This past year or so has been a rough one for certificate authorities. From the attacks on DigiNotar and Comodo to malware such as Stuxnet and Zeus that used signed digital certificates in their assaults on vulnerable systems.
Now, we can add one more piece of malware to the list. Duqu, which security researchers are saying shares heavy similarities with Stuxnet, is signed with a key belonging to a company in Taipei called C-Media Electronics. The company is in the same business district in Taiwan as the companies whose keys were used by Stuxnet, Dave Marcus, director of security research and communications for McAfee Labs, said today during McAfee’s Focus 2011 conference.
The certificate, which was revoked Oct. 14, was set to expire Aug. 2, 2012. There seems to be some disagreement between McAfee and Symantec as to whether the key was stolen or generated by the attackers, with McAfee contending the latter. Regardless, the end result was the same – malware was installed on a system.
“Why would you want to sign a piece of malware with a valid key – because it avoids detection by AV (antivirus) technologies,” he said.
“You are undermining the entire CA system when you are creating rogue keys…This now the third or fourth time in my recent memory we’ve seen rogue CAs,” he said. “We’re starting to see more and more.”
Much remains unknown about Duqu, though it seems to have been written to gather intelligence from entities such as industrial control system manufacturers for use in future attacks against other organizations. For this reason, along with the fact that roughly 50 percent of Duqu’s code is identical to Stuxnet’s code, Duqu represents a precursor to a Stuxnet-like attack, Vikram Thakur, Principle Security Response Manager at Symantec, told SecurityWeek.
Still, the malware lacks Stuxnet’s worm functionality, and it does not target industrial control systems. Instead, Duqu was used to install another infostealer that records keystrokes and other information, according to Symantec. Based on compile times, the attacks using the variants of Duqu the company analyzed could have been conducted as early as December 2010.
So far, the evidence shows it is focused on just a handful of organizations, Thakur said.
“At this time, we know at least one of these entities in a Europe-based industrial control systems manufacturer,” he said, adding that current analysis shows Duqu affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista and Windows XP.
“It is apparent to us that the authors of Duqu had access to the Stuxnet source code, not just Stuxnet binaries,” Thakur said. “This means it is possible that Duqu was created by the same attackers that created Stuxnet. Though the original creators of Stuxnet are not known, the fact (is) that it was obviously very sophisticated and well-funded and is likely to be beyond the capability of most hacking groups. If Duqu was created by the same authors of Stuxnet, it is likely the work of either a well-funded private or government entity.”