Possible New Rootkit Has Drivers Signed by Realtek

Security researchers have identified a new suspicious program that is copying itself to PCs via USB mass storage devices and is digitally signed with the certificate of Realtek Semiconductor, a major manufacturer of computer products based in Taiwan.

Security researchers have identified a new suspicious program that is copying itself to PCs via USB mass storage devices and is digitally signed with the certificate of Realtek Semiconductor, a major manufacturer of computer products based in Taiwan.

The program, known as Stuxnet, looks like a somewhat standard-issue piece of malware, with a couple of key exceptions. Stuxnet uses an LNK file to launch itself from infected USB drives onto
PCs. LNK files are used by Windows programs as a shortcut or reference
to an original file, and this is thought to be the first instance of a
piece of suspected malware using a LNK file to infect machines.. Secondly, and far more worrisome, is the fact that the two drivers associated with the Trojan are digitally signed with the Realtek certificate.

“However, sometimes cybercriminals do somehow manage to get their
hands on their very own code signing certificate/ signature. Recently,
we’ve been seeing regular instances of this with Trojans for mobile
phones. When we identify cases like this, we inform the appropriate
certification authority, the certificate is revoked, and so on,” Aleks Gostev of Kaspersky Lab said in a blog post on the Trojan. “However, in the case of Stuxnet, things look very fishy indeed.
Because the Trojan isn’t signed with a random digital signature, but the
signature of Realtek
, one of the biggest producers of computer equipment.

“Recalling a certificate from a company like this simply isn’t
feasible – it would cause an enormous amount of the software which
they’ve released to become unusable.”

Upon execution, Stuxnet creates two drivers on the compromised machine, called mrxcls.sys and mrxnet.sys. The drivers are used to mask the malware on both the USB drive and the infected PC. Those two drivers are signed using the certificate of Realtek. The program doesn’t seem to do anything else malicious after it’s on a new machine, although it will copy itself to other USB drives attached to the PC.

A check of the certificate’s validity with VeriSign, the certificate’s issuer, shows that it is indeed legitimate. One of the problems that digitally signed malware files such as Stuxnet present is that they’re often trusted implicitly by security programs, so they’re allowed to pass by with no problems. And in some cases the security software may whitelist any digitally signed files as a matter of course.

The Stuxnet Trojan was discovered in mid-June by an antimalware company in Belarus called VirusBlokAda. The certificate for the Trojan was valid through June 10 and Stuxnet’s drivers were signed in late January. It was about a week after the certificate expired that the antimalware community first saw Stuxnet in the wild.

Gostev said that one possible explanation for the digitally signed drivers is that they’re legitimate components of the software on a USB drive that have characteristics of a rootkit. The new Trojan is currently confined to machines in India, Iran and Indonesia.


“Yes, they have rootkit functionality, and hide lnk and ~WTRxxxx.tmp
files in the root of the storage device. But that doesn’t mean the
driver files aren’t legitimate – remember the Sony rootkit incident? And the malware that used the rootkit technology,” he wrote.

Realtek did not respond to a request for comment.

Suggested articles


  • Anonymous on

    It's not an obscure image file format, it's the windows standard shortcut extension .lnk (LNK), not .ink (by default, it is hidden from view in the explorer).

  • Dennis Fisher on

    You're right, thanks. I made the change.

  • Anonymous on

    This sounds like it was more of a "proof of concept" trojan since it didn't really do anything that we know of.  Now that they know it works, who knows what's next.  I really hate these people.

  • Anonymous on

    Realtek revoked the certificate already

  • Anonymous on

    Ehh?! - it put the microcode of industrial controllers in power stations and other such large industrial machinery 'in the hands' of the botnet owner who could send updated code out... and the main targets appear to be three large muslim nations in the middle east who may or may have or  be developing nuclear programs?

    <cough> mossad </cough>

  • Anonymous on

    But the STEP7/PLC are also used for generating codes for mobile power geenrators used by Prithvi, Aakash, and other PSLV launch vehicles made by India; the Fenglin, Yuyuan grade of ABM and LongMarch II and IV space rockets made by China; AstrosII by Brazil, and of course Buran Space Shutle by Russia. They all use Step7 code to program the logic controller. India in particular relied heavilty on French and German technology during pre-normalization year (before 1984) and is at greater risk of having severe consequences -- mainly the missles are targetted at China and Pakistan. I hope those missiles don't go awry and hit Saudi Arabia. 

  • Anonymous on

    The Sony root kit phoned home a list of songs from your itunes library but how it did this was clever.

    Your regular modem or cable connection was by passed and your printer usb to your printer / fax / coppier / scanner combo machine was used to transmit a low frequency signal down your fax telephone line. The local telco was in on it as they charged Sony for the privelage. Ameter radio opperators noticed the unusual carrier signals of some US naval stations as the phone line from the studio to the transmitter was also carying the code. This showed up on a spectrum display as an anomally. Sony were busted. Seven years on the next generation of malware is near undetectable

    your free download packet sniffing programme wont go there and the root kit revealing software is all to late. Caution is the only safeguard stand alone must be stand alone!




Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.