
List:       cypherpunks
Subject:    Re: [cryptography] [OT] Reworked Version of Stuxnet Relative Duqu Found in Iran
From:       Eugen Leitl <eugen () leitl ! org>
Date:       2012-03-29 15:50:51
Message-ID: 20120329155051.GH14482 () leitl ! org

----- Forwarded message from Marsh Ray <marsh@extendedsubset.com> -----

From: Marsh Ray <marsh@extendedsubset.com>
Date: Wed, 28 Mar 2012 23:18:07 -0500
To: noloader@gmail.com
Cc: Discussion of cryptography and related <cryptography@randombit.net>
Subject: Re: [cryptography] [OT] Reworked Version of Stuxnet Relative Duqu
	Found in Iran
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
	rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20

On 03/28/2012 10:39 PM, Jeffrey Walton wrote:
> Hi Guys,
> 
> From "Reworked Version of Stuxnet Relative Duqu Found in Iran,"
> http://www.securitynewsdaily.com/1642-stuxnet-duqu-iran.html:
> 
> Duqu's builders also changed its encryption algorithm and
> rigged the malware loader to pose as a Microsoft driver.
> (The old driver was signed with a stolen Microsoft certificate.)

I hadn't heard about a driver signed with a "stolen Microsoft certificate."
I suspect it's imperfect reporting.

That article links to
http://www.symantec.com/connect/blogs/new-duqu-sample-found-wild
which says: "Another difference is the old driver file was signed with a
stolen certificate and this one is not."

> Is the stolen certificate related to Diginotar or some other incident?
> Microsoft claims Diginotar issued certificates are inert
> (http://www.computerworld.com/s/article/9219729/Microsoft_Stolen_SSL_certs_can_t_be_used_to_install_malware_via_Windows_Update).
> 

Right. The legitimate Windows Update system application won't recognize  
certs from random CAs like DigiNotar. (Code signing PKI appears good  
enough for everyone except the vendors themselves.)

But it might be possible to silently pwn MSIE users who checked the box  
"Always trust ActiveX controls from microsoft.com" and the sky's the limit 
on how you might use something like that for social engineering.

> Perhaps "Stolen encryption key the source of compromised certificate
> problem, Symantec says,"
> http://computerworld.co.nz/news.nsf/security/stolen-encryption-key-the-source-of-compromised-certificate-problem-symantec-says?
> 

Anyone can sign up to get a code signing cert for basic driver signing,  
there is no test of purity of heart involved. Probably the only reason the 
bad guys used a stolen one is that it was easier to steal or buy a private 
key than to set up a temporary identity and pay a few hundred bucks for an 
official one.

- Marsh
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
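The thread's point is that a "valid" driver signature only proves the signer bought (or stole) a cert from some CA that Windows trusts, whereas Windows Update pins to Microsoft's own hierarchy. The PowerShell below is an added example, not code from the thread, its authors or Symantec: it checks a driver's Authenticode signature and then rebuilds the chain to require that it end at one specific, expected root. The function name and the `$ExpectedRootThumbprint` parameter are this example's own, and the thumbprint is a placeholder the reader must take from their own trusted-root store.

```powershell
# Added example: accept a driver only if its signature is valid AND its chain
# terminates at a pinned root, not merely at "some CA Windows trusts".
function Test-DriverSignerPinned {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: SHA-1 thumbprint of the root you expect, e.g. from
        # Get-ChildItem Cert:\LocalMachine\Root; do not copy a value from here.
        [Parameter(Mandatory)] [string] $ExpectedRootThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, ...: reject before looking further.
        return [pscustomobject]@{ Path = $Path; Signer = $null; Root = $null;
                                  Result = "Rejected: signature status $($sig.Status)" }
    }

    # Rebuild the chain ourselves so the root can be inspected, with online
    # revocation checking and the Code Signing EKU required on the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)
    $built = $chain.Build($sig.SignerCertificate)

    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        # The last element of a built chain is the self-signed root.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    $pinned = $built -and $root -and ($root.Thumbprint -ieq $ExpectedRootThumbprint)
    if ($pinned) {
        $result = 'Accepted: chain ends at the pinned root'
    } else {
        $result = 'Rejected: signature verifies, but the chain does not end at the pinned root'
    }

    [pscustomobject]@{
        Path   = $Path
        Signer = $sig.SignerCertificate.Subject
        Root   = if ($root) { $root.Subject } else { $null }
        Result = $result
    }
}

# Usage (paths and thumbprint are placeholders):
# Test-DriverSignerPinned -Path 'C:\path\to\driver.sys' -ExpectedRootThumbprint '<ROOT-THUMBPRINT>'
```

A signature that passes `Get-AuthenticodeSignature` but lands in the "Rejected ... pinned root" branch is exactly the case the thread describes: a legitimately issued, or stolen, code-signing cert from a CA other than the one you meant to trust.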


