Didier Stevens

Friday 14 September 2012

New Authenticode Tools

Filed under: Announcement,Encryption,Forensics — Didier Stevens @ 14:43

I’ve worked on a couple of new tools to analyze the digital signature found in PE files. In this post, I’m sharing some invalid signatures I found on my machines.

This signature is invalid because the certificate expired:

Normally, certificate expiry shouldn't invalidate an existing signature, but here it does because the author didn't countersign the signature with a timestamping service (so there is no trusted proof the file was signed while the certificate was still valid):

I also found several files where the root certificate in the signature chain is itself signed with an MD2-based signature algorithm:

And last a signature with a revoked certificate:

Remember Realtek Semiconductor? Their private key was compromised and used to sign Stuxnet components.
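As an added example (not one of the tools announced in this post), here is a small stdlib-only Python parser that locates the Authenticode signature blobs in a PE file via the security data directory; the minimal PE it builds for testing is constructed here and the embedded blob is placeholder bytes, not a real PKCS#7 signature.

```python
import struct

SECURITY_DIR_INDEX = 4             # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2  # Authenticode PKCS#7 SignedData


def extract_authenticode(pe: bytes) -> list[tuple[int, int, bytes]]:
    """Return (revision, type, blob) for every WIN_CERTIFICATE entry in a PE.

    Caveat: unlike every other data directory, the security directory's first
    field is a raw file offset, not an RVA, because the signature is appended
    after the last section and is never mapped into memory.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # data directories: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return []                                # unsigned file
    if off + size > len(pe):
        raise ValueError("security directory points outside the file")
    certs, end = [], off + size
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        certs.append((rev, ctype, pe[off + 8:off + length]))
        off += (length + 7) & ~7                 # entries are 8-byte aligned
    return certs


def build_test_pe(blob: bytes) -> bytes:
    """Constructed minimal PE32 image with one WIN_CERTIFICATE appended (test data only)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                       # PE32, 96 bytes
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    cert += b"\0" * (-len(cert) % 8)
    dirs = bytearray(16 * 8)
    hdr_len = len(dos) + len(coff) + 224                              # cert lands right after headers
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, hdr_len, len(cert))
    return dos + coff + opt + bytes(dirs) + cert
```

Note that the blob returned is DER-encoded PKCS#7 in real files; checking its certificate chain for expiry without a timestamp countersignature, MD2-based roots or revocation is the next step and needs an ASN.1 parser.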

1 Comment »

  1. [...] You probably know by now that Adobe will revoke a compromised code signing certificate in a couple of days. As we seem to have more code signing related security incidents recently, I started to develop a couple of new tools. [...]

    Pingback by Searching For That Adobe Cert « Didier Stevens — Monday 1 October 2012 @ 19:29

