Posted on 06/15/2015 8:24:50 PM PDT by dayglored
The super-sophisticated malware that infiltrated Kaspersky Labs is more crafty than first imagined.
We're told that the Duqu 2.0 software nasty was signed using legit digital certificates issued to Foxconn, a world-leading Chinese electronics manufacturer, whose customers include Microsoft, Dell, Google, BlackBerry, Amazon, Apple, and Sony. The code-signing was uncovered by researchers at Kaspersky Lab, who are studying their Duqu 2.0 infection.
Windows trusts Foxconn-signed code because the Chinese goliath's certificate was issued by VeriSign, which is a trusted certificate root. Thus, the operating system will happily load and run the Foxconn-signed Duqu 2.0's 64-bit kernel-level driver without setting off any alarms. And that would allow the malware to get complete control over the infected machine.
Kaspersky Lab experts reckon Duqu's masterminds have been able to snatch copies of the private keys to various code-signing certificates, using a different one in each attack on an organization. The Foxconn certificate used in this instance was most likely stolen.
The Russian security firm said the Foxconn certificate leak undermines the use of digital certificates as a reliable tool for validating computer code: the whole point of them is to prove that software has not been tampered with, and was built by the vendor signing the executable.
...
As previously reported, Duqu 2.0 exploits up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency; Israel's spies are suspected. Duqu 2.0 resides solely in the computer's memory, with no data written to disk....
(Excerpt) Read more at theregister.co.uk ...
No, wait... "Those Israelis".
Wait, what?
Geez, it’s gettin’ so’s ya can’t trust nobody these days!
It's not hard to defeat a lock when you have the key.
Russians know better than most that the success of any cypher program is the security of its keys.
As pointed out by the Russians. Yippee!
I've also heard that keys can be obtained very effectively with a pile of cash, and/or a rubber hose.
But NOT waterboarding.
OK, so we now know that hackers have a key that is signed by VeriSign. Has that key been revoked? Folks, especially Windows folks, are pretty screwed until they can get that revocation out. This is bad for Linux and OSX users as well, because I would imagine that most folks are going to trust that cert, which we now know is in malicious hands.
“Israel’s spies are suspected,” according to the commie/fascist Russians.
I’m not all that concerned, because I’ll be building my own PCs from now on. I don’t have to worry about bloatware and whoever else installing useless slow programs.
Just as important: How many of the OSes and applications out there that trust signed keys go to the extra trouble of checking the revocation list also?
I can tell you that not all of them bother with that additional step.
And for those unfortunate users, that compromised key is still as good as gold. Except of course it's not...
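The two points raised above, that Windows trusts the Foxconn-signed driver because its certificate chains to a trusted root, and that a loader which skips the revocation list keeps trusting a stolen certificate after the CA has revoked it, can be made concrete on a Windows host. The following is an added example, not code from the article, Kaspersky Lab, or anyone in this thread. It assumes Windows PowerShell 5.1 on a Windows machine; the function name and the drivers-directory sweep in the usage section are my own choices, not anything the page describes.

```powershell
# Added example: verify a file's Authenticode signature, then build the signer's
# certificate chain twice - once the lenient way (chain to a trusted root, never
# ask about revocation) and once with CRL/OCSP checking for the whole chain.
# A signer whose certificate has been revoked passes the first check and fails
# the second, which is exactly the gap the thread is asking about.
function Test-SignedFileChain {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path                      = $Path
        SignatureStatus           = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer                    = $null
        TrustedIgnoringRevocation = $false
        TrustedWithRevocation     = $false
        ChainErrors               = @()
    }
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$result }
    $result.Signer = $sig.SignerCertificate.Subject

    # Code Signing extended key usage; a cert without it must not be accepted
    # for signing executables, whatever root it chains to.
    $codeSigningEku = [System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3'

    # Pass 1: the lenient check - chain to a trusted root, revocation ignored.
    $lenient = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $lenient.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $lenient.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $result.TrustedIgnoringRevocation = $lenient.Build($sig.SignerCertificate)

    # Pass 2: same chain, but every certificate in it is checked against the
    # CA's CRL or OCSP responder. A stolen, since-revoked cert fails here.
    $strict = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $strict.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $strict.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $strict.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $result.TrustedWithRevocation = $strict.Build($sig.SignerCertificate)
    $result.ChainErrors = @($strict.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    return [pscustomobject]$result
}

# Usage (my own sweep, not from the page): list every kernel driver on this host
# whose signer is trusted only if revocation is ignored. An empty list is the
# result you want.
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" |
    ForEach-Object { Test-SignedFileChain -Path $_.FullName } |
    Where-Object { $_.TrustedIgnoringRevocation -and -not $_.TrustedWithRevocation } |
    Format-Table Path, Signer, ChainErrors -AutoSize
```

Two things to keep in mind when reading the output. First, the strict pass fails closed: on a host that cannot reach the CA's CRL or OCSP endpoint the chain status reports RevocationStatusUnknown or OfflineRevocation and `TrustedWithRevocation` is false, which is the conservative reading but not proof of a revoked certificate, so check `ChainErrors` before drawing conclusions. Second, `Get-AuthenticodeSignature` reports the signature on the file as it is now; a file signed before its certificate was revoked can still carry a valid timestamp countersignature, and whether that is honoured is a policy decision of the verifying software, which is the same "does it bother with the extra step" question the post above raises.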
Yeah, well, ya know... when in doubt, blame the Jews.
And this is why I build my own computers...or purchase from an independent system integrator...
Of the four computers that are sitting next to me, two are custom builds.
/ping
That’s what I’m going to be doing from now on. I’m proud of the $600 PC I built myself.
AMD A-10 6800k, 8GB 1600 RAM, and a Gigabyte mobo with the A55 chipset, which is pretty slow. That’s the guts of it, but it’s easily able to handle gaming.
(Isn't there a loophole in the E.U.L.A. for recent versions of Windows NT, where you could downgrade to the equivalent 32-bit edition at no cost?)
From the looks of it, the rootkit is a 64-bit K-mode Windows NT driver. It could not possibly load in a 32-bit Windows NT environment.
Unfortunately, if you have massive amounts of RAM available, it becomes inaccessible, since Microsoft removed most of the features of Physical Address Extension.
In recent versions of NT, PAE is only used to gain access to the X-D processor feature—preventing the execution of data-segments as code; see D.E.P.
Full PAE support existed in Windows 2000 and .NET Server, but was removed in Windows Vista due to problems with video drivers that screwed up when >4GB of memory was available in 32-bit mode.
And they’re using Legend computers... if they use Android cell phones, they are almost certainly Motorola... Legend acquired them last year.
Fortunately, Google kept the crown jewels. (Patents and I/P)
Anyone that trusted the Chinese did so at their own peril. That applies to all business with Chinese.
News to me, but hey, welcome news if true.
> From the looks of it, the rootkit is a 64-bit K-mode Windows NT driver. It could not possibly load in a 32-bit Windows NT environment. Unfortunately, if you have massive amounts of RAM available, it becomes inaccessible, since Microsoft removed most of the features of Physical Address Extension. In recent versions of NT, PAE is only used to gain access to the X-D processor feature, preventing the execution of data-segments as code; see D.E.P.
Greater than 4GB isn't "massive", it's just about the minimum required these days for anything other than single-app office apps. Hell, you can barely fit an "About" box message in a megabyte these days.
> Full PAE support existed in Windows 2000 and .NET Server, but was removed in Windows Vista due to problems with video drivers that screwed up when >4GB of memory was available in 32-bit mode.
And Microsoft decided that allowing >4GB in a 32-bit machine would extend the product life of the 32-bit version of XP, and they wanted it gone ASAP.
Microsoft does NOTHING by accident. They screw up, but even that is deliberate (if misguided).