Don’t know if someone already posted this, but there is an interesting article on Ars Technica about an ACM Conference research paper on digitally signed malware. The second link also has a list of compromised code signing certificates from that research paper.
Digitally signed malware more common than previously believed?
This is disconcerting, but not a threat to Default Deny from what I have seen. From the AV aspect, maybe yes, but not from the core security of CIS. The chance of one of these signatures being on the Trusted Vendors list is very improbable. I have a definite sample and one I believe to be fraudulent. Both show as valid in Windows and in a signature lookup via dllhost, but when I try to add the same files to the Trusted Vendors list in CIS via a read from a signed executable, it will not recognize them as valid signatures.
Default Deny is still solid. If you get infected with CIS (depending on configuration), it’s because YOU trusted something.
Thanks for posting, HaryHr. Been following this for a while, but I had no idea it was so widespread. No AV vendor should disregard or trust a file based on a signature. Gives a new meaning to Trojan Horse.
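The distinction the two posts above draw, that a signature can be cryptographically valid while the signer is not trustworthy, can be checked on a Windows box with standard tooling. The following is an added example, not code from the thread, from CIS, or from the research paper: it verifies a file's Authenticode signature with Get-AuthenticodeSignature, rebuilds the signer's certificate chain with online revocation checking, and compares the signer's thumbprint against a local blocklist. The thumbprints in the blocklist and the C:\Tools path are placeholders, not real values from the paper's list of compromised certificates.

```powershell
# Added example: separate "signature verifies" from "signer is trusted".
# The blocklist entries below are constructed placeholders, NOT real
# compromised certificate thumbprints from the paper.
$CompromisedThumbprints = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

function Test-SignedFile {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Blocklist = $CompromisedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $null
        Thumbprint      = $null
        SignerBlocked   = $false
        ChainOk         = $false
        ChainStatus     = ''
        Verdict         = 'Untrusted'
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer        = $cert.Subject
        $result.Thumbprint    = $cert.Thumbprint
        $result.SignerBlocked = $Blocklist -contains $cert.Thumbprint

        # Rebuild the chain ourselves with online revocation checking and the
        # code-signing EKU. Get-AuthenticodeSignature can still report Valid for
        # a certificate the CA has since revoked if no fresh CRL is available.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null
        $result.ChainOk = $chain.Build($cert)
        if (-not $result.ChainOk) {
            $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    # A clean result here only means "signed by a signer we have no reason to
    # distrust"; it is not evidence that the file itself is benign.
    if ($sig.Status -eq 'Valid' -and $result.ChainOk -and -not $result.SignerBlocked) {
        $result.Verdict = 'SignedByNonBlockedSigner'
    }
    [pscustomobject]$result
}

# Usage (path is an assumption): list signed executables whose signer is on the
# blocklist or whose chain no longer builds, i.e. exactly the files a
# "trust anything with a valid signature" policy would wave through.
Get-ChildItem -Path 'C:\Tools' -Filter '*.exe' -Recurse |
    ForEach-Object { Test-SignedFile -Path $_.FullName } |
    Where-Object { $_.SignatureStatus -eq 'Valid' -and (-not $_.ChainOk -or $_.SignerBlocked) } |
    Format-Table Path, Signer, Thumbprint, SignerBlocked, ChainOk, ChainStatus
```

One caveat: the chain is built against the current time, so a file whose signing certificate has expired but that carries a valid timestamp countersignature will show ChainOk as false even though Windows still treats the signature as valid. Treat that row as "review manually" rather than as a definite hit, and treat a SignerBlocked hit as the stronger signal.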