[cryptography] [OT] Reworked Version of Stuxnet Relative Duqu Found in Iran

Marsh Ray marsh at extendedsubset.com
Wed Mar 28 21:18:07 PDT 2012


On 03/28/2012 10:39 PM, Jeffrey Walton wrote:
> Hi Guys,
>
>  From "Reworked Version of Stuxnet Relative Duqu Found in Iran,"
> http://www.securitynewsdaily.com/1642-stuxnet-duqu-iran.html:
>
>      Duqu's builders also changed its encryption algorithm and
>      rigged the malware loader to pose as a Microsoft driver.
>      (The old driver was signed with a stolen Microsoft certificate.)

I hadn't heard about a driver signed with a "stolen Microsoft certificate."
I suspect it's imperfect reporting.

That article links to
http://www.symantec.com/connect/blogs/new-duqu-sample-found-wild
which says: "Another difference is the old driver file was signed with a
stolen certificate and this one is not."

> Is the stolen certificate related to Diginotar or some other incident?
> Microsoft claims Diginotar issued certificates are inert
> (http://www.computerworld.com/s/article/9219729/Microsoft_Stolen_SSL_certs_can_t_be_used_to_install_malware_via_Windows_Update).

Right. The legitimate Windows Update system application won't recognize  
certs from random CAs like DigiNotar. (Code signing PKI appears good  
enough for everyone except the vendors themselves.)

But it might be possible to silently pwn MSIE users who checked the box  
"Always trust ActiveX controls from microsoft.com" and the sky's the limit 
on how you might use something like that for social engineering.

> Perhaps "Stolen encryption key the source of compromised certificate
> problem, Symantec says,"
> http://computerworld.co.nz/news.nsf/security/stolen-encryption-key-the-source-of-compromised-certificate-problem-symantec-says?

Anyone can sign up to get a code signing cert for basic driver signing;
there is no test of purity of heart involved. Probably the only reason the
bad guys used a stolen one is that it was easier to steal or buy a private
key than to set up a temporary identity and pay a few hundred bucks for an
official one.

- Marsh
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
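The point Marsh makes above, that a properly built updater only trusts code-signing chains anchored at its vendor's own root and ignores certificates from unrelated public CAs, is easy to state and easy to get wrong. The following is an added example written for this archive page, not code from anyone in the thread, from Microsoft, or from Symantec. It builds two throwaway ECDSA PKIs in memory (a "vendor" root with an issuing CA, and a separate, unrelated CA standing in for a DigiNotar-style public CA), signs a constructed "driver image" under each, and checks the artifacts against a pinned root set with the code-signing EKU required. All names, the `SignedArtifact` layout and the `Scenario` helper are constructed for illustration; real Authenticode uses PKCS#7 containers rather than a bare ECDSA signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a P-256 certificate. A nil parent yields a self-signed root.
// CA certs get the CertSign key usage; leaves get the code-signing EKU.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SignedArtifact is a constructed stand-in for a signed driver image: the bytes,
// an ECDSA signature over their SHA-256 digest, and the signer's chain
// (leaf first, then whatever intermediates the signer chose to embed).
type SignedArtifact struct {
	Payload []byte
	Sig     []byte
	Chain   []*x509.Certificate
}

// Sign produces an artifact under the given leaf key and embeds the chain.
func Sign(payload []byte, leaf *x509.Certificate, key *ecdsa.PrivateKey, intermediates ...*x509.Certificate) SignedArtifact {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return SignedArtifact{Payload: payload, Sig: sig, Chain: append([]*x509.Certificate{leaf}, intermediates...)}
}

// VerifyPinned accepts the artifact only if (1) the signature matches the
// payload under the leaf key, (2) the leaf is valid for code signing, and
// (3) the chain ends at one of the pinned roots. Embedded certificates are
// used only for path building; they can never act as a trust anchor.
func VerifyPinned(a SignedArtifact, pinned *x509.CertPool) error {
	if len(a.Chain) == 0 {
		return errors.New("no signer certificate")
	}
	leaf := a.Chain[0]
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signer key type")
	}
	h := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(pub, h[:], a.Sig) {
		return errors.New("signature does not match payload")
	}
	inter := x509.NewCertPool()
	for _, c := range a.Chain[1:] {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         pinned,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// Scenario builds both PKIs and returns the verdict for three artifacts: one
// signed under the vendor's pinned root, one under an unrelated CA that even
// ships its own root in the chain, and one whose payload was modified.
func Scenario() (vendorOK, rogueOK, tamperedOK bool) {
	vendorRoot, vendorRootKey := issue("Vendor Root CA", true, nil, nil)
	vendorIssuing, vendorIssuingKey := issue("Vendor Code Signing CA", true, vendorRoot, vendorRootKey)
	vendorLeaf, vendorLeafKey := issue("Vendor Driver Publisher", false, vendorIssuing, vendorIssuingKey)

	rogueRoot, rogueRootKey := issue("Some Other Public CA", true, nil, nil)
	rogueLeaf, rogueLeafKey := issue("Vendor Driver Publisher", false, rogueRoot, rogueRootKey) // same name, wrong anchor

	pinned := x509.NewCertPool()
	pinned.AddCert(vendorRoot)

	driver := []byte("constructed driver image bytes")
	good := Sign(driver, vendorLeaf, vendorLeafKey, vendorIssuing)
	rogue := Sign(driver, rogueLeaf, rogueLeafKey, rogueRoot)
	tampered := good
	tampered.Payload = []byte("constructed driver image bytes, modified")

	return VerifyPinned(good, pinned) == nil, VerifyPinned(rogue, pinned) == nil, VerifyPinned(tampered, pinned) == nil
}

func main() {
	v, r, t := Scenario()
	fmt.Printf("vendor-signed: %v  rogue-CA-signed: %v  tampered: %v\n", v, r, t)
}
```

The design choice that matters is in `VerifyPinned`: `Roots` is the vendor's own pool, not the system store, so a certificate that any other CA issued for the same subject name, however well-formed, has no path to an anchor and is rejected. That is the property that kept DigiNotar-issued certificates inert for Windows Update; the "Always trust ActiveX controls from microsoft.com" setting Marsh mentions is dangerous precisely because it trusts a name rather than a pinned chain.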