Malware with a valid certification & CIS being bypassed

http://usa.kaspersky.com/about-us/press-center/press-releases/stuxnet-manifests-beginning-new-age-cyber-warfare-according-kas

In addition to exploiting four zero-day vulnerabilities, Stuxnet also used two valid certificates (from Realtek and JMicron) which helped to keep the malware under the radar for quite a long period of time.


CIS bypassed: - YouTube

The valid certificates… always the problem…
And some time ago I was called paranoid here in the forums when I said that we can’t trust digital certificates that much…

This news is 1 week old, I wonder why the devs are so quiet.

There are solutions to this valid certificate problem. It just depends on how you want to achieve it. I think pairing a certificate check with a SHA1 check of every file that is signed should basically stop any certificates that are stolen. But in reality the only way is to use unbreakable certificates and only trust signature companies that you know will never sign malware.

I don’t understand you very well. So Realtek and JMicron are not trusted companies? Almost any mainboard has an integrated Realtek audio chipset; everybody needs their drivers.
Are the JMicron and Realtek certificates breakable, and others not? What is the difference?

This hole has been known since beta testing time. :slight_smile:

I still pick up a local BB; in theory it should reduce the threat.

No, you didn’t understand. By unbreakable I mean they should upgrade the certificates so that breaking the program and still having the certificate remain valid is impossible. Also, they are not the signers; the signers are Verisign, Comodo, Thawte, etc.

How to achieve that? I mean, with Comodo default settings…

Maybe include verification by at least a local antivirus scan module without the heuristics enabled (which would exclude false positives) - if something is caught, no significant changes.

Alex

Right now it can’t be done. What would have to be done is to look not only at whether the certificate is valid, but also at who the signer is.

Ok. I think avast trusts only one or two certificate vendors.
I don’t know if they look at the signer too.

I agree, we can’t trust digital signatures so much; for me it’s an indication, as it’s not so difficult to make one for an exe. Also I think malware with stolen DS will become more and more popular (to bypass one layer of protection of the popular W7 x64, for example).

So, right now, we can’t trust CIS, it is vulnerable by default.

Is any developer going to come here to say something like “we are working to fix this problem”?

Makes me wonder how they got these valid digital signatures… one of the reasons why I prefer behavior blockers over simple whitelisting… They don’t care about the digital signatures, they don’t care about cryptors and packers; all they care about is what the programs do.

Hi Tech,

I do not remember the case where you were “called paranoid” (the forum is too big - no way to read it all)
… but I was saying something similar about digital signatures loooong ago, way before v4 was released (read Melih’s replies, kinda “theoretically not possible”).
A month or so after my last post regarding the matter, the 1st (fake) one was released
“practically” :slight_smile:

Well … there are messages of mine being surprised that the thread about “include this or that as trusted” is so popular ??? taking into account that you cannot rely on that.

… anyway… I am not using “that”

Cheers!

Does CIS check the status of certificates? Will a revoked certificate be detected?

I hope this can be fixed without reducing user usability or demanding more user inputs.

Apart from this certificate/whitelisting loophole, there is always another loophole – the user. More pop-ups or user inputs would just result in a larger loophole on the user’s part.

I thought it was already the case.
Doesn’t Comodo maintain a whitelist with file signatures?
I know this database would be huge, but less than virus signatures…

But, after knowing what the program does, how do they separate the good programs from the bad programs, i.e., the good one doing its job and the bad one messing things up… What do they use to detect the difference between one and the other?

Realtek, being an OEM, cannot be removed from the Trusted Vendor List. The best outcome is that the certificate is revoked; CIS will then automatically not check against the Trusted Vendor List, as the file will not be considered digitally signed.

Thanks
-umesh
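The thread raises four separate checks that a "valid signature" alone does not give you: that the signature verifies at all, that the signer's certificate has not been revoked, that the signer is a publisher you actually expect (not merely any certificate a CA issued), and that the file's hash is on a list you maintain. The PowerShell below is an added example, not code from any poster in this thread and not Comodo's own logic; it combines those checks into one fail-closed decision. It uses only built-in cmdlets (`Get-AuthenticodeSignature`, `Get-FileHash`) and the .NET `X509Chain` class. The signer subject and the file digest in the two lists are placeholders you would replace with your own values; it pins SHA-256 rather than the SHA1 suggested above, since SHA-1 is no longer collision-resistant.

```powershell
# Added example: layered trust decision for a signed Windows executable.
# Placeholder subject string; replace with the exact Subject of a publisher you trust.
$TrustedSigners = @(
    'CN=Example Vendor Inc, O=Example Vendor Inc, L=Exampletown, S=CA, C=US'
)

# Placeholder SHA-256 digests of files you have reviewed and chosen to allow.
$AllowedHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

function Test-SignedFileTrust {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $null
        Signer          = $null
        ChainOk         = $false
        ChainErrors     = @()
        SignerPinned    = $false
        HashMatch       = $false
        Trusted         = $false
    }

    # 1. Authenticode signature. Status is 'Valid' when the signature verifies and the
    #    chain ends in a trusted root; a stolen but not yet revoked certificate passes here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # 2. Revocation. Rebuild the chain with online CRL/OCSP checking across the whole chain.
    #    Build() returns $false if any certificate is revoked OR if revocation status cannot
    #    be determined, so an unreachable CRL server fails closed rather than open.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $result.ChainOk = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 3. Signer identity. A valid signature from a publisher you never chose to trust
    #    should not be accepted just because some CA issued the certificate.
    $result.SignerPinned = $TrustedSigners -contains $cert.Subject

    # 4. File hash pinning. Even a trusted publisher's stolen key cannot produce a file
    #    whose digest matches one you recorded after review.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $result.HashMatch = $AllowedHashes -contains $actual

    # All four layers must agree; any single failure denies trust.
    $result.Trusted = $result.ChainOk -and $result.SignerPinned -and $result.HashMatch
    [pscustomobject]$result
}

# Usage (path is a placeholder):
# Test-SignedFileTrust -Path 'C:\Path\To\example.exe' | Format-List
```

The `ChainErrors` field is worth surfacing in a report: a file that fails only with `RevocationStatusUnknown` or `OfflineRevocation` points to a network or CRL distribution problem, whereas `Revoked` is exactly the case the thread describes, a signature that was technically valid when applied but whose key the publisher no longer stands behind.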