SymanTUX Gate!

Stuxnet again…and its Symantec Certificate again!!

“sample that appeared to be very similar to Stuxnet”

“first recording of one of the binaries was on September 1, 2011”

“The certificate was revoked on October 14, 2011”

Why did it take Symantec 44 days to revoke the certificate they issued (misissued?), even though they say the file appeared to be very similar to Stuxnet?

Melih

Here is a link to an earlier misissuance of certificates to someone pretending to be Microsoft: http://support.microsoft.com/kb/293818

Stuxnet Computer Worm’s Creators May Be Active Again - The New York Times
“According to Vikram Thakur of Symantec, the organization decided not to come forward because it wanted to protect the identity of the victim organization”

How about protecting end users???

Home - Broadcom Community - Discussion Forums, Technical Docs, and Expert Blogs
“As a result of this intelligence Symantec is able to take action very quickly.”
44 days to be exact!!

This can happen to any CA, such as COMODO too.
But the difference is that when it happens to COMODO, it needs only a few hours to stop and revoke.

Other CAs could take days, weeks or even months only to notice the problem.

It’s good that COMODO takes these things very seriously, and the results are clearly seen when COMODO handles this situation with total transparency and in a very short period of time.

That’s exactly the case. We promise total transparency and immediate action to protect our users!

This is not my field, so please forgive any apparent ignorance by this question.

Why are Symantec masking/hiding the company name on the signed driver (cmi4432.sys)? Based on the MD5 supplied by Symantec, it seems that all the signature information has been stripped off the Virus Total submission of the driver as well. Wouldn’t this information help others? Or is this something that industry only shares with each other? Thanks.

good question.

How did the attacker obtain the Certificate to sign the code?
Did they steal it from the company? (where is the police report if this is the case?)
Did Symantec misissue?

too many questions…

It seems that the certificate in question was “stolen” (Greg Day, Chief Technology Officer, Symantec)…

The code [Duqu] used a "jigsaw" of components including a stolen Symantec digital certificate, said Mr Day.

“We provide digital certificates to validate identity and this certificate was stolen from a customer in Taiwan and reused,” said Mr Day.


source [bbc.co.uk]

Nice find Kail! Gonna have a read now… :-TU

I have a personal saying, but this can be said also for a Company as a whole! “We all make mistakes, it’s what we do after that defines us (a person, but same for a company)”. So in other words, if one Company makes a mistake and holds hands up, listen we’re only human, sorry it happened… we’re on it now to make sure this never happens again etc… then fair enough. It’s those who tried to pull the wool over your eyes that should not be let off lightly, such as the case in Symantec’s…

Fair enough, things have happened to Comodo, but their response was open for all to see, and we were always updated.

Is there a police report or anything similar to this if it’s a theft?

good luck finding a police report, the customer it was stolen from is from Taiwan.

Not that I’m aware of. But, since Symantec are not disclosing their client’s name I doubt that something like this would be easy to obtain.

However, a newer blog from Symantec’s Authentication Team does seem to indicate that Symantec doesn’t actually have any details on how the certificate was stolen…

.. We won’t speculate .. as to how the keys were compromised at the customer site in the Duqu situation ..
source: http://www.symantec.com/connect/blogs/duqu-protect-your-private-keys [symantec.com]

customer’s name has been revealed.
This is a serious theft that caused a huge amount of infection in key places. One would expect someone to report to Police and have a report about it at least…

I’m sorry Melih, I hadn’t noticed that you’d updated your first post. Is the revealed name of any interest/note? I don’t have a NY Times subscription. :)

C-Media Electronics.
http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-–-further-tales-of-the-stuxnet-files

Ouch, the audio device guys. I guess the CMI bit on the driver filename (cmi4432.sys) was a giveaway then.

yep…has anyone seen any police report of this ‘theft’ yet?