It could use something like bdfproxy[1] to intercept HTTP-downloaded EXE files, then add some persistent malware in _addition_ to whatever the EXE was doing. This has been done before, over Tor[2].
The malware doesn't have to add a new root certificate, either, though that's completely possible. The Zeus trojan [3] does "man-in-the-browser" to intercept banking information, for example.
So the spoofer distributing these devices is going to all this trouble/expense/risk in the hope there is an HTTP-downloaded EXE it can corrupt, then hopes the hashing doesn't fail on that corrupt EXE, and hopes the user ignores the untrusted-source warning so that it can install a trojan?
I think what he means is that it seems like a lot of trouble to hack someone who is not necessarily hackworthy? Like what kind of things would you expect to gain from someone who would be as computer illiterate as to allow all that to come to fruition?
I work at a software company. You would be amazed to know how many manager types, earning 6 figures, are absolutely naive with regards to security. Those are prime targets for this kind of exploit.
These are the same users who connected an untrusted block of hardware directly to their router and presumably gave them their Facebook login and password.