[cryptography] [OT] Reworked Version of Stuxnet Relative Duqu Found in Iran

Marsh Ray marsh at extendedsubset.com
Thu Mar 29 00:18:07 EDT 2012

On 03/28/2012 10:39 PM, Jeffrey Walton wrote:
> Hi Guys,
>  From "Reworked Version of Stuxnet Relative Duqu Found in Iran,"
> http://www.securitynewsdaily.com/1642-stuxnet-duqu-iran.html:
>      Duqu's builders also changed its encryption algorithm and
>      rigged the malware loader to pose as a Microsoft driver.
>      (The old driver was signed with a stolen Microsoft certificate.)

I hadn't heard about a driver signed with a "stolen Microsoft 
certificate." I suspect it's imperfect reporting.

That article links to
Which says: "Another difference is the old driver file was signed with a 
stolen certificate—and this one is not."

> Is the stolen certificate related to Diginotar or some other incident?
> Microsoft claims Diginotar issued certificates are inert
> (http://www.computerworld.com/s/article/9219729/Microsoft_Stolen_SSL_certs_can_t_be_used_to_install_malware_via_Windows_Update).

Right. The legitimate Windows Update system application won't recognize 
certs from random CAs like DigiNotar. (Code signing PKI appears good 
enough for everyone except the vendors themselves.)

But it might be possible to silently pwn MSIE users who checked the box 
"Always trust ActiveX controls from microsoft.com" and the sky's the 
limit on how you might use something like that for social engineering.

> Perhaps "Stolen encryption key the source of compromised certificate
> problem, Symantec says,"
> http://computerworld.co.nz/news.nsf/security/stolen-encryption-key-the-source-of-compromised-certificate-problem-symantec-says?

Anyone can sign up to get a code signing cert for basic driver signing, 
there is no test of purity of heart involved. Probably the only reason 
the bad guys used a stolen one is that it was easier to steal or buy a 
private key than to set up a temporary identity and pay a few hundred 
bucks for an official one.

- Marsh
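An added defender-side check, not part of Marsh's message or the linked articles: a PowerShell script that walks the system driver directory and flags drivers whose Authenticode signature is not valid, or whose signing certificate was issued by a CA other than Microsoft (which is the distinction the thread is arguing about). It assumes a reasonably current Windows host; the `O=Microsoft Corporation` issuer match is a heuristic chosen here, not an authoritative trust decision.

```powershell
# Added example: report drivers in System32\drivers whose Authenticode
# signature is not Valid or whose signer was not issued by a Microsoft CA.
# Run from an elevated prompt so every driver file is readable.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$drivers   = Get-ChildItem -Path $driverDir -Filter '*.sys' -File

$report = foreach ($d in $drivers) {
    $sig    = Get-AuthenticodeSignature -FilePath $d.FullName
    $signer = $sig.SignerCertificate
    $issuer = if ($signer) { $signer.Issuer } else { '<none>' }

    [pscustomobject]@{
        Driver      = $d.Name
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status      = $sig.Status
        Subject     = if ($signer) { $signer.Subject } else { '<none>' }
        Issuer      = $issuer
        # Heuristic (assumption): anything not issued under a Microsoft CA
        # is a third-party or unknown signer and deserves a second look.
        MicrosoftCA = ($issuer -match 'O=Microsoft Corporation')
    }
}

# Show only the drivers that fail either test, most suspicious first.
$report |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.MicrosoftCA } |
    Sort-Object Status, Issuer, Driver |
    Format-Table Driver, Status, Issuer, Subject -AutoSize
```

Drivers signed only through a security catalog rather than an embedded signature can show as NotSigned on older PowerShell versions, so treat that status as a prompt to check the catalog, not as proof of tampering.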

