The story began when a researcher (who wishes to be referred to as "yosposbithc") in an IRC channel I am in was going through the Sony data and came across some PFX files used for code signing. A PFX (PKCS#12) bundle carries the private key alongside the certificate, so its password is the only thing standing between whoever holds the file and the ability to sign as that publisher. By luck, he quickly determined that the password to the file was the filename itself ("spe_csc"):
\Cert2\USERS\AMcMillian\Sony\Projects\The Big Picture\Certificates\spe_csc.pfx
Having discovered this, he asked us "what should I sign?" I initially suggested just signing 'calc.exe', since that is what tends to be used to demonstrate an RCE vulnerability. However, it was then decided that a sample of the actual malware used in the attack on Sony, taken from Malwr, would be signed instead.
|Screenshot from Kaspersky's recent article|
Kaspersky has since updated their article with the following:
So far, we have not encountered the signed sample in the wild. We've only seen it submitted to online malware scanning services. However, the existence of this sample demonstrated that the private key was in the public domain. At that point we knew we had an extremely serious situation at hand, regardless of who was responsible for signing this malware.
Reports indicate the "researcher" reached out to the certificate authorities to get the certificate revoked after submitting the malware online. The certificate would have been revoked without the creation of new malware. There really was no need to create new malware to prove that the certificate hadn't been revoked yet.
What is said here is true. Having previously worked at an anti-virus vendor myself, I can safely say that Kaspersky more than likely got the sample from VirusTotal, as that was how it worked when I was still in the industry.
|The certificate was revoked on December 7|
However, Kaspersky erroneously reported that the certificate had yet to be revoked at the time of writing. This was not the case: the researcher had reached out to DigiCert shortly after submitting the sample, and the certificate was revoked over the weekend. Whether a certificate has been revoked is a question for the issuing CA's published CRL or OCSP responder, which is where such a claim should be checked before it is printed.
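What a proper revocation check looks like, as an added example that is not part of the original post and not the tooling of anyone involved: a throwaway CA and code-signing leaf are built in memory as constructed stand-ins for the issuing CA and the leaked certificate (the real check would be against the CRL or OCSP responder DigiCert publishes for the issuing CA, which this example does not fetch), the CA issues a CRL listing the leaf's serial, and IsRevoked verifies the CRL's signature, issuer and validity window before it reports the certificate as revoked. The names BuildTestPKI, IssueCRL and IsRevoked are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a throwaway CA plus one code-signing leaf, built in memory.
// It is a constructed stand-in for the real issuer and the leaked Sony
// certificate; nothing here is derived from the actual DigiCert chain.
type TestPKI struct {
	CA      *x509.Certificate
	CAKey   *ecdsa.PrivateKey
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
}

// BuildTestPKI issues a CA carrying the cRLSign key usage (required to sign
// CRLs) and a leaf carrying the code-signing extended key usage.
func BuildTestPKI(now time.Time) (*TestPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing CA (test)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The parsed copy carries the SubjectKeyId that CreateCertificate
	// generated; CreateRevocationList requires it on the issuer.
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1001),
		Subject:      pkix.Name{CommonName: "Example Publisher (test)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, CAKey: caKey, Leaf: leaf, LeafKey: leafKey}, nil
}

// IssueCRL signs a CRL listing the given serials as revoked, valid for one day.
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, now time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: entries, // older field name, kept so this builds on Go < 1.21 too
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// IsRevoked answers "is this certificate on the CRL?" the way a verifier
// should: only after confirming the CRL is signed by the certificate's
// issuer, names that issuer, and is current at time now. Any of those
// failing is an error, never a "not revoked" answer.
func IsRevoked(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return false, errors.New("CRL issuer does not match the certificate's issuer")
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL is not current; fetch a fresh one before deciding")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	pki, err := BuildTestPKI(now)
	if err != nil {
		panic(err)
	}
	crl, err := IssueCRL(pki.CA, pki.CAKey, []*big.Int{pki.Leaf.SerialNumber}, now)
	if err != nil {
		panic(err)
	}
	revoked, err := IsRevoked(pki.Leaf, pki.CA, crl, now)
	fmt.Println("revoked:", revoked, "err:", err)
}
```

The point of the three guards in IsRevoked is that a CRL you cannot verify, or one past its NextUpdate, tells you nothing; treating either as "not revoked" is exactly how a stale "still valid" claim gets made. Against a real issuer the same function applies unchanged once the DER CRL has been fetched from the distribution point named in the certificate.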
There is not much more to this story than that. I do not have a copy of the certificate myself, as I have chosen not to touch the Sony data. The unsigned malware is available from the Malwr link I supplied earlier, and copies of the signed malware are now floating about.