by lqdc13 3692 days ago
I have a bunch of samples right now that fake signatures.

Here's one example: https://virustotal.com/en/file/fe8fa4daa404ebb3bd6df4c20650a...

All of them are self-extracting installers (they happen to be 7zip/Nullsoft) that successfully fake sigs. Nullsoft is the most popular packer/extractor out there.

Sure, there are ways of creating an installer with authenticode that cannot be faked, but it's much easier to just hash it and not worry about the terrible tech that is authenticode.

Edit: That's a fake Firefox installer with authenticode that checks out according to the spec. As you can see, this is not some weird edge case.

1 comment

The SHA256 of that file is exactly that of Firefox Setup Stub 35.0.1 (Win32), so of course Authenticode checks out.

I'm not 100% sure why some people thought it was a malicious file, but the comments on Virustotal mention [1], which, for me, redirects to the legitimate [2], but a comment seems to link it with [3], which is a completely different file. Perhaps the redirection is randomized, so people got confused?

[1] hxxp://files.dodo-number-1.pw/p/MCLkP8Dzc3nUWJrG9fwGLA,1442015273/zte%20mf631%20firmware%20downlo_10924_i57945825_il345.exe (replace hxxp with http)

[2] https://download-installer.cdn.mozilla.net/pub/firefox/relea...

[3] https://www.virustotal.com/es/file/e6821e86a9d3fb693b32077e6...