- Jan 7, 2011
- 1,362
Languy99 already did a test of BufferZone Free.
It is an interesting test since one piece of malware got through. Although the file had low detection and some AV-s detected it using heuristics so we can't say with absolute certainty that it is malware, anyway it is a suspicious file.
It is steal unclear to me if it escaped the sandbox or it was run by the executable that was digitally signed. You should know that with default settings BufferZone allows digitally signed files to run outsite the protected zone. This might not be a safe thing to do (see bellow).
About digitally signed files:
A digital signature was never meant to differentiate between good software or malware. The only purpose of a digital signature is (similar to a signature on a piece of paper) to prove that a certain file was created by the person/company that digitally signed it.
Here's how this works: A Certificate authority (like Verisign or even Comodo) releases a certificate to a person/company but only after verifying that the person/company exists has a real address..etc. Using this certificate a person/company can digitally sign files. When you open the file Windows reads the signature and verifies if the certificate is still valid. (hence the verified publisher)
Example:
From the picture above (from the video) we can only conclude that the executable that installs a program named Windows Safe Search was created by the company named U.S&Corea.
In his video, languy states that certificates often get stolen. IMO, this is not true. A couple of certificates got stollen in the case of stuxnet, but as we all know that is a "special" piece of malware targeted at Iranian organizations and Kaspersky Labs (among others) concluded that the sophisticated attack could only have been conducted "with nation-state support". (Wikipedia). So (until now) this rarely happens and when something like this is discovered the certificates get revoked and the signature can't be verified anymore.
This is what really happens (quite often):
1. Everyone can create & use a self-signed certificate to digitally sign a file. Even more they can write whatever they want as the publisher (it can be Microsoft or any other known company). But this file will never have a Verified Publisher. Pay attention to the color and the text from UAC prompts. Blue means verified, everything else is not trusted.
2. The real problem: Some Certificate authorities grant certificates without a proper evaluation so you'll see digitally signed files by unknown companies that are malicious.
Conclusion: So again, just like in the case of a piece of paper signed by John Doe, you only trust the file if it is signed by a verified publisher that you heard about and actually trust. Since I haven't head about U.S&Corea, I would not run the file.
See Languy99's channel on Youtube.
It is an interesting test since one piece of malware got through. Although the file had low detection and some AV-s detected it using heuristics so we can't say with absolute certainty that it is malware, anyway it is a suspicious file.
It is steal unclear to me if it escaped the sandbox or it was run by the executable that was digitally signed. You should know that with default settings BufferZone allows digitally signed files to run outsite the protected zone. This might not be a safe thing to do (see bellow).
About digitally signed files:
A digital signature was never meant to differentiate between good software or malware. The only purpose of a digital signature is (similar to a signature on a piece of paper) to prove that a certain file was created by the person/company that digitally signed it.
Here's how this works: A Certificate authority (like Verisign or even Comodo) releases a certificate to a person/company but only after verifying that the person/company exists has a real address..etc. Using this certificate a person/company can digitally sign files. When you open the file Windows reads the signature and verifies if the certificate is still valid. (hence the verified publisher)
Example:
From the picture above (from the video) we can only conclude that the executable that installs a program named Windows Safe Search was created by the company named U.S&Corea.
In his video, languy states that certificates often get stolen. IMO, this is not true. A couple of certificates got stollen in the case of stuxnet, but as we all know that is a "special" piece of malware targeted at Iranian organizations and Kaspersky Labs (among others) concluded that the sophisticated attack could only have been conducted "with nation-state support". (Wikipedia). So (until now) this rarely happens and when something like this is discovered the certificates get revoked and the signature can't be verified anymore.
This is what really happens (quite often):
1. Everyone can create & use a self-signed certificate to digitally sign a file. Even more they can write whatever they want as the publisher (it can be Microsoft or any other known company). But this file will never have a Verified Publisher. Pay attention to the color and the text from UAC prompts. Blue means verified, everything else is not trusted.
2. The real problem: Some Certificate authorities grant certificates without a proper evaluation so you'll see digitally signed files by unknown companies that are malicious.
Conclusion: So again, just like in the case of a piece of paper signed by John Doe, you only trust the file if it is signed by a verified publisher that you heard about and actually trust. Since I haven't head about U.S&Corea, I would not run the file.
See Languy99's channel on Youtube.
Last edited by a moderator:
