Microsoft System Certificate Roots Modified by FireHack.exe


zerohearne


Last night I noticed that the Microsoft System Certificate Roots (which I highlighted on the screenshot attached below) were modified by a program called "Firehack" (a premium multi-hack for retail World of Warcraft). Firehack.exe is only supposed to access and modify WoW-64.exe in memory; it makes no sense for Firehack.exe to be modifying Microsoft System Certificates like \SmartCardRoot, \AuthRoot, \Root, or HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\Schannel.
---------------------------------------------------------------------------------------------
Do programs usually access Microsoft System Certificates like \SmartCardRoot, \AuthRoot, or \Root, or is this unusual behavior? I have sensitive information on my system, and I'm worried that this could compromise the integrity of my system's decryption certificates since its certificate directories have been modified.

I thought this program was safe to run because my friend uses it and made me install it to play with him, so I "Allowed" all of the Host Intrusion Prevention warnings without reading them (I know, bad move), but after looking at my entry logs for Defense+ the modification to the certificate directory scared me.

As of now FireHack.exe has no internet access and all its permissions have been revoked, and there were no significant data transfers (6 KB in, 1 KB out) over the duration of its existence on my system.


Certificates are stored in what is called the Certificate Store. There are "Personal", "Other People", "Trusted" and "Intermediate" as well as "Untrusted".


They are not stored in the Registry. Certificates are stored in the User Profiles. They are accessible by using Internet Explorer...

Tools --> Internet Options --> Content --> Certificates


There is what is called a Certificate Chain. That is, there will be a Trusted Root Certificate, an Intermediate Certificate and the Certificate assigned to a Person, Program or web site.


Programs do in fact access the store quite regularly. It may be because you are using HTTPS and SSL to access a web site. It may be because a Program issued by Adobe or some other legitimate source will have a Publisher's Certificate. The OS has to check the validity of a Certificate by accessing a Certificate Revocation List (CRL) and make sure the Certificate trust chain is intact. This is done via the Online Certificate Status Protocol (OCSP), and Windows Vista and above rely heavily upon it.


References:

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

https://en.wikipedia.org/wiki/Certificate_server

https://en.wikipedia.org/wiki/Public_key_infrastructure

https://en.wikipedia.org/wiki/Extended_Validation_Certificate
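A defender-side check that follows from the discussion above, added here as an example and not code from either poster: a PowerShell script that snapshots the machine-wide Root, AuthRoot and SmartCardRoot stores named in the question and reports any certificate that was not present in a saved baseline, so an unexpected new trust anchor stands out. The baseline file path is an assumption; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): baseline-and-diff of the machine root stores.
# The baseline path below is an assumption; adjust it for your environment.
$BaselinePath = "$env:ProgramData\root-store-baseline.json"
$Stores = @('Root', 'AuthRoot', 'SmartCardRoot')

function Get-RootStoreSnapshot {
    # One record per certificate, identified by store name plus SHA-1 thumbprint.
    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)   # true for a root/trust anchor
                }
            }
    }
}

$current = @(Get-RootStoreSnapshot)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what the machine trusts today and stop.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath ($($current.Count) certificates)."
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known    = @{}
foreach ($b in $baseline) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

# Anything present now but absent from the baseline is a newly added trust anchor.
$added = $current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }
if ($added) {
    Write-Warning "New certificate(s) in machine root stores since baseline:"
    $added | Format-Table Store, Thumbprint, Subject, NotBefore, SelfSigned -AutoSize
} else {
    Write-Host "No additions to $($Stores -join ', ') since baseline."
}
```

Take the baseline on a machine you already trust, then re-run after installing anything that touched the stores; a new self-signed entry whose Subject you do not recognise is the case worth investigating.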

