Free Republic
Browse · Search
General/Chat
Topics · Post Article


Duqu 2.0 malware buried into Windows PCs using stolen Foxconn certs (Signed by Chinese factory)
The Register ^ | June 15, 2015 | John Leyden

Posted on 06/15/2015 8:24:50 PM PDT by dayglored

The super-sophisticated malware that infiltrated Kaspersky Labs is more crafty than first imagined.

We're told that the Duqu 2.0 software nasty was signed using legit digital certificates issued to Foxconn – a world-leading Chinese electronics manufacturer, whose customers include Microsoft, Dell, Google, BlackBerry, Amazon, Apple, and Sony. The code-signing was uncovered by researchers at Kaspersky Lab, who are studying their Duqu 2.0 infection.

Windows trusts Foxconn-signed code because the Chinese goliath's certificate was issued by VeriSign, which is a trusted certificate root. Thus, the operating system will happily load and run the Foxconn-signed Duqu 2.0's 64-bit kernel-level driver without setting off any alarms. And that would allow the malware to get complete control over the infected machine.

Kaspersky Lab experts reckon Duqu's masterminds have been able to snatch copies of the private keys to various code-signing certificates, using a different one in each attack on an organization. The Foxconn certificate used in this instance was most likely stolen.

The Russian security firm said the Foxconn certificate leak undermines the use of digital certificates as a reliable tool for validating computer code: the whole point of them is to prove that software has not been tampered with, and was built by the vendor signing the executable.

...

As previously reported, Duqu 2.0 exploits up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency – Israel's spies are suspected. Duqu 2.0 resides solely in the computer’s memory, with no data written to disk....

(Excerpt) Read more at theregister.co.uk ...


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: 201506; amazon; apple; blackberry; china; computers; computing; dell; duqu; duqu2; duqu20; foxconn; google; hacker; internet; israel; joooooooooooooooooos; kaspersky; kasperskylabs; malware; microsoft; russia; sony; tech; verisign; virus; windows; windowspinglist
To: Lurkina.n.Learnin

The ruskis were just po’d that they couldn’t do as well.


21 posted on 06/15/2015 9:54:40 PM PDT by X-spurt (CRUZ missile - armed and ready.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: dayglored

I didn’t get an AMD64 computer until sometime last year.

As a result, I’ve been somewhat conditioned to conserve memory...like the developers and engineers of old...though I would have never been responsible for a Y2K bug, if I travelled across time...and placed in such a situation...


22 posted on 06/15/2015 9:59:33 PM PDT by __rvx86 (Ted Cruz: Strike two.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: dayglored
> The Foxconn certificate used in this instance was most likely stolen.

Assuming facts not in evidence. No wonder they ran into problems if they are that trusting.

23 posted on 06/15/2015 10:23:21 PM PDT by PAR35
[ Post Reply | Private Reply | To 1 | View Replies]

To: __rvx86
> ...I’ve been somewhat conditioned to conserve memory...like the developers and engineers of old...

LOL. :-)

True story. Long ago I designed an 8-bit A-D/D-A X/Y converter interface, with X-Y joystick input, and the D-As could place a single dot on the screen of an oscilloscope CRT for a split second. That was my input and output. Using hand-assembled (pencil and paper) machine language I designed and programmed:

I didn't have any choice. You see, my entire RAM was 1KB. This was on a homebrew 6502 1MHz computer, in 1976.

24 posted on 06/15/2015 10:24:49 PM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: dayglored

Chinese and Russians discover Israeli “malware”...

Hmmmm....


25 posted on 06/15/2015 11:06:42 PM PDT by Thunder90 (All posts soley represent my own opinion.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

It’s late and I may be missing something obvious — How does this malware reside solely in memory with nothing written to the disk? How does it get into the memory on power-up if not from the disk?


26 posted on 06/15/2015 11:22:48 PM PDT by Bob (No, being a US Senator and the Secretary of State are not accomplishments; they're jobs.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bob
> How does this malware reside solely in memory with nothing written to the disk? How does it get into the memory on power-up if not from the disk?

The malware is in the form of a 64-bit kernel-level driver, which because it will be loaded into such a secure part of the operating system (the kernel), must be signed digitally and verified. That's what the stolen key/cert is about -- it "validates" to Windows that the malware-infected driver is okay to load.

So in that sense the malware has a persistent presence, in the loadable driver, on the machines where it loads on boot.

But the driver is loaded into special machines on boot -- gateways, routers, firewalls -- that specifically have the internet on one side and the corporate local network on the other side. This means the driver gets to see, filter, change, redirect, or block any network traffic it wants to. It also -- and this is important -- can dynamically supply the infected driver over the corporate network to any/all other machines inside.

And in that way, those machines do NOT have a persistent, disk-resident copy of the malware.

Or at least, that's the picture I get from this Kaspersky release:

https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/

If you read that and get a different picture, by all means write back and correct my misapprehension. Thanks!

27 posted on 06/16/2015 12:57:01 AM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: wastedyears

So you are making your own motherboards, chips, and peripherals?
Everything is made in China and they can hide what they want down at the lowest levels imaginable.


28 posted on 06/16/2015 2:12:06 AM PDT by The Free Engineer
[ Post Reply | Private Reply | To 11 | View Replies]

To: dayglored

Thanks for the ping. It just keeps getting more interesting. I thought it was the Israelis or the US, now I’m questioning that conclusion. Maybe it’s the Chicoms, or maybe this is another clue designed to divert and confuse?


29 posted on 06/16/2015 2:27:10 AM PDT by Woodman
[ Post Reply | Private Reply | To 27 | View Replies]

To: wastedyears

Very good, and the way to go.

At the company-level, most use Enterprise licenses, and deploy the operating system to machines rather than just use the OEM version that comes with so many boxes.

Numerous deployment tools exist, such as the free Microsoft Deployment Toolkit (MDT) or the more robust System Center Configuration Manager—which requires a license—but they make remote deployment and installation a breeze.

It’s the best way to ensure crap stays off the systems.


30 posted on 06/16/2015 3:15:38 AM PDT by Alas Babylon! (As we say in the Air Force, "You know you're over the target when you start getting flak!")
[ Post Reply | Private Reply | To 11 | View Replies]

To: The Free Engineer

Good point.

It’s like the “Unknown Hacker” of old. A hacker so good, no one knows he’s there, and no system intrusion software can find him.

At some point we might just have to give up, sit back and enjoy the ride.


31 posted on 06/16/2015 3:24:57 AM PDT by Alas Babylon! (As we say in the Air Force, "You know you're over the target when you start getting flak!")
[ Post Reply | Private Reply | To 28 | View Replies]

To: dayglored

So let me see if I understand this...

Vendor buys EV cert from VeriSign to sign code.
Vendor’s cert is part of the trusted roots, as VeriSign always is, and anything using the vendor’s signed code is permitted to run.
Vendor’s cert is compromised (read: stolen) and used to sign malicious code.
Code is distributed and runs unabated because the cert chain is trusted.

What’s the attack vector? Is it social engineering (i.e. through email download) or is it a rootkit embedded in the OS? I’m a little fuzzy on details.


32 posted on 06/16/2015 4:18:45 AM PDT by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

If you have an internal corporate CA, you could turn off acceptance of external code signing certificates and only trust those issued by your internal CA. It would make installation of new third-party software difficult, but it would protect your network until the CRLs and OCSPs can be updated.


33 posted on 06/16/2015 4:21:10 AM PDT by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 9 | View Replies]
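The chain of trust that dayglored (post 27) and rarestia (post 32) describe, and the "trust only our own CA" mitigation rarestia suggests in post 33, can be turned into a routine check on the defending side. The script below is an added example written for this thread; it is not code from The Register article, from Kaspersky, or from any poster. It lists the kernel drivers Windows currently has loaded, reads each one's Authenticode signature, rebuilds the signer's certificate chain with online revocation checking (CRL/OCSP), requires the code-signing EKU, and flags any driver whose issuer is not on an approved list. The `Contoso Internal Code Signing CA` name, the `CN=Microsoft Windows*` pattern and the report path are assumptions to be replaced with your own values. Note the limit the thread itself implies: a driver signed with a stolen key that has not yet been revoked passes every cryptographic check, so the allowlist of issuers is what actually catches it, and only after the key is revoked does the revocation check add anything.

```powershell
# Added example (not from the thread or the article): audit the Authenticode
# signatures of the kernel drivers that are loaded right now. Run elevated.
#
# Assumptions (hypothetical, adjust for your environment):
#   $ApprovedIssuerPatterns - issuer subjects you are willing to trust for driver
#                             code: your internal CA plus Microsoft's Windows CAs.
#   $ReportPath             - where the CSV report is written.
$ApprovedIssuerPatterns = @(
    'CN=Contoso Internal Code Signing CA*',   # hypothetical internal CA
    'CN=Microsoft Windows*'                   # Microsoft's own Windows signing CAs
)
$ReportPath = Join-Path $env:TEMP 'driver-signature-audit.csv'

# id-kp-codeSigning: the leaf must be valid for signing code, not just any purpose.
$codeSigningOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'

# 1. Enumerate running drivers together with their on-disk image paths.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may carry a \??\ prefix or quotes; reduce it to a plain path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '"', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # 2. Read the signature embedded in the file (or the catalog covering it).
    $sig = Get-AuthenticodeSignature -FilePath $path
    $issuer = $null; $root = $null; $built = $false; $chainErrors = @()

    if ($sig.SignerCertificate) {
        # 3. Rebuild the chain ourselves so revocation is checked online for
        #    every certificate in it, instead of relying on a cached CRL.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid)
        $built  = $chain.Build($sig.SignerCertificate)
        $issuer = $sig.SignerCertificate.Issuer
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
        $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    # 4. Approved only if Windows reports Valid, our online chain build succeeded
    #    (no revoked or untrusted element) and the issuer is one we chose to trust.
    $issuerApproved = $false
    foreach ($p in $ApprovedIssuerPatterns) { if ($issuer -like $p) { $issuerApproved = $true } }

    [pscustomobject]@{
        Driver      = $d.Name
        Path        = $path
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Issuer      = $issuer
        Root        = $root
        ChainErrors = ($chainErrors -join ';')
        Approved    = ($sig.Status -eq 'Valid' -and $built -and $issuerApproved)
    }
}

$results | Export-Csv -NoTypeInformation -Path $ReportPath
Write-Host "Report written to $ReportPath"

# Everything not approved is what an analyst should look at first.
$results | Where-Object { -not $_.Approved } |
    Format-Table Driver, Status, Signer, Issuer, ChainErrors -AutoSize
```

On a clean machine the unapproved list is typically short and made up of third-party hardware drivers whose issuer you have not yet added to the pattern list; treat the list as a baseline and diff it over time, because a newly appearing driver signed by an unexpected issuer is the condition the thread is discussing.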

To: Excellence

bfl


34 posted on 06/16/2015 4:33:28 AM PDT by Excellence (Marine mom since April 11, 2014)
[ Post Reply | Private Reply | To 27 | View Replies]

To: dayglored
Chrome trumps all comers in reported vulnerabilities

IE for Win 10 preview Make up your mind: Microsoft puts a bullet in Internet Explorer after all Spartan to be default in Windows 10, IE11 to 'remain fundamentally unchanged' 48 Comments

35 posted on 06/16/2015 5:19:23 AM PDT by daniel1212 (Come to the Lord Jesus as a contrite damned+destitute sinner, trust Him to save you, then live 4 Him)
[ Post Reply | Private Reply | To 1 | View Replies]

To: The Free Engineer

I didn’t mean making my own components, I meant building a PC.


36 posted on 06/16/2015 9:19:04 AM PDT by wastedyears (Knights of Sidonia)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Alas Babylon!

And I get exactly what I want, for quite a bit less cash. I’ll never again buy one of those premade computers.


37 posted on 06/16/2015 9:46:18 AM PDT by wastedyears (Knights of Sidonia)
[ Post Reply | Private Reply | To 30 | View Replies]

To: dayglored
> And in that way, those machines do NOT have a persistent, disk-resident copy of the malware.

Thanks for the additional information. I must admit that I was a bit confused as to how the memory-resident portion of the virus was able to get there without being present on the machine's hard drive.

38 posted on 06/16/2015 3:31:48 PM PDT by Bob (No, being a US Senator and the Secretary of State are not accomplishments; they're jobs.)
[ Post Reply | Private Reply | To 27 | View Replies]

To: daniel1212
> Chrome trumps all comers in reported vulnerabilities

That's not really a surprise, especially back in March. :-) Even so (I'm not a Chrome fan), simply totaling vulnerabilities is a salesman's game, as it has little technical relevance to actual security. Vulnerabilities are generally not equally dangerous.

> IE for Win 10 preview Make up your mind: Microsoft puts a bullet in Internet Explorer after all Spartan to be default in Windows 10, IE11 to 'remain fundamentally unchanged' 48 Comments

Well yes, we've had a number of threads on Spartan/Edge since March.

But thanks for the reminders.

39 posted on 06/16/2015 8:05:59 PM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
[ Post Reply | Private Reply | To 35 | View Replies]

To: dayglored; AdmSmith; AnonymousConservative; Arthur Wildfire! March; Berosus; Bockscar; cardinal4; ..
Gee, it couldn't be China's gubmint...

40 posted on 02/28/2021 12:00:57 AM PST by SunkenCiv (Imagine an imaginary menagerie manager imagining managing an imaginary menagerie.)
[ Post Reply | Private Reply | To 13 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson