by snorkel 4026 days ago
The attack vector would be a malware binary crafted to have the same MD5 sig as a popular, already trusted app. But of course once the badware is caught, virus scanners could check other properties aside from MD5 sig to flag a bad binary. I assume virus scanners use MD5 as just a fast prescreen scan, then do a few deeper checks on potentially bad binaries to make sure.
1 comments

What you describe there would be a preimage attack[0], not a collision attack. There is no publicly known practical[1] preimage attack on MD5 at this time.

0. http://en.wikipedia.org/wiki/Preimage_attack

1. 2^123.4 complexity is not practical

If I understand correctly, what's described in the article indeed uses a collision attack. The "trusted app" is one the hacker manufactures himself.
Yes, that was what the article says, but the person I was responding to misunderstood.
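
Added example, not part of the thread: the collision versus preimage distinction discussed above, measured on MD5 truncated to 16 bits so that both searches finish in seconds. The truncation width, function names and input strings are assumptions made for this illustration; on full 128-bit MD5 the same generic searches cost about 2^64 and 2^128 hashes.

```python
import hashlib
from itertools import count

BITS = 16  # assumed toy digest width; full MD5 is 128 bits


def h(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(data), a toy stand-in for the full digest."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)


def find_collision(bits: int = BITS):
    """Collision: the searcher chooses BOTH inputs (birthday search).

    Expected cost is about 2^(bits/2) hashes.
    Returns (msg1, msg2, hashes_computed).
    """
    seen = {}
    for i in count():
        m = b"a-%d" % i          # constructed candidate inputs
        d = h(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m


def find_second_preimage(target: bytes, bits: int = BITS):
    """Second preimage: the digest is fixed by an input someone else chose.

    Expected cost is about 2^bits hashes.
    Returns (msg, hashes_computed).
    """
    want = h(target, bits)
    for i in count():
        m = b"b-%d" % i          # constructed candidate inputs
        if m != target and h(m, bits) == want:
            return m, i + 1


if __name__ == "__main__":
    m1, m2, n_col = find_collision()
    print(f"collision after {n_col} hashes: {m1!r} / {m2!r}")
    m, n_pre = find_second_preimage(b"trusted-app")  # constructed target
    print(f"second preimage after {n_pre} hashes: {m!r}")
```

Raising `BITS` by 2 roughly doubles the collision cost but quadruples the second-preimage cost.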