[140909] in cryptography@c2.net mail archive
Re: Security by asking the drunk whether he's drunk
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Tue Dec 23 14:29:29 2008
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: adam@homeport.org, cryptography@metzdowd.com
Date: Mon, 22 Dec 2008 23:38:00 +1300
Adam Shostack <adam@homeport.org> writes:
>I'd be ecstatic with a frequency analysis that I could show to people.
This always happens right after you hit ^D... it turns out that Microsoft
actually has published figures for this, although it's fairly recent so I
hadn't seen it before now:
http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx
... approximately 135,000 validly signed malware files were reported to
Microsoft [there were 173K files in total, but 38K were
expired/revoked/whatever]. Of signed detected files, severity of the
threats tended to be high or severe, with low and moderate threats
comprising a much smaller number of files.
Going directly to the source gets you much better stats than talking to
malware researchers at conferences :-).
"High" and "severe" typically means 0day rootkit-type exploits, so that's
scary stuff, particularly since that's only malware reported to MS and not all
the malware that's out there. Hmm, I wonder if it's just coincidence that the
malware authors only bother signing the most effective/vicious malware to
ensure a good success rate and for the less effective ones they just leave
them as is?
Another interesting figure:
valid code signing certificates were reported on over 1.78 million distinct
non-malicious files to the MMPC
So from Microsoft's figures it looks like roughly every tenth signed file is
active (i.e. non-revoked/expired/whatever) malware.
Ouch!
Peter (so what we need now is EV certs for code-signing. Yeah, that'll fix
it).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com