The DirtyMoe malware uses a driver signed with a revoked certificate that can be seamlessly loaded into the Windows kernel. Therefore, one of the goals is to analyze how Windows handles the code signature of Windows drivers. Similarly, we are also interested in the code signature verification of user-mode applications, since User Account Control (UAC) does not block the execution of an application even when it is signed with a revoked certificate. The second goal is a statistical analysis of the certificates that sign the DirtyMoe driver, because these certificates are also used to sign other malicious software. We focus on determining the certificates' origin and prevalence, and on a quick analysis of the top 10 software packages signed with these certificates.

Contrary to what has often been assumed, Windows loads a driver signed with a revoked certificate. Moreover, the results indicate that UAC does not verify revocation online but only against the system's local storage, which is updated manually by the user.
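As an added example (not part of the original article), the following PowerShell contrasts the verdict Windows derives from its local revocation store with a chain build that forces online CRL/OCSP retrieval for the same signer; the file path is a placeholder for whatever driver or executable you want to inspect, and the .NET X509Chain API is used here in place of the Windows loader's own check.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original article. $Path is whatever signed
# driver (.sys) or executable you want to check, e.g. C:\path\to\driver.sys
param([Parameter(Mandatory)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $Path" }

# 1. What this machine says: this verdict relies on locally cached revocation data.
"Local verdict : $($sig.Status) ($($sig.StatusMessage))"
"Signer        : $($sig.SignerCertificate.Subject)"
"Thumbprint    : $($sig.SignerCertificate.Thumbprint)"

# 2. Rebuild the signer's chain and force CRL/OCSP retrieval for every certificate.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
# Old, timestamped binaries legitimately carry expired signing certificates;
# ignore expiry so that revocation is the only condition surfaced below.
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::IgnoreNotTimeValid
$chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(15)

$built = $chain.Build($sig.SignerCertificate)

# Treat "revoked", "could not determine" and "offline only" all as findings:
# a signer whose status cannot be confirmed should not be trusted silently.
$bad = [X509ChainStatusFlags]::Revoked -bor
       [X509ChainStatusFlags]::RevocationStatusUnknown -bor
       [X509ChainStatusFlags]::OfflineRevocation
$hits = $chain.ChainStatus | Where-Object { ($_.Status -band $bad) -ne 0 }

if ($hits) {
    "Online verdict: REVOCATION FINDING"
    $hits | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
} elseif ($built) {
    "Online verdict: chain builds, no revocation reported"
} else {
    "Online verdict: chain failed for other reasons:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
$chain.Dispose()
```

A "Valid" local verdict beside an online "Revoked" finding is the gap the article describes; note that once a signing certificate has expired, some CAs drop it from their CRL, so an online check may report no revocation for very old signatures even when the certificate was revoked while valid.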