The digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.
Stuxnet's infection method takes advantage of a previously unknown vulnerability in most of the current versions of Windows, including Windows Vista, Windows 7 (both 32- and 64-bit versions), and Windows Server 2008. The vulnerability in the Windows shell is what enables the malware to execute via .lnk files. Microsoft said it is investigating the flaw and looking at possible solutions, but gave no clear indication that it intends to patch the flaw in the near future.
Stuxnet is an odd case. It is spread via infected USB thumb drives, which contain the rootkit code, along with two drivers that researchers say are used to hide the existence of the malware both on the USB drive and on the PC, once it's infected. The drivers are signed using a valid digital certificate owned by Realtek, a Taiwanese hardware manufacturer, and Stuxnet uses .lnk shortcut files to launch as soon as the USB drive is opened on a PC.
Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.
Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation: It's Signed, therefore it's Clean, right?
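The practical lesson of the expired and now-revoked Realtek certificate is that a signature check alone is not enough: a defender also has to look at the signer certificate's validity window and ask the issuer whether the certificate has been revoked. The following PowerShell script is an added example written for this post, not code from the original article or from any of the vendors mentioned. It walks a driver directory, verifies each driver's Authenticode signature, records the signer's validity period, and rebuilds the certificate chain with online revocation checking so that a revoked signer is flagged even when the signature itself still verifies. The `$DriverDir` parameter and the `Test-DriverSignature` function name are assumptions of this example; the Windows APIs it calls (`Get-AuthenticodeSignature`, `X509Chain`) are standard.

```powershell
# Added example (not from the original article): audit kernel driver signatures
# on a Windows host, reporting signer, validity window and revocation status.
# Assumptions: run in an elevated PowerShell session with network access so the
# CRL/OCSP lookups can complete; $DriverDir is a hypothetical parameter.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

function Test-DriverSignature {
    param([string]$Path)

    # WinVerifyTrust-backed signature check: Valid, NotSigned, HashMismatch, ...
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $null
        NotBefore  = $null
        NotAfter   = $null
        Expired    = $null
        ChainOk    = $null
        ChainError = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer    = $cert.Subject
        $result.NotBefore = $cert.NotBefore
        $result.NotAfter  = $cert.NotAfter
        $result.Expired   = (Get-Date) -gt $cert.NotAfter

        # Rebuild the chain with online revocation checking for every certificate
        # in it. A revoked signer, as in the Realtek case, fails here even though
        # the file's hash and signature are still mathematically correct.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainOk = $chain.Build($cert)
        if (-not $result.ChainOk) {
            # e.g. "Revoked", "NotTimeValid", "RevocationStatusUnknown"
            $result.ChainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    [pscustomobject]$result
}

# Report only the drivers that deserve a second look: unsigned, tampered,
# signed with an expired certificate, or signed by a certificate whose chain
# no longer builds (revoked, untrusted root, revocation status unknown).
Get-ChildItem -Path $DriverDir -Filter *.sys -File |
    ForEach-Object { Test-DriverSignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Expired -or -not $_.ChainOk } |
    Format-Table File, Status, Signer, NotAfter, ChainError -AutoSize
```

Two caveats when reading the output. A timestamped Authenticode signature remains valid after the signer certificate's `NotAfter` date, which is why an expired certificate by itself was not enough to stop the Stuxnet drivers from loading; `Expired` is therefore a prompt to look closer, not proof of tampering. Revocation, on the other hand, does invalidate the chain, but only once the host can actually reach the CRL or OCSP responder, so a `RevocationStatusUnknown` result on an offline machine should be treated as "not yet checked" rather than "clean".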