We have prepared a short FAQ about Stuxnet and the revoked stolen certificates:
1. I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?
No. Because of the way code-signing certificates work, revoking a certificate does not stop malware that was already signed with it: you can still get infected by Stuxnet, and the driver will still load without any warning. The only effect of the revocation is that the bad guys will not be able to sign any further malware with it.
2. How many stolen certificates are we talking about?
So far, we’ve seen Stuxnet drivers signed with certificates from JMicron Technology Corp and Realtek Semiconductor Corp. Both companies seem to have offices in the Hsinchu Science and Industrial Park, which could indicate an insider job. It is also possible that the certificates were stolen using a dedicated Trojan, such as Zeus, which means there could be more.
3. I have a Realtek/JMicron motherboard/network card in my computer. Does it mean that I am at risk?
So far, we haven’t found anything suspicious in the Realtek/JMicron hardware drivers.
4. Now that Microsoft and Verisign revoked the Realtek/JMicron certificates, does it mean that my Realtek/JMicron drivers will stop working?
No. Due to the way certificates and signatures work, the revoking doesn’t have any effect on already signed drivers. Both companies were issued new certificates, which they can use to sign upcoming drivers.
5. Are we going to see more signed malware in the future?
Most likely, yes. There are currently tens of thousands of malicious programs that have been signed – that’s a fact. For more information, I encourage everyone to view Jarno Niemelä’s excellent presentation “It's Signed, therefore it's Clean, right?”, presented earlier this year at the CARO Workshop.
JMicron is a rather well known hardware producer, I've myself owned about three or four different computers which had JMicron components inside.
The initial RT certificate was suspicious, but another stolen certificate raises interesting questions.
One possibility here is that both JMicron and Realtek got infected with a trojan such as Zeus that steals digital certificates. The cybercriminals who obtained the certificates then either re-sold them on the market or used them themselves to sign the Stuxnet drivers.
To be honest, the fact that trojans were stealing digital certificates did not really seem that impressive when I first saw this capability.
Now, coupled with the Stuxnet story, it begins to make sense.
During the weekend, the maintainers of the Unreal IRCd Server source discovered a backdoor in the publicly available kit from their mirrors. The full announcement can be found on their website, but here’s an important quote which grabbed my attention:
“It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.”
In practice, this means the trojanized software was available for download for about 8 months before it was discovered.
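The Unreal IRCd case is the textbook argument for verifying a downloaded release archive against a digest the project publishes through a channel the mirror cannot rewrite. The following is an added example, not code from the Unreal IRCd project or from this blog: it builds a constructed stand-in "release" tarball in memory, verifies it against a sha256sum-style manifest, shows that a tampered copy fails, shows the caveat that a manifest fetched from the same compromised mirror proves nothing, and lists which archive members changed so an incident responder can see where the injected code sits. File names, contents and the archive name are constructed for the demonstration.

```python
"""Integrity check of a downloaded release archive against a published digest manifest."""
import hashlib
import hmac
import io
import tarfile

ARCHIVE = "ircd-release.tar.gz"  # constructed archive name, not a real release

# Constructed stand-in for a genuine source tree (paths and contents are invented).
GENUINE_FILES = {
    "ircd/Makefile.in": b"all: ircd\n",
    "ircd/src/net.c": b"/* network code */\n",
}
# Constructed stand-in for the mirror's replaced copy: one source file gained extra code.
TROJANED_FILES = dict(GENUINE_FILES)
TROJANED_FILES["ircd/src/net.c"] = GENUINE_FILES["ircd/src/net.c"] + b"/* constructed: injected stand-in */\n"


def build_tarball(members):
    """Build an in-memory .tar.gz from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(members.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp so the member layout is reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than trust
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_download(name, data, manifest):
    """Return (ok, reason). A file with no published digest is unverified, not passing."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no published digest for %s" % name
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: expected %s, got %s" % (expected, actual)
    return True, "ok"


def changed_members(tar_a, tar_b):
    """List member paths whose contents differ (or exist on one side only) between two tarballs."""
    def contents(blob):
        out = {}
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    out[member.name] = tar.extractfile(member).read()
        return out
    a, b = contents(tar_a), contents(tar_b)
    return sorted(path for path in set(a) | set(b) if a.get(path) != b.get(path))


def demo():
    genuine = build_tarball(GENUINE_FILES)
    trojaned = build_tarball(TROJANED_FILES)
    # Digest published by the project itself, out of band from the mirror.
    trusted_manifest = parse_manifest("%s  %s\n" % (sha256_hex(genuine), ARCHIVE))
    # Digest served by the same mirror that serves the replaced archive: the
    # attacker simply recomputes it, so the check passes and proves nothing.
    mirror_manifest = parse_manifest("%s *%s\n" % (sha256_hex(trojaned), ARCHIVE))
    return {
        "genuine": verify_download(ARCHIVE, genuine, trusted_manifest),
        "trojaned": verify_download(ARCHIVE, trojaned, trusted_manifest),
        "mirror_manifest": verify_download(ARCHIVE, trojaned, mirror_manifest),
        "changed": changed_members(genuine, trojaned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is in the two manifests: the digest is only worth checking when it comes from somewhere the mirror operator cannot edit (the project's own site, or a signed announcement), which is exactly what a replaced tarball sitting unnoticed for months on a mirror fails to provide.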
Yesterday I uploaded my first ever HD movie to YouTube. Once this was finished, I immediately got an email from YouTube saying “Congratulations on your first YouTube upload!” along with further hints and tips on getting the best out of it. Only a couple of hours later, I got another email, this time, saying “Hello, Have you tryed YouTube Toolbar?”
The typo in the subject line should be a good indication to anyone that this was most likely not from YouTube. Indeed, the message - which was rather poorly formatted - contained a link to a Backdoor.IRC.Zapchast variant.
Backdoor.IRC.Zapchast.i spam email
Earlier this week, a few stories appeared about Google dropping Windows inside their corporate network, in favor of MacOS and Linux. This seems to have been triggered by the famous targeted attack now known as the "Aurora" operation. Of course, this looks like a huge blow to the security image of Microsoft products, however, does it really make any sense?
First of all, Google didn't get broken into because they were running Windows. They got hacked because they used IE6, a product that is 9 years old. Google fell victim to the attack because they didn't follow the most basic security advice we recommend for our users, which is, patch and use a modern browser, like IE8 or Firefox.
Today was the opening day of the CARO 2010 Workshop, which is hosted by F-Secure in Helsinki.
Mikko Hypponen, the CRO of F-Secure, opened the conference by announcing this year's theme, which is Big Numbers. With 30,000 to 50,000 new malicious samples appearing daily, this is a very hot topic in the industry.
One of the highlights of the conference was undoubtedly the keynote address by Dr Alan Solomon.
Hello from Barcelona, where my colleague Sergey Novikov and I are attending the BlackHat Conference Briefings, 2010.
This year marks an important milestone, as the conference was relocated from Amsterdam to Barcelona in order to accommodate the increasing number of delegates. Another change is the number of tracks, with three this time round compared to two last year.
The conference started with a keynote presentation from Max Kelly, CSO of Facebook:
Max provided a very interesting insight into how Facebook handles attacks. He pointed out that while vulnerabilities are important, they are at the lower end of the priorities scale; the top priority is going after the attackers themselves. Long term, this could work better than the usual game of hack and patch, but of course it requires a certain amount of resources to be invested in lawsuits and the tracking down of cybercriminals.
Another very interesting presentation came from Stephan Chenette, from Websense. Stephan presented FireShark, a new free project that can be found on the internet as of today at:
FireShark is a browser plugin which can be used to automate the process of browsing malicious websites and extracting malicious links from them in order to build visual graphs of criminal connections and to identify injection patterns. If you are interested in web injections, or researching threats such as Gumblar and Pegel, be sure to check it out.
If you want to stay in touch with what's happening here, the live Twitter feed is quite active: #BlackHatEU - enjoy!
Earlier today, Microsoft released the out-of-band (OOB) Microsoft Security Bulletin MS10-002 (rated “Critical”) to the public. The cumulative Security Update for Internet Explorer 978207 fixes a couple of serious issues which allow remote code execution through malicious HTML pages, vulnerabilities that are now known to have been used in the Google/Adobe hack.
The bulletin is available here:
To patch, just use Windows Update.
In addition to that, Microsoft created a tool which will opt-in Internet Explorer to Data Execution Prevention (DEP), if your processor has this feature and the operating system is aware of it. DEP is a wonderful technology which makes it much harder for hackers to exploit vulnerabilities such as this one. We recommend that you check it out at:
As usual, there are a few other fine alternatives to IE out there that you might want to try. I recommend Chrome (http://www.google.com/chrome), Firefox (http://www.getfirefox.com/) and Opera (http://www.opera.com/download/).