Kaspersky Says Duqu2 Attackers Signed Their Code With Stolen Certificates

Kaspersky Labs, who first reported the existence of the Duqu2 malware that attacked both Kaspersky itself and three hotels that hosted the Iranian nuclear talks, is now reporting that part of the attack uses malware-laced drivers signed with digital certificates from Foxconn, who is best known as Apple’s contract manufacturer in China (see Kaspersky’s blog post).

Kaspersky reported at the time of the announcement that Duqu2 does not write itself to disk, which made me wonder how the malware persists past a reboot.  The answer to that, according to the blog post, is that the malware infects network devices such as firewalls, gateways or other Internet-facing network devices.  This has the benefit of avoiding antivirus software and system logs on the PCs being attacked.

The blog post leaves, at least for me, as many questions as it answers, but it is providing more clarity.  Assuming it compromises a firewall, for example, how exactly does it do that?  Once it compromises that, it now has a foothold in the target’s network from which to launch an attack against other devices.  How does it attack those devices?  In an earlier post Kaspersky said that Duqu2 used at least 1 and maybe 3 zero-days – previously unknown vulnerabilities (see post).  I gather that is the mechanism for attacking the PCs.

Kaspersky also says that the drivers that the attackers use are digitally signed using Foxconn certificates.  Foxconn is best known for manufacturing hardware for Apple, but also makes hardware for Dell, HP, Microsoft, Sony and a host of other companies.

We have been operating for many years on the principle that if the software we are about to install is signed then it is malware-free.  Apparently, we can no longer assume that.

What is worse is that the Duqu2 attackers never use the same certificate twice, which means either that they have a supply of these certificates or that they have compromised Foxconn.  Neither of these scenarios is good.

Do these attackers have a stash of certificates from other vendors?  Or do they have an in at Verisign, one of the world’s largest certificate suppliers?  Verisign is in the process of revoking these certificates, but without an answer to how they got them, revoking these certificates may be meaningless.
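The last few paragraphs make two points a defender can act on: a valid signature only proves that whoever signed the driver held the private key, and a revoked certificate only helps if something actually checks revocation. The following PowerShell function is an added example, not code from the post or from Kaspersky, that audits a Windows driver the way a defender would after reading this: it reads the Authenticode status, rebuilds the certificate chain with online revocation checking so a revoked signer is flagged, and reports a signer that is technically valid but not on a list of publishers you expect to see on your hosts. The file path in the usage comment and the publisher allowlist are placeholders I constructed; `Get-AuthenticodeSignature` and the .NET `X509Chain` class are standard.

```powershell
# Added example (not from the original post): audit a driver's Authenticode
# signature. "Valid" alone is not a clean bill of health; check revocation
# and whether the signer is one you expect.
# Assumptions: the driver path and the expected-publisher list below are
# constructed placeholders and must be replaced with your own values.

function Test-DriverSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Constructed allowlist of publisher subject names expected on drivers
        # in this environment; replace with your own.
        [string[]] $ExpectedPublishers = @('CN=Example Driver Vendor, O=Example, C=US')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path             = $Path
        SignatureStatus  = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer           = $null
        Thumbprint       = $null
        SerialNumber     = $null
        ChainValid       = $false
        ChainErrors      = @()
        Revoked          = $false
        UnexpectedSigner = $false
    }

    # Unsigned or malformed files have no signer certificate; report and stop.
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer       = $cert.Subject
    $result.Thumbprint   = $cert.Thumbprint
    $result.SerialNumber = $cert.SerialNumber

    # A "Valid" status only proves the signer held the private key. Rebuild
    # the chain with online revocation checking so a certificate the CA has
    # since revoked (as Verisign is doing here) is not treated as trustworthy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $result.ChainValid  = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result.Revoked     = ($result.ChainErrors -contains 'Revoked')
    $chain.Dispose()

    # A correctly signed driver from a publisher that has no business signing
    # drivers on this host is itself a finding, even before revocation catches up.
    $result.UnexpectedSigner = -not ($ExpectedPublishers -contains $cert.Subject)

    return [pscustomobject]$result
}

# Usage (placeholder path): audit the driver store and surface only the
# drivers that fail the signature check, are revoked, or have an unexpected signer.
# Get-ChildItem 'C:\Windows\System32\drivers' -Filter *.sys |
#     ForEach-Object { Test-DriverSignature -Path $_.FullName } |
#     Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.Revoked -or $_.UnexpectedSigner } |
#     Format-Table Path, SignatureStatus, Signer, Revoked, UnexpectedSigner -AutoSize
```

The revocation check depends on the host being able to reach the CA's CRL or OCSP endpoint; on an isolated machine `ChainErrors` will contain `RevocationStatusUnknown` or `OfflineRevocation` rather than `Revoked`, and the safe reading of that is "not verified" rather than "clean". The allowlist is the part that would have caught this case early: a driver signed by a hardware manufacturer that has never shipped drivers to your environment should stand out regardless of what the certificate chain says.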

What this does show is that the sophistication of attacks is getting pretty impressive.  People used to think that if they had Symantec or McAfee antivirus on their computer they were safe.  That is no longer a good bet.
