The digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling presence of the signed drivers.
Stuxnet’s infection method takes advantage of a previously unknown vulnerability in most current versions of Windows, including Windows Vista, Windows 7 (both 32- and 64-bit) and Windows Server 2008. The vulnerability in the Windows shell is what enables the malware to execute via .lnk files. Microsoft said it is investigating the flaw and looking at possible solutions; however, there was no clear indication that the company intends to patch the flaw in the near future.
On Sunday, proof-of-concept exploit code for the Windows shell vulnerability was posted to Offensive Security’s Exploit Database. The code is designed to work on Windows XP SP3.
Stuxnet is an odd case. It is spread via infected USB thumb drives, which contain the rootkit code, along with two drivers that researchers say are used to hide the existence of the malware both on the USB drive and on the PC, once it’s infected. The drivers are signed using a valid digital certificate owned by Realtek, a Taiwanese hardware manufacturer, and Stuxnet uses .lnk shortcut files to launch as soon as the USB drive is opened on a PC.
Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question had actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.
“What is unique about Stuxnet is that it utilizes a new method of propagation. Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction,” Microsoft’s Tareq Saade said in a blog post. “We anticipate other malware authors taking advantage of this technique. Stuxnet will infect any USB drive that is attached to the system, and for this reason we’ve classified the malware as a worm.”
This is the first time that researchers have seen a piece of malware with the infection method that Stuxnet uses, relying on .lnk shortcut files to launch and hide itself. But it is not likely to be the last, given the popularity of USB drives at the moment and the propensity malware writers have for copying others’ successful tactics.
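To make the mechanism Saade describes concrete for a responder, here is an added example; it is not code from the original article, from Microsoft or from any Stuxnet analysis. It is a small parser for the Windows Shell Link (.lnk) binary format that walks a removable drive, records each shortcut's local base path, relative path and icon location, and flags shortcuts that point back at the drive itself or name a DLL/CPL module rather than a program. The `build_lnk` helper and the two sample shortcuts are constructed test fixtures, and the flagging rules are assumed triage heuristics chosen for illustration, not indicators taken from the article.

```python
"""Inventory and triage Windows shortcut (.lnk) files found on a removable drive.

Added example, not from the article. Field layout follows the public MS-SHLLINK
specification: 76-byte header, optional LinkTargetIDList, optional LinkInfo, then
StringData entries in a fixed order.
"""
import struct
import uuid
from pathlib import Path

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Assumed heuristic: shortcuts normally launch programs, so a target that is a
# loadable module is worth a second look. Not an indicator from the article.
MODULE_EXT = (".dll", ".cpl")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, LocalBasePath (if present) and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "local_base_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the PIDL, we only need paths
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + lbp_off)
            info["local_base_path"] = data[pos + lbp_off:end].decode("latin-1")
        pos += li_size
    for flag, name in STRING_FIELDS:             # CountCharacters then the characters
        info[name] = None
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            info[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return info


def triage_shortcut(data: bytes, drive: str) -> dict:
    """Parse one shortcut taken from `drive` and list the reasons to look closer."""
    info = parse_lnk(data)
    reasons = []
    for field in ("local_base_path", "relative_path", "icon_location"):
        value = info.get(field)
        if not value:
            continue
        v = value.lower()
        # Explorer resolves these paths while merely displaying the icon, so a
        # reference back into the removable drive means the drive supplies the code.
        if v.startswith(drive.lower()) or v.startswith((".\\", "..\\")):
            reasons.append(f"{field} refers to the removable drive itself: {value}")
        if v.split(",")[0].rstrip().endswith(MODULE_EXT):   # "x.dll,0" icon syntax
            reasons.append(f"{field} names a loadable module: {value}")
    info["reasons"] = reasons
    return info


def scan_directory(root: str, drive: str) -> list:
    """Triage every .lnk under `root` (e.g. the mount point of a USB drive)."""
    results = []
    for p in Path(root).rglob("*.lnk"):
        try:
            r = triage_shortcut(p.read_bytes(), drive)
        except ValueError as exc:
            r = {"reasons": [f"unparseable shortcut: {exc}"]}
        r["file"] = str(p)
        results.append(r)
    return results


def build_lnk(local_base_path=None, relative_path=None, icon_location=None) -> bytes:
    """Constructed fixture: emit a minimal spec-conformant .lnk for testing the parser."""
    flags, body, strings = IS_UNICODE, b"", b""
    if local_base_path is not None:
        flags |= HAS_LINK_INFO
        path, suffix, hdr = local_base_path.encode("latin-1") + b"\x00", b"\x00", 0x1C
        body = struct.pack("<IIIIIII", hdr + len(path) + len(suffix), hdr, 0x01, 0,
                           hdr, 0, hdr + len(path)) + path + suffix
    for flag, s in ((HAS_RELATIVE_PATH, relative_path), (HAS_ICON_LOCATION, icon_location)):
        if s is not None:
            flags |= flag
            strings += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    return header + b"\x00" * (0x4C - len(header)) + body + strings


if __name__ == "__main__":
    samples = {  # constructed samples standing in for files read off a drive
        "Notepad.lnk": build_lnk(local_base_path="C:\\Windows\\System32\\notepad.exe"),
        "Photos.lnk": build_lnk(relative_path=".\\payload.dll", icon_location="E:\\payload.dll,0"),
    }
    for name, blob in samples.items():
        print(name, triage_shortcut(blob, "E:\\")["reasons"] or "no findings")
```

Run `scan_directory("E:\\", "E:\\")` against a mounted drive to get the same triage over real files; anything the parser rejects is reported rather than silently skipped, since a malformed shortcut is itself worth a look.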