Stuxnet Saga Evolves With New Digitally Signed Binaries

The Stuxnet saga is continuing to take new and troubling turns. Researchers now have found a new binary file associated with the Stuxnet malware that is signed using the digital certificate of another Taiwanese hardware manufacturer, JMicron Technology Corp.


This new revelation adds another layer of complexity to a story that’s already as complicated as they come. Researchers at Eset on Monday said that they had discovered a new file associated with Stuxnet that is signed using JMicron’s digital certificate. This comes about a week after experts discovered that the original version of Stuxnet, which exploits the recently publicized .lnk shortcut vulnerability in the Windows shell, included a pair of drivers signed with a certificate belonging to Realtek Semiconductor. Microsoft has acknowledged the .lnk vulnerability and said it is investigating the problem.

The new twist in the Stuxnet story opens up another set of possibilities for how the attackers are getting their hands on the digital certificates. “Getting access to one certificate could be difficult, but there’s any number of ways it could have happened: a lone rogue employee who stole it and sold it; a targeted attack against the company; a man-in-the-middle attack, etc. But the fact that Stuxnet has separate components now signed by certificates belonging to two separate companies raises some questions,” Eset researcher Pierre-Marc Bureau said in a blog post.

“This new information is important because it provides more information on the people behind Win32/Stuxnet. We rarely see such professional operations. They either stole the certificates from at least two companies or purchased them from someone who stole them.”

There are other possibilities, as well, experts say. Costin Raiu, the head of Kaspersky Lab’s research team, speculates that the companies involved could also have been the victims of a malware attack.

“One possibility here is that both JMicron and Realtek got infected with a trojan such as Zeus, that steals digital certificates. Then, the cybercriminals who got the certificates either re-sold them on the market or used them by themselves to sign the Stuxnet drivers,” he said in a blog post on the Stuxnet case. “To be honest, the fact that trojans were stealing digital certificates did not really seem that impressive when I first saw this capability. Now, coupled with the Stuxnet story, it begins to make sense.”
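The practical lesson for defenders is that a valid Authenticode signature from a real vendor no longer proves a driver is that vendor’s code. The following PowerShell check is an added example written for this page; it is not code from the article, Eset or Kaspersky. It inventories the signer of every driver under System32\drivers and flags files whose signing certificate was issued to a publisher on a watch list. The watch list holds the two vendors named above, and the directory and list contents are assumptions for illustration.

```powershell
# Added example (not from the article, Eset or Kaspersky): inventory the
# Authenticode signer of each installed driver and flag those signed with a
# certificate issued to a watch-listed publisher. $DriverDir and $WatchList
# are assumptions chosen for this illustration.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
$WatchList = @('Realtek Semiconductor', 'JMicron Technology')

$results = Get-ChildItem -Path $DriverDir -Filter '*.sys' -File | ForEach-Object {
    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    $hit     = $WatchList | Where-Object { $subject -like "*$_*" }
    [pscustomobject]@{
        File       = $_.Name
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $subject
        Thumbprint = $thumb
        Watched    = [bool]$hit
    }
}

# Unsigned or tampered drivers are the first thing to look at.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Drivers signed under a watch-listed publisher. A 'Valid' status only shows
# that the chain verifies, which is exactly what a stolen certificate gives
# the attacker, so each hit still has to be matched against the vendor's own
# shipped driver (file hash, version resource, install path) before it is trusted.
$results | Where-Object { $_.Watched } | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver file is readable. The thumbprint column is what you would compare against the vendor’s known signing certificate once a revocation is published: the same publisher name can legitimately appear on several certificates, so a name match alone is a lead, not a verdict.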
