Posted on 06/15/2015 8:24:50 PM PDT by dayglored
The super-sophisticated malware that infiltrated Kaspersky Labs is more crafty than first imagined.
We're told that the Duqu 2.0 software nasty was signed using legit digital certificates issued to Foxconn, a world-leading Chinese electronics manufacturer, whose customers include Microsoft, Dell, Google, BlackBerry, Amazon, Apple, and Sony. The code-signing was uncovered by researchers at Kaspersky Lab, who are studying their Duqu 2.0 infection.
Windows trusts Foxconn-signed code because the Chinese goliath's certificate was issued by VeriSign, which is a trusted certificate root. Thus, the operating system will happily load and run the Foxconn-signed Duqu 2.0's 64-bit kernel-level driver without setting off any alarms. And that would allow the malware to get complete control over the infected machine.
Kaspersky Lab experts reckon Duqu's masterminds have been able to snatch copies of the private keys to various code-signing certificates, using a different one in each attack on an organization. The Foxconn certificate used in this instance was most likely stolen.
The Russian security firm said the Foxconn certificate leak undermines the use of digital certificates as a reliable tool for validating computer code: the whole point of them is to prove that software has not been tampered with, and was built by the vendor signing the executable.
...
As previously reported, Duqu 2.0 exploits up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency; Israel's spies are suspected. Duqu 2.0 resides solely in the computer's memory, with no data written to disk....
(Excerpt) Read more at theregister.co.uk ...
The ruskis were just po’d that they couldn’t do as well.
I didn’t get an AMD64 computer until sometime last year.
As a result, I’ve been somewhat conditioned to conserve memory...like the developers and engineers of old...though I would have never been responsible for a Y2K bug, if I travelled across time...and placed in such a situation...
Assuming facts not in evidence. No wonder they ran into problems if they are that trusting.
LOL. :-)
True story. Long ago I designed an 8-bit A-D/D-A X/Y converter interface, with X-Y joystick input, and the D-As could place a single dot on the screen of an oscilloscope CRT for a split second. That was my input and output. Using hand-assembled (pencil and paper) machine language I designed and programmed:
Chinese and Russians discover Israeli “malware”...
Hmmmm....
It’s late and I may be missing something obvious — How does this malware reside solely in memory with nothing written to the disk? How does it get into the memory on power-up if not from the disk?
The malware is in the form of a 64-bit kernel-level driver, which because it will be loaded into such a secure part of the operating system (the kernel), must be signed digitally and verified. That's what the stolen key/cert is about -- it "validates" to Windows that the malware-infected driver is okay to load.
So in that sense the malware has a persistent presence, in the loadable driver, on the machines where it loads on boot.
But the driver is loaded into special machines on boot -- gateways, routers, firewalls -- that specifically have the internet on one side and the corporate local network on the other side. This means the driver gets to see, filter, change, redirect, or block any network traffic it wants to. It also -- and this is important -- can dynamically supply the infected driver over the corporate network to any/all other machines inside.
And in that way, those machines do NOT have a persistent, disk-resident copy of the malware.
Or at least, that's the picture I get from this Kaspersky release:
https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/
If you read that and get a different picture, by all means write back and correct my misapprehension. Thanks!
So you are making your own motherboards, chips, and peripherals?
Everything is made in China and they can hide what they want down at the lowest levels imaginable.
Thanks for the ping. It just keeps getting more interesting. I thought it was the Israelis or the US, now I’m questioning that conclusion. Maybe it’s the Chicoms, or maybe this is another clue designed to divert and confuse?
Very good, and the way to go.
At the company-level, most use Enterprise licenses, and deploy the operating system to machines rather than just use the OEM version that comes with so many boxes.
Numerous deployment tools exist, such as the free Microsoft Deployment Toolkit (MDT) or the more robust System Center Configuration Manager—which requires a license—but they make remote deployment and installation a breeze.
It’s the best way to ensure crap stays off the systems.
Good point.
It’s like the “Unknown Hacker” of old. A hacker so good, no one knows he’s there, and no system intrusion software can find him.
At some point we might just have to give up, sit back and enjoy the ride.
So let me see if I understand this...
Vendor buys EV cert from VeriSign to sign code.
Vendor’s cert is part of the trusted roots, as VeriSign always is, and anything using the vendor’s signed code is permitted to run.
Vendor’s cert is compromised (read: stolen) and used to sign malicious code.
Code is distributed and runs unabated because the cert chain is trusted.
What’s the attack vector? Is it social engineering (i.e. through email download) or is it a rootkit embedded in the OS? I’m a little fuzzy on details.
If you have an internal corporate CA, you could turn off acceptance of external code signing certificates and only trust those issued by your internal CA. It would make installation of new third-party software difficult, but it would protect your network until the CRLs and OCSPs can be updated.
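One way an admin could audit the trust chain this thread describes, written here as an added example rather than anything from the thread or from Kaspersky: list every installed kernel driver, build its Authenticode chain with online revocation checking, and flag any driver whose chain does not end at a root on your own allowlist. The thumbprints in $AllowedRootThumbprints are placeholders you would replace with your internal CA root (and any public roots you choose to keep).

```powershell
# Added example (not from the thread): audit the signing chain of every
# installed kernel driver and flag signers whose root is not on an allowlist.
# Assumption: the thumbprints below are constructed placeholders; run elevated.
$AllowedRootThumbprints = @(
    'PLACEHOLDER_INTERNAL_CA_ROOT_THUMBPRINT',   # your internal CA root
    'PLACEHOLDER_OTHER_ACCEPTED_ROOT_THUMBPRINT' # any public root you still accept
)

function Get-DriverSignerReport {
    param([string[]] $AllowedRoots)

    # Win32_SystemDriver lists kernel drivers together with their image path.
    $drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName }
    foreach ($d in $drivers) {
        # PathName may carry a \??\ prefix or quotes; normalise to a plain path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $root = $null; $revoked = $false
        if ($sig.SignerCertificate) {
            # Build the chain ourselves with online CRL/OCSP checking, so a cert
            # pulled after a key theft is caught even though the signature is intact.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $null = $chain.Build($sig.SignerCertificate)
            $last = $chain.ChainElements.Count - 1
            $root = $chain.ChainElements[$last].Certificate.Thumbprint
            $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
            $revoked = @($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag }).Count -gt 0
        }
        [pscustomobject]@{
            Driver  = $d.Name
            Path    = $path
            Status  = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject
            Root    = $root
            Revoked = $revoked
            # A 'Valid' signature alone is not enough: the root must be one we chose.
            Allowed = ($sig.Status -eq 'Valid') -and -not $revoked -and ($AllowedRoots -contains $root)
        }
    }
}

Get-DriverSignerReport -AllowedRoots $AllowedRootThumbprints |
    Where-Object { -not $_.Allowed } |
    Format-Table Driver, Status, Signer, Root, Revoked -AutoSize
```

Anything this prints is a driver Windows was willing to load but that your own policy would not have accepted, which is the gap a stolen vendor certificate exploits.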
bfl
I didn’t mean making my own components, I meant building a PC.
And I get exactly what I want, for quite a bit less cash. I’ll never again buy one of those premade computers again.
Thanks for the additional information. I must admit that I was a bit confused as to how the memory-resident portion of the virus was able to get there without being present on the machine's hard drive.
That's not really a surprise, especially back in March. :-) Even so (I'm not a Chrome fan), simply totaling vulnerabilities is a salesman's game, as it has little technical relevance to actual security. Vulnerabilities are generally not equally dangerous.
> IE for Win 10 preview
Make up your mind: Microsoft puts a bullet in Internet Explorer after all. Spartan to be default in Windows 10, IE11 to 'remain fundamentally unchanged'.
Well yes, we've had a number of threads on Spartan/Edge since March.
But thanks for the reminders.
Gee, it couldn't be China's gubmint...