More malware signed by real certs

09 Sep 2010

Within the past few months, some bad-ass new malware called Stuxnet hit the cyberwebs. It contained a new 0-day to infect via USB drives, along with other new stuff, but the really big jaw-dropper was that it was signed with the actual cert from Realtek. Then, like a week later, a new variant was found that was signed with the actual cert from JMicron, another decently large and trusted company. Well, last night news came out about some new malware that is infecting via a 0-day in PDFs for Adobe Reader (btw, if you run EMET, it supposedly blocks the exploit from being able to infect you). Anyway, this exploit is funny because it can exploit the latest version of Adobe Reader but not old versions, so if the exploit doesn't work to get the malware to install, it pops up a message telling you to update Reader. (Funny to me at least.) Anyway, what is most interesting is that the malware it drops is signed by the legit cert from a legit US company, Vantage Credit Union (the companies Stuxnet was signed by were Chinese and Taiwanese). Kaspersky first posted this at http://www.securelist.com/en/blog/2287/Adobe_Reader_zero_day_attack_now_with_stolen_certificate.

Now this should raise alarms! If someone has stolen the certs from a bank, you should expect they've pwn'd it inside and out, so I'd get my money out of there FAST! Vantage Credit Union is a privately held company (the first thing I did when I read this was try to find a way to short sell them), but interestingly Realtek's stock price was completely unaffected by its Stuxnet issue! (JMicron appears to be privately owned.) One would think that if Realtek's certs were stolen, then the rest of its source code and whatnot would have been stolen also, and possibly bugs/logic bombs inserted into its products, which would have obvious effects on its stock price, but it didn't. Wtf? (Check out Realtek's stock price around July 21st, when the news broke that Stuxnet was signed with their cert. The stock didn't have any noticeable drop until the 29th, which can probably be attributed to their disclosure of their dividend on that date.)

Another possible conspiracy theory is that someone has figured out a way to sign stuff without having access to the certs, but that's not likely, especially considering the question why would someone bother to sign stuff from lame companies like these instead of Microsoft? Unless there is some flaw affecting only these certs, but Vantage Credit Union's cert uses SHA-1 RSA (same as gmail and bankofamerica), so nothing immediately stands out. Anyway, fun stuff to ponder.

Also, after more research, I'm getting mixed news about the 0-day used. Some say this "0-day" was a problem previously disclosed but just not seen in any malware and not yet fixed, and it actually shows a pop-up message that you have to click through for it to work, but if this is the same vuln (disclosed originally by Didier Stevens at http://blog.didierstevens.com/2010/03/29/escape-from-pdf/), then this malware should be able to pwn Foxit Reader also with no pop-up! (Foxit is an alternative to Adobe Reader that runs faster on Windows and that some people think is more secure due to the rash of problems that have affected Adobe.) If this is the same vuln though, then EMET wouldn't help (Didier's vuln is more of a use-case flaw of a not-often-used function, whereas EMET only blocks buffer overflows and memory corruption attacks). Unfortunately, I don't have time to figure this out, but what's important is that it's using a legit cert!