
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Researcher generates executable MD5 collisions with Authenticode signed binary

By | January 17, 2009, 9:55am PST


We have heard quite a bit recently about the dangers of using MD5, a now-broken cryptographic hash routine, for determining the validity of SSL certificates. Today we see that a researcher has taken a major step in generating malicious software whose signature matches that of an Authenticode-signed binary.

Researcher Didier Stevens has shown that the technique described by Peter Selinger for generating pairs of executables with the same MD5 hash can be used to generate pairs of executables which are also signed using Microsoft’s Authenticode program. This technique would allow a malicious individual to create a driver that has been validated as correct and signed by Microsoft but is actually malicious.

Much like the SSL issue, the scope of the problem is limited, as the default mechanism for Authenticode signing is actually SHA-1 and not MD5. Nevertheless, the developments in hash collision generation are particularly disturbing when it comes to executables. I am concerned that at some point, an individual will be able to generate hash collisions between malware and popular legitimate software, allowing them to evade signature-based anti-virus systems and have the software validate against binary whitelisting services.

That would officially be a “bad day.”
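Because the exposure is limited to signatures that use MD5 rather than the SHA-1 default, a defender can audit which signed binaries fall into that group. The following is an added example, not code from this article or from the researchers it cites: a heuristic that reads a PE file's certificate table and reports which digest-algorithm OIDs appear in the signature blob. The function names and the constructed sample file are assumptions made for illustration, and the OID scan does not fully parse the PKCS#7 structure.

```python
import struct

# DER encodings (tag, length, value) of digest-algorithm OIDs.
DIGEST_OIDS = {
    "md5": bytes.fromhex("06082a864886f70d0205"),      # 1.2.840.113549.2.5
    "sha1": bytes.fromhex("06052b0e03021a"),            # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}

def signature_blob(pe: bytes) -> bytes:
    """Return the PKCS#7 bytes of the first WIN_CERTIFICATE, or b'' if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24                              # skip PE signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    if count < 5:
        return b""
    # Directory 4 is the certificate table; its "address" is a file offset.
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if offset == 0 or size < 8 or offset + size > len(pe):
        return b""
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type != 0x0002 or length < 8 or length > size:  # PKCS_SIGNED_DATA
        return b""
    return pe[offset + 8:offset + length]

def digest_algorithms(pe: bytes) -> set:
    """Heuristic: names of digest OIDs found anywhere in the signature blob."""
    blob = signature_blob(pe)
    return {name for name, oid in DIGEST_OIDS.items() if oid in blob}

def uses_md5(pe: bytes) -> bool:
    return "md5" in digest_algorithms(pe)

def constructed_pe(oid: bytes) -> bytes:
    """Constructed minimal PE32 whose fake certificate table holds only `oid`."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 32, 312, 8 + len(oid))
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + bytes(20)
    return head + bytes(opt) + struct.pack("<IHH", 8 + len(oid), 0x0200, 2) + oid
```

A timestamp countersignature embedded in the same blob carries its own digest OID, so the reported set can contain more than one algorithm; any appearance of `md5` is worth a closer look with a full signature verifier.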


Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000.

Disclosure

Adam O'Donnell

Adam J. O’Donnell currently works for Cloudmark, a messaging security company whose clients include the majority of the Tier 1 customer-facing service providers as well as mobile carriers and social networks. He serves on the advisory committee for the SOURCE Security Conference, as well as several conference technical program committees. Many of his close friends work in the security industry, and he will disclose those relationships as he deems it necessary.

Biography

Adam O'Donnell

Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000. He currently is the Director of Emerging Technologies at Cloudmark, a messaging security company located in San Francisco.

Adam early on mastered the art of writing in complete sentences, using both hands and one foot. Later, he learned to do so with each individually. After fourteen years of apprenticeship in the mist-covered hills of central Nepal, Dr. O'Donnell emerged an unparalleled digital warrior and in desperate need of an anti-fungal wash.

Approaching both life and enterprise security with the verve of a particular capuchin, he is respected the world over as an observer of all he sees. Adam's dry blade of analysis will sever the hard candy shell surrounding most technical security concepts, and significantly goo-ify the remaining so as to be consumable in small bites with sufficiently large servings of digestive aids. Just what the doctor ordered.
