In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) which helped to keep the malware under the radar for quite a long period of time.
There are solutions to this valid certificate problem. It just depends on how you want to achieve it. I think pairing a certificate check with a SHA1 check of every file that is signed should basically stop any certificates that are stolen. But in reality the only way is to use unbreakable certificates and only trust signature companies that you know will never sign malware.
I don’t understand you very well, so Realtek and JMicron are not trusted companies? Almost any mainboard has an integrated Realtek audio chipset; everybody needs their drivers.
The JMicron and Realtek certificates are breakable? And others not? What is the difference?
No, you didn’t understand. By unbreakable I mean they should upgrade the certificates so that breaking the program and still having the certificate remain valid is impossible. Also, they are not the signers; the signers are Verisign, Comodo, Thawte, etc.
I agree, we can’t trust digital signatures so much; it’s an indication for me, as it’s not so difficult to make one for an exe. Also I think malware with stolen DS will be more and more popular (to bypass one layer of protection of the popular W7 x64, for example).
Makes me wonder how they got these valid digital signatures… one of the reasons why I prefer behavior blockers over simple whitelisting… They don’t care about the digital signatures, they don’t care about cryptors and packers; all they care about is what the programs do.
I do not remember the case where you were “called paranoid” (the forum is too big - no way to read it all)
… but I was saying something similar about digital signatures loooong ago and way before v4 was released (read Melih’s replies, kinda “theoretically not possible”)
A month or so after my last post regarding the matter, the 1st (fake) one was released.
Well … there are messages about me being surprised why the thread about “include this or that as trusted” is so popular ??? taking into account that you cannot rely on that
But, after knowing what the program does, how do they separate the good programs from the bad programs, i.e., the good doing its job and the bad messing things up… What do they use to detect the difference between one and another?
Realtek, being an OEM, cannot be removed from the Trusted Vendor List. The best is that the certificate is revoked, and CIS will automatically not check against the Trusted Vendor List, as the file will not be considered digitally signed.
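The two defensive ideas raised in this thread, pairing the signature check with a per-file SHA1 check so a stolen certificate alone is not enough, and revoking the certificate so the file stops counting as signed, as an added example that is not code from the original posts or from CIS. The vendor names, certificate serials and file bytes are constructed, and the cryptographic signature verification itself is assumed to be done elsewhere (e.g. by the OS) and passed in as a flag.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data. Assumption: the cryptographic Authenticode check
# is done elsewhere (e.g. by the OS) and its result is passed in as a flag;
# this example only models the trust decision layered on top of it.
TRUSTED_VENDORS = {"Realtek Semiconductor", "JMicron Technology"}

@dataclass
class SignedFile:
    name: str
    content: bytes
    signer: str          # subject name on the code-signing certificate
    cert_serial: str     # certificate serial (constructed value)
    signature_ok: bool   # result of the cryptographic signature check

def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def is_signed(f: SignedFile, revoked: set) -> bool:
    """Revoking the certificate makes the file count as unsigned."""
    return f.signature_ok and f.cert_serial not in revoked

def vendor_list_policy(f: SignedFile, revoked: set) -> bool:
    """Trusted Vendor List model: a valid signature from a listed vendor is enough."""
    return is_signed(f, revoked) and f.signer in TRUSTED_VENDORS

def pinned_hash_policy(f: SignedFile, revoked: set, allowlist: set) -> bool:
    """Signature plus per-file SHA-1: the exact file must also be pre-approved."""
    return vendor_list_policy(f, revoked) and sha1_of(f.content) in allowlist

def demo() -> dict:
    """Genuine driver vs. a file signed with the same (stolen) certificate."""
    genuine = SignedFile("rtl_audio.sys", b"constructed genuine driver bytes",
                         "Realtek Semiconductor", "SERIAL-REALTEK-1", True)
    stolen = SignedFile("rogue.sys", b"constructed rogue driver bytes",
                        "Realtek Semiconductor", "SERIAL-REALTEK-1", True)
    allowlist = {sha1_of(genuine.content)}   # admin approved only the real driver
    before = set()                           # nothing revoked yet
    after = {"SERIAL-REALTEK-1"}             # CA revokes the stolen certificate
    return {
        "vendor_list_accepts_stolen": vendor_list_policy(stolen, before),
        "pinned_hash_accepts_stolen": pinned_hash_policy(stolen, before, allowlist),
        "pinned_hash_accepts_genuine": pinned_hash_policy(genuine, before, allowlist),
        "stolen_signed_after_revocation": is_signed(stolen, after),
        "genuine_signed_after_revocation": is_signed(genuine, after),
    }
```

The last result shows the cost of revocation that the post above accepts: once the serial is revoked, the genuine Realtek driver is treated as unsigned too, so it must be re-approved by hash or by a re-signed release.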