One of the more interesting aspects of the Flame malware was the MD5 collision attack that was used to infect new machines through Windows Update. MD5 collisions are not new, but this is the first attack discovered in the wild and deserves a more in-depth look. Trail of Bits is uniquely qualified to perform this analysis, because our co-founder Alex Sotirov was one of the members in the academic collaboration that first demonstrated the practicality of this class of attacks in 2008. Our preliminary findings were presented on June 9th at the SummerCon conference in New York and are available online or as a PDF download.
Great slides! Although hard to understand
Presumably Microsoft should be able to look up the serial number and validity in their logs of Terminal Services LS certificates issued, to find out where the request came from.
Pingback: 技术揭秘:为什么伪造 SHA-1 证书比找 SHA-1哈希碰撞难 | 神刀安全网