2010-09-01
Abstract
‘Why doesn’t Windows tell me when that very important signature has been tampered with?’ Roel Schouwenberg, Kaspersky Lab
Copyright © 2010 Virus Bulletin
It may seem like an age ago but it was only in July that the world was made aware of the W32/Stuxnet malware. In a nutshell, Stuxnet is an extremely sophisticated worm that targets SCADA environments and spreads by exploiting a zero-day vulnerability, in the handling of Windows shortcut (LNK) files, that is present in all recent versions of Microsoft’s Windows operating system. To top it all off, the attacks appeared to target Iranian systems, with by far the majority of incident reports coming from Iran. All of a sudden, the most off-the-wall conspiracy theories began to seem plausible.
Stuxnet, much akin to the Google Aurora attack, is playing a crucial role in a new sense of user awareness that seems to be developing this year. Aurora and Stuxnet are tangible cases for different kinds of cyber-espionage. These ready-made examples will certainly help to make it clear to the people who aren’t being attacked – or perhaps who aren’t aware they’re being attacked – that they need proper protection.
In our industry, we tend to be sceptical about user education – and rightfully so. And while it’s definitely possible to put up shields against Aurora-type attacks, I’m extremely doubtful that this is the case with an attack of Stuxnet’s class. Let’s face it, with the exception of exfiltration and botnet infrastructure, it’s hard to see where the Stuxnet authors could have done better. There are many lessons to be learned from Stuxnet, but there’s one which clearly stands out. There’s an extremely broken model of trust.
With the huge volume of malware we’ve been seeing in the last couple of years, the anti-malware industry is relying more and more on automation. That our current automation is less than perfect is something I pointed out a year ago in reference to W32/Induc.A (see VB, September 2009, p.2). W32/Induc infects the Delphi development environment itself (its SysConst run-time library), so that every program subsequently compiled with it carries the virus. What we ended up with were many different applications that had contained the virus for quite a long while. A number of these applications were even digitally signed, which is exactly what you would expect: the vendor signed what its compiler produced, and the signature faithfully certified an infected file.
Which brings us back to Stuxnet. The Stuxnet authors stole the code-signing keys, and with them the VeriSign-issued certificates, of two reputable companies – RealTek and JMicron – and used them to sign their drivers. That’s a double attack against reputation. Firstly, it’s no easy task to obtain a code-signing certificate from VeriSign. Secondly, there’s a long history of trust in the files originating from these companies.
Certificate-stealing malware is far from new. The Zeus trojan has been harvesting certificates, together with the private keys that go with them, from infected machines since 2006. Over the years the malware authors have never needed to use those certificates, but that is slowly changing. Stuxnet proves this.
Does this mean we must completely rethink whitelisting? No, but it will burden us with having to contact companies directly and with whitelisting by the hash of each file’s contents, rather than trusting every file that carries a valid signature from a given publisher.
Even beyond Stuxnet, there are other certificate-related issues to worry about. At the beginning of August this year, there was a report from our friends at Trend Micro that a variant of Zeus was using a Kaspersky Lab certificate. After the Stuxnet news, it certainly received a lot of attention. But was it really worth the attention? The creator of this particular variant had simply copied the digital signature block belonging to one of Kaspersky Lab’s tools and pasted it into his Zeus variant. That signature was never valid for the new file: an Authenticode signature covers a hash of the executable image, so a signature transplanted into a different file is present but does not verify.
Now this is where it gets really confusing. The security community places enormous value on digital signatures. Microsoft Windows, for instance, will tell you when a valid signature has been found in a file and who that certificate belongs to. It will ask you if you trust that particular publisher. Why, then, doesn’t Windows tell me that someone has tampered with that very important signature? Windows will generally treat a file with a tampered or corrupted signature as if it weren’t signed in the first place and will not warn the user in any way: the same ‘Unknown Publisher’ prompt appears for both cases. The information is available, since the underlying verification (WinVerifyTrust, as exposed by ‘signtool verify’) distinguishes a bad digest from a missing signature, but the user interface collapses the two. That’s an extremely broken model of trust.
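To make the distinction concrete, here is an added example (my own code, not from the original article or from Microsoft) that classifies a PE file as unsigned, signed with a matching Authenticode image hash, or signed with a hash that no longer matches, which is what a byte-level tamper or a copy-and-paste of another file’s signature produces. It implements the Authenticode image-hash computation from Microsoft’s PE Authenticode specification and assumes, as is usual, that the certificate table sits at the end of the file. It deliberately does not validate the certificate chain; instead of an ASN.1 parser it relies on the fact that the image digest is stored as a raw OCTET STRING inside the signed SpcIndirectDataContent, so a substring test is enough to tell whether the signature was made over this file. The sample PE it builds is constructed inline and is a toy, not a real binary, and its signature body is a stand-in for PKCS#7 SignedData.

```python
"""Classify a PE image as UNSIGNED, SIGNED_HASH_OK, SIGNED_HASH_MISMATCH or
SIGNED_CORRUPT. Added example; assumptions are marked; chain validation is out of scope."""
import hashlib
import struct
from typing import Optional

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def _cert_entry(data: bytes) -> int:
    """File offset of the security (certificate table) data-directory entry, index 4."""
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24
    return opt + (96 if _u16(data, opt) == 0x10B else 112) + 4 * 8   # PE32 vs PE32+

def authenticode_hash(data: bytes, algo: str = "sha256") -> bytes:
    """Image hash per the Authenticode PE spec: the file minus the CheckSum field, the
    security directory entry and the certificate table (assumed to sit at the file's end)."""
    pe = _u32(data, 0x3C)
    opt = pe + 24
    sec_tbl = opt + _u16(data, pe + 20)          # SizeOfOptionalHeader -> section table
    size_of_headers, checksum = _u32(data, opt + 60), opt + 64
    cert_entry = _cert_entry(data)
    h = hashlib.new(algo)
    h.update(data[:checksum])
    h.update(data[checksum + 4:cert_entry])
    h.update(data[cert_entry + 8:size_of_headers])
    hashed = size_of_headers
    sections = [(_u32(data, s + 20), _u32(data, s + 16))     # (PointerToRawData, SizeOfRawData)
                for s in range(sec_tbl, sec_tbl + 40 * _u16(data, pe + 6), 40)]
    for ptr, size in sorted(sections):
        if size:
            h.update(data[ptr:ptr + size])
            hashed = max(hashed, ptr + size)
    end = len(data) - _u32(data, cert_entry + 4)   # trailing data, minus the cert table
    if end > hashed:
        h.update(data[hashed:end])
    return h.digest()

def classify(data: bytes) -> str:
    e = _cert_entry(data)
    cert_off, cert_size = _u32(data, e), _u32(data, e + 4)
    if cert_size == 0:
        return "UNSIGNED"
    blob = data[cert_off:cert_off + cert_size]
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then the PKCS#7 SignedData
    if len(blob) < 8 or _u32(blob, 0) > cert_size:
        return "SIGNED_CORRUPT"                  # present but malformed: still not "unsigned"
    body = blob[8:]
    # The image digest sits as a raw OCTET STRING inside SpcIndirectDataContent, so a
    # substring test binds the signature to *this* file without an ASN.1 parser.
    for algo in ("sha256", "sha1"):
        if authenticode_hash(data, algo) in body:
            return "SIGNED_HASH_OK"
    return "SIGNED_HASH_MISMATCH"

def transplant_signature(donor: bytes, target: bytes) -> bytes:
    """The copy-and-paste trick from the text: graft the donor's certificate table onto
    an unsigned target and point the target's security directory entry at it."""
    e = _cert_entry(donor)
    off, size = _u32(donor, e), _u32(donor, e + 4)
    out = bytearray(target)
    struct.pack_into("<II", out, _cert_entry(target), len(out), size)
    return bytes(out + donor[off:off + size])

def build_sample_pe(sig_body: Optional[bytes], payload: bytes = b"\xcc" * 512) -> bytes:
    """Constructed minimal PE32 with one section, for offline testing; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                         # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<II", sec, 16, len(payload), 512)          # SizeOfRawData, PointerToRawData
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(512, b"\0")
    img = bytearray(hdr + payload)
    if sig_body is not None:                                     # toy stand-in for PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(sig_body), 0x0200, 0x0002) + sig_body
        struct.pack_into("<II", img, _cert_entry(img), len(img), len(cert))
        img += cert
    return bytes(img)

if __name__ == "__main__":
    clean = build_sample_pe(None)
    signed = build_sample_pe(b"\x30\x82" + authenticode_hash(clean) + b"\x00")
    tampered = bytearray(signed); tampered[600] ^= 0xFF           # one byte of .text flipped
    pasted = transplant_signature(signed, build_sample_pe(None, b"\x90" * 512))
    for name, img in [("clean", clean), ("signed", signed), ("tampered", bytes(tampered)), ("pasted", pasted)]:
        print(f"{name:9s} {classify(img)}")
```

The point of the four outcomes is that only the first one deserves the label ‘not signed’; a file in the other three states has been through someone’s hands after signing (or has had a signature grafted on) and is worth a loud warning rather than the generic unknown-publisher prompt. On a real binary the classification should agree with what PowerShell’s Get-AuthenticodeSignature reports in its Status field (NotSigned versus HashMismatch); the script just makes the difference visible without the Windows trust UI in the way.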
The issue I’m describing is far from new. But if Aurora can serve as an eye-opener to Fortune 500 companies, making them realise that they really shouldn’t have been running Internet Explorer 6 in 2009, then let’s have Stuxnet serve indirectly as an eye-opener to Microsoft, making the company realise that it shouldn’t silently allow execution of files whose signatures have been tampered with.