The Stuxnet saga is continuing to take new and troubling turns. Researchers now have found a new binary file associated with the Stuxnet malware that is signed using the digital certificate of another Taiwanese hardware manufacturer, JMicron Technology Corp.
This new revelation adds another layer of complexity to a story that’s already as complicated as they come. Researchers at Eset on Monday said that they had discovered a new file associated with Stuxnet that is signed using JMicron’s digital certificate. This comes about a week after experts discovered that the original version of Stuxnet, which exploits the recently publicized .lnk shortcut vulnerability in the Windows shell, had a pair of drivers signed by Realtek Semiconductor. Microsoft has acknowledged the new .lnk vulnerability and said it is investigating the problem.
The new twist in the Stuxnet story opens up another set of possibilities for how the attackers are getting their hands on the digital certificates. Getting access to one certificate could be difficult, but there’s any number of ways it could have happened: a lone rogue employee who stole it and sold it; a targeted attack against the company; a man-in-the-middle attack, etc. But the fact that Stuxnet has separate components now signed by certificates belonging to two separate companies raises some questions,” Eset researcher Pierre-Marc Bureau said in a blog post.
“This new information is
important because it provides more information on the people behind
Win32/Stuxnet. We rarely see such professional operations. They either
stole the certificates from at least two companies or purchased them
from someone who stole them.”
There are other possibilities, as well, experts say. Costin Raiu, the head of Kaspersky Lab’s research team, speculates that the companies involved could also have been the victim of a malware attack.
“One possibility here is that both JMicron and Realtek got infected with a
trojan such as Zeus, that steals digital certificates. Then, the
cybercriminals who got the certificates, either re-sold them on the
market or used them by themselves to sign the Stuxnet drivers,” he said in a blog post on the Stuxnet case. “To be honest, the fact that trojans were stealing digital certificates
did not really seem that impressive when I have first seen this
capability. Now, coupled with the Stuxnet story, it begins to
make sense”