[cryptography] [OT] Reworked Version of Stuxnet Relative Duqu Found in Iran
marsh at extendedsubset.com
Thu Mar 29 00:18:07 EDT 2012
On 03/28/2012 10:39 PM, Jeffrey Walton wrote:
> Hi Guys,
> From "Reworked Version of Stuxnet Relative Duqu Found in Iran,"
> Duqu's builders also changed its encryption algorithm and
> rigged the malware loader to pose as a Microsoft driver.
> (The old driver was signed with a stolen Microsoft certificate.)
I hadn't heard about a driver signed with a "stolen Microsoft
certificate. I suspect it's imperfect reporting.
That article links to
Which says: "Another difference is the old driver file was signed with a
stolen certificate—and this one is not."
> Is the stolen certificate related to Diginotar or some other incident?
> Microsoft claims Diginotar issued certificates are inert
Right. The legitimate Windows Update system application won't recognize
certs from random CAs like DigiNotar. (Code signing PKI appears good
enough for everyone except the vendors themselves.)
But it might be possible to silently pwn MSIE users who checked the box
"Always trust ActiveX controls from microsoft.com" and the sky's the
limit on how you might use something like that for social engineering.
> Perhaps "Stolen encryption key the source of compromised certificate
> problem, Symantec says,"
Anyone can sign up to get a code signing cert for basic driver signing,
there is no test of purity of heart involved. Probably the only reason
the bad guys used a stolen one is that it was easier to steal or buy a
private key than to set up a temporary identity and pay a few hundred
bucks for an official one.
More information about the cryptography