From marsh@extendedsubset.com Fri Jul 6 02:37:07 2018
From: Marsh Ray
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: [cryptography] [OT] Reworked Version of Stuxnet Relative Duqu Found in Iran
Date: Fri, 06 Jul 2018 02:37:07 +0000
Message-ID: <172289097083.3849117.6431701823300239036.generated@mail.pglaf.org>

On 03/28/2012 10:39 PM, Jeffrey Walton wrote:
> Hi Guys,
>
> From "Reworked Version of Stuxnet Relative Duqu Found in Iran,"
> http://www.securitynewsdaily.com/1642-stuxnet-duqu-iran.html:
>
> Duqu's builders also changed its encryption algorithm and
> rigged the malware loader to pose as a Microsoft driver.
> (The old driver was signed with a stolen Microsoft certificate.)

I hadn't heard about a driver signed with a "stolen Microsoft certificate". I suspect it's imperfect reporting.

That article links to
http://www.symantec.com/connect/blogs/new-duqu-sample-found-wild
which says: "Another difference is the old driver file was signed with a stolen certificate—and this one is not."

> Is the stolen certificate related to Diginotar or some other incident?
> Microsoft claims Diginotar issued certificates are inert
> (http://www.computerworld.com/s/article/9219729/Microsoft_Stolen_SSL_certs_can_t_be_used_to_install_malware_via_Windows_Update).

Right. The legitimate Windows Update system application won't recognize certs from random CAs like DigiNotar. (Code signing PKI appears good enough for everyone except the vendors themselves.)

But it might be possible to silently pwn MSIE users who checked the box "Always trust ActiveX controls from microsoft.com", and the sky's the limit on how you might use something like that for social engineering.

> Perhaps "Stolen encryption key the source of compromised certificate
> problem, Symantec says,"
> http://computerworld.co.nz/news.nsf/security/stolen-encryption-key-the-source-of-compromised-certificate-problem-symantec-says?

Anyone can sign up to get a code signing cert for basic driver signing; there is no test of purity of heart involved. Probably the only reason the bad guys used a stolen one is that it was easier to steal or buy a private key than to set up a temporary identity and pay a few hundred bucks for an official one.

- Marsh

_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----