July 20, 2010, 10:34AM

Stuxnet Saga Evolves With New Digitally Signed Binaries

The Stuxnet saga is continuing to take new and troubling turns. Researchers now have found a new binary file associated with the Stuxnet malware that is signed using the digital certificate of another Taiwanese hardware manufacturer, JMicron Technology Corp.

This new revelation adds another layer of complexity to a story that's already as complicated as they come. Researchers at Eset on Monday said that they had discovered a new file associated with Stuxnet that is signed using JMicron's digital certificate. This comes about a week after experts discovered that the original version of Stuxnet, which exploits the recently publicized .lnk shortcut vulnerability in the Windows shell, had a pair of drivers signed by Realtek Semiconductor. Microsoft has acknowledged the new .lnk vulnerability and said it is investigating the problem.

The new twist in the Stuxnet story opens up another set of possibilities for how the attackers are getting their hands on the digital certificates. "Getting access to one certificate could be difficult, but there's any number of ways it could have happened: a lone rogue employee who stole it and sold it; a targeted attack against the company; a man-in-the-middle attack, etc. But the fact that Stuxnet has separate components now signed by certificates belonging to two separate companies raises some questions," Eset researcher Pierre-Marc Bureau said in a blog post.

"This new information is important because it provides more information on the people behind Win32/Stuxnet. We rarely see such professional operations. They either stole the certificates from at least two companies or purchased them from someone who stole them."

There are other possibilities, as well, experts say. Costin Raiu, the head of Kaspersky Lab's research team, speculates that the companies involved could also have been the victim of a malware attack.

"One possibility here is that both JMicron and Realtek got infected with a trojan such as Zeus, that steals digital certificates. Then, the cybercriminals who got the certificates either re-sold them on the market or used them by themselves to sign the Stuxnet drivers," he said in a blog post on the Stuxnet case. "To be honest, the fact that trojans were stealing digital certificates did not really seem that impressive when I first saw this capability. Now, coupled with the Stuxnet story, it begins to make sense."

Copyright © 2012 threatpost.com