by paulfr 3692 days ago
Can you give me pointers about authenticode flaws? After a quick search the two issues I found were with MD5 collisions (solution: the signer should never emit MD5 certificates) and certificate padding (solution: the user should set a registry key to enable verification of padding; search for "EnableCertPaddingCheck").
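The padding issue paulfr asks about comes down to which bytes the Authenticode hash covers: the CheckSum field, the security data-directory entry and the certificate table itself are excluded, so bytes parked in the table do not disturb the signature, and EnableCertPaddingCheck rejects tables holding bytes that no WIN_CERTIFICATE entry accounts for. The following is an added Python example, not code from this thread: it implements that check and the covered-region hash against a hand-built PE32 (the `build_sample_pe` helper and all function names are my own, and the constructed certificate blob is not a real PKCS#7 structure).

```python
import hashlib
import struct
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table

def _layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories start: PE32 vs PE32+
    secdir = dirs + SECURITY_DIR * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)  # a file offset, not an RVA
    return opt + 64, secdir, cert_off, cert_size          # CheckSum sits at optional header + 64

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash only what the signature covers: the file minus the CheckSum field,
    the security data-directory entry and the certificate table itself."""
    checksum_off, secdir, cert_off, cert_size = _layout(pe)
    covered = (pe[:checksum_off] + pe[checksum_off + 4:secdir]
               + pe[secdir + 8:cert_off] + pe[cert_off + cert_size:])
    return hashlib.new(algo, covered).hexdigest()

def cert_table_padding(pe: bytes) -> int:
    """Bytes in the certificate table that no well-formed WIN_CERTIFICATE entry claims.
    Non-zero means unsigned data rides inside a file whose signature still verifies."""
    _, _, cert_off, cert_size = _layout(pe)
    pos, end = cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length = struct.unpack_from("<I", pe, pos)[0]     # dwLength (wRevision, wCertificateType follow)
        if length < 8 or pos + length > end:
            break                                         # not a plausible entry: the rest is padding
        pos += (length + 7) & ~7                          # entries are rounded up to 8-byte boundaries
    return end - pos

def build_sample_pe(cert_blob: bytes, extra: bytes = b"") -> bytes:
    """Constructed minimal PE32 (no sections) with one WIN_CERTIFICATE wrapping
    cert_blob, followed by `extra` bytes counted in the table size but in no entry."""
    entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob  # revision 2.0, PKCS_SIGNED_DATA
    entry += b"\0" * (-len(entry) % 8)
    opt = bytearray(224)                                  # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    cert_off = 64 + 4 + 20 + len(opt)                     # table lands right after the headers
    struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, cert_off, len(entry) + len(extra))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt) + entry + extra
```

Comparing `cert_table_padding` and `authenticode_hash` for a clean build and one with trailing bytes in the table shows the covered hash unchanged while the padding check flags the extra bytes, which is the condition the registry key turns into a verification failure.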

Their conclusion is simply that "the major part has been fixed" in MS12-024, and that you should be careful if you write a self-extracting installer. No big deal.
I have a bunch of samples right now that fake signatures.

Here's one example: https://virustotal.com/en/file/fe8fa4daa404ebb3bd6df4c20650a...

All of them are self-extracting installers (they happen to be 7zip/Nullsoft) that successfully fake sigs. Nullsoft is the most popular packer/extractor out there.

Sure, there are ways of creating an installer with authenticode that cannot be faked, but it is much easier to just hash it and not worry about the terrible tech that is authenticode.

Edit: That's a fake Firefox installer with authenticode that checks out according to the spec. As you can see, this is not some weird edge case.

The SHA256 of that file is exactly that of Firefox Setup Stub 35.0.1 (Win32), so of course Authenticode checks out.

I'm not 100% sure why some people thought it was a malicious file, but the comments on Virustotal mention [1], which, for me, redirects to the legitimate [2], but a comment seems to link it with [3], which is a completely different file. Perhaps the redirection is randomized, so people got confused?

[1] hxxp://files.dodo-number-1.pw/p/MCLkP8Dzc3nUWJrG9fwGLA,1442015273/zte%20mf631%20firmware%20downlo_10924_i57945825_il345.exe (replace hxxp with http)

[2] https://download-installer.cdn.mozilla.net/pub/firefox/relea...

[3] https://www.virustotal.com/es/file/e6821e86a9d3fb693b32077e6...