Possible code signing certificate issue?
Posted: 20 Oct 2022 11:55
Hello.
I've come across this file https://github.com/ditekshen/detection/ ... _certs.yar which contains yara rules to detect bad known certificates.
If you look inside you can find:
rule INDICATOR_KB_CERT_0407abb64e9990180789eacb81f5f914 {
meta:
author = "ditekSHen"
description = "Detects executables signed with stolen, revoked or invalid certificates"
thumbprint = "bcb40c7d23c9db41766c780b5388fb70f3d570bf"
hash = "f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b"
condition:
uint16(0) == 0x5a4d and
for any i in (0..pe.number_of_signatures): (
pe.signatures.subject contains "VideoLAN" and
pe.signatures.serial == "04:07
b6:4e:99:90:18:07:89:ea:cb:81:f5:f9:14"
)
}
Since this certificate is still used by VideoLAN for code signing do we have to worry about the certificate being stolen?
Thank you!
I've come across this file https://github.com/ditekshen/detection/ ... _certs.yar which contains yara rules to detect bad known certificates.
If you look inside you can find:
rule INDICATOR_KB_CERT_0407abb64e9990180789eacb81f5f914 {
meta:
author = "ditekSHen"
description = "Detects executables signed with stolen, revoked or invalid certificates"
thumbprint = "bcb40c7d23c9db41766c780b5388fb70f3d570bf"
hash = "f1fdac82e4e4da91ba2a9d8122a5f27e11a8342308b18376b189d2cc7468557b"
condition:
uint16(0) == 0x5a4d and
for any i in (0..pe.number_of_signatures): (
pe.signatures.subject contains "VideoLAN" and
pe.signatures.serial == "04:07
b6:4e:99:90:18:07:89:ea:cb:81:f5:f9:14")
}
Since this certificate is still used by VideoLAN for code signing do we have to worry about the certificate being stolen?
Thank you!