Hold on to Your Keys!

There have been a few recent incidents of what we previously thought was extremely rare — malware authors using code signing certificates that were issued to companies with good reputations.

The high-profile Stuxnet incident included validly signed malware with misappropriated Authenticode certificates from two Taiwanese companies. More recently, it appears a U.S. credit union lost its private key to malware authors who used it to sign some variants of Trojan:Win32/Tapaoux.A as well.


Microsoft has also published a guide: Code-Signing Best Practices:




Comments (0)

Skip to main content