Tuesday, July 20, 2010

Another Signed Stuxnet Binary

Via F-Secure -

There's a couple of new developments in the Stuxnet rootkit case. Last night, the analysts in our Kuala Lumpur lab added detection for another digitally signed Stuxnet driver. This one uses a certificate from JMicron Technology Corporation.


This particular certificate is valid until July 25, 2012.

While there are some modifications, initial analysis indicates that this new driver is very similar to the first set of Stuxnet samples we've seen, with the same basic functions and approach.

A hat tip to Pierre-Marc Bureau at ESET, he notes that JMicron and Realtek Semiconductor Corp both have offices in Hsinchu Science Park, Taiwan. Realtek is the source of the previously used certificate which has now been revoked by VeriSign.

We've speculated internally that Realtek's Authenticode leak could have resulted from Aurora style attacks which targeted source code management systems, but now, with the physical proximity of these two companies, we wonder if some physical penetration was also involved.

Additional news regarding Stuxnet is that Siemens, whose SIMATIC WinCC databases are targeted, has advised against changing their SCADA system's hardcoded password. The concern is that adjusting the password will create damaging conflicts.



On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp". This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp. It is interesting to note that both companies whose code signing certificates were used have offices in Hsinchu Science Park, Taiwan.



Symantec is now logging about 9,000 attempted infections per day, according to Gerry Egan, a director with Symantec Security Response.


If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website, Egan said.

"Whoever wrote the code really knew Siemens products," said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. "This is not an amateur."

By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products, he said.

No comments:

Post a Comment