this post was submitted on 26 Jul 2024
68 points (100.0% liked)
Sysadmin
5589 readers
1 users here now
A community dedicated to the profession of IT Systems Administration
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
As much "doom and gloom" as the article pushes, I kinda feel that the compromised keys being well known makes detection easier. The malicious binary needs to be signed with one of these keys, this means that there will be very specific structures (e.g. the public key) at well known locations in the file. This is exactly the type of threat which anti-virus is good at detecting. Assuming a network's security folks aren't completely asleep at the switch, these attacks should get picked up and blocked pretty fast.
There is a reason attackers spend so much time and effort obfuscating code and keeping files off the disk. While A/V may be a pretty terrible security control and easily bypassed in many cases, watching for files with well known patterns is one of the few things A/V tends to do well.