesy of Robear Dyer, and written by Joe Faulhaber, a name folks here
will recognize)

http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx

See the paragraph spotlighting mpcmdrun.exe.

This is pretty interesting, and highlights the importance of creating a
secure channel for updating antimalware products. Mpcmdrun is the code which
brings in updates to Windows Defender. It is also involved in Microsoft
Forefront and Microsoft Windows OneCare Live.
 
The other thought I had in reading this article is that I wonder whether
we'll see the equivalent of the "green bar" high-assurance certificates for
code signing?

The article mentions that Microsoft hasn't been able to trace validly
code-signed malware to the author, when the purpose of signing code is
intended to assure users that the code can be traced to a (presumably
legitimate) author.

It turns out there are gaps in the procedures used to issue these
certificates, as has been the case with other certificates. This probably
shouldn't come as a surprise! It also highlights the importance of being
able to check CRLs (certificate revocation lists), which should be updated
once signed malware is detected and the relevant certificate issuer is
notified.

(I wonder who the issuers consider qualified to declare a piece of signed
code as malware? There are a lot of snakes in this barrel...)
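An added example (mine, not code from the thread or from the MMPC post) of the check the post is getting at: read a file's Authenticode signature, then rebuild the signer's chain with online revocation checking so a revoked code-signing certificate is reported as revoked rather than just "not trusted", and so an unreachable CRL/OCSP endpoint is reported as "not checked" instead of passing silently. The MpCmdRun.exe path at the bottom is an assumption about the local install.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the thread. Inspects one signed binary and makes the
# revocation result explicit instead of relying on the summary Status alone.
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path              = $Path
        SigStatus         = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer            = $null
        Revoked           = $false
        RevocationChecked = $false        # false if the CRL/OCSP lookup did not complete
        ChainErrors       = @()
    }
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # Build the chain ourselves: check revocation for every certificate in it,
    # fetch CRL/OCSP online, and require the code-signing EKU (1.3.6.1.5.5.7.3.3).
    $chain = New-Object X509Chain
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    $null = $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $null = $chain.Build($cert)          # false on any chain error; details in ChainStatus

    $unknown = [X509ChainStatusFlags]::RevocationStatusUnknown -bor
               [X509ChainStatusFlags]::OfflineRevocation
    $sawUnknown = $false
    foreach ($s in $chain.ChainStatus) {
        $result.ChainErrors += "$($s.Status): $($s.StatusInformation.Trim())"
        if ($s.Status -band [X509ChainStatusFlags]::Revoked) { $result.Revoked = $true }
        if ($s.Status -band $unknown)                         { $sawUnknown = $true }
    }
    # "Valid" only means something if the revocation lookup actually succeeded.
    $result.RevocationChecked = -not $sawUnknown
    $chain.Reset()
    return [pscustomobject]$result
}

# The updater discussed in the thread; the path is an assumption.
Test-SignedBinary -Path "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" | Format-List
```

Treat `SigStatus = Valid` with `RevocationChecked = False` as unresolved, not as a pass: that is exactly the case where a certificate revoked after signed malware was reported would still look good.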
 
Bill said:
(courtesy of Robear Dyer, and written by Joe Faulhaber, a name folks here
will recognize)

http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx

See the paragraph spotlighting mpcmdrun.exe.

This is pretty interesting, and highlights the importance of creating a
secure channel for updating antimalware products. Mpcmdrun is the code
which brings in updates to Windows Defender. It is also involved in
Microsoft Forefront and Microsoft Windows OneCare Live.

Thanks for this, Bill!
 