Malware targeting GnuPG/PGP Keyrings

Robert J. Hansen rjh at
Thu Sep 25 17:09:46 CEST 2008

Maarten Van Horenbeeck of the SANS Internet Storm Center delivered a
fascinating presentation at this year's SANSFire.  "Is Troy Burning? An
overview of targeted trojan attacks."  (It was a few months ago, but I
just now got a copy of the slides.)

According to Van Horenbeeck, we are now seeing trojans in the wild which
are searching for PGP keyrings, intercepting passphrases, and sending
the whole mess off elsewhere.  The particular one he used in his
presentation was flagged as malware by:

Sophos 4.27
VirusBuster 4.3.26

... Everything else -- AVG, ClamAV, F-Prot, F-Secure, McAfee, Panda,
Symantec, etc. -- gave it a clean bill of health.  (This doesn't
surprise me very much; generally speaking, antivirus software is wildly
overestimated in its ability to keep you safe.)

At present, it does not seem to target GnuPG keyrings.  It seems like
such an obvious and trivial extension, though, that it would be prudent
to assume it already exists.

Please do not panic.  This is not a "the world is on fire!" post.  It's
been common knowledge for years that these sorts of attacks were
possible and it was a matter of time until we saw real-world examples.
All I'm saying is that we're now at that time.