TVL VS signed malware

TVL = Trusted vendor list

rootkit and several other pieces were signed with a legitimate digital certificate from Realtek Semiconductor:

It is able to load undetected into the system because it [i][malware sample][/i] is [b]digitally signed by RealTek Semiconductors, a legitimate hardware vendor[/b]. [b]Why RealTek would digitally sign a driver that is in fact a rootkit[/b], or whether their systems were compromised has yet to be determined.

Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2 review by VirusBlokAda:

...Process of system infection proceeds in the following way: ...Both files (mrxnet.sys and mrxcls.sys, one of them works as driver-filter of file system and the second one is injector of malicious code) are placed in the %SystemRoot%\System32\drivers directory... ...Note that [b]drivers are signed with digital signature of Realtek Semiconductor Corp.[/b]

Stuxnet and stolen certificates:

One possibility here is that both JMicron and Realtek got infected with a trojan such as Zeus, that steals digital certificates. Then, the cybercriminals who got the certificates, either re-sold them on the market or used them by themselves to sign the Stuxnet drivers.

Stuxnet signed certificates frequently asked questions

RealTek, JMicron – who’s next? Information is quite old, nevertheless it shows that relying on digital signature only to trust executables is dangerous.

p.s.: original thread (in Russian)

Just to quickly hijack this thread ;D

If anyone does find any malware that is trusted by Comodo please post it in this thread so it can be addressed as quickly as possible.

Thanks.

By the way, with CIS V5.3 any file that is signed with a certificate that has been revoked will not be trusted.

Any time :wink:

One of the reasons this thread appeared is the fact that the TVL is very hard to edit when you want to delete a bunch of entries: this will take a century ± 2 years. Countless times people have complained about the TVL's user-UNfriendliness, but the TVL in its current form seems to be immortal, alas >:(

1 (04-03-2010, 20:38:14)
2 (same user as in link #1, feature request 25-09-2010)
3 (feature request, 16-09-2010)
4 (feature request, 04-05-2010)
5 (25-09-2010)
6 (26-04-2010)
7 (feature request, 21-03-2010)
8 (feature request, 28-02-2009)

[this list of links would be probably updated to include more material]

If malware has a stolen certificate, will it be excluded from being detected by the antivirus automatically if Comodo doesn’t remove it from the TVL list first.

If the certificate the malware is signed with has been revoked then it will not be trusted by Comodo.

However, if nobody has reported it yet, then the certificate will still be considered legitimate and will be trusted by Comodo.

Does this answer your question?

But in the meantime it will wipe out people's computers, because until Comodo is updated it will allow everything to connect to the internet and download who knows what, because they have a trusted vendor licence. Just because something is signed does not mean it should automatically be allowed to connect to the internet without the user's permission. This action shows that the application cannot be trusted, as well as Comodo, for bypassing what the user wants.

Just because something is signed does not mean it should automatically be allowed to connect to the internet without the user's permission.

It is signed and on the trusted vendor list.

This action shows that the application cannot be trusted, as well as Comodo, for bypassing what the user wants.

Right… You can’t trust Microsoft either because they allow the driver to load on x64. They don’t even have a trusted vendor list, so they allow any properly signed driver to load. 88)

This is a problem with all security software. There are two things that can be done. Have the security software have no trusted list and ask you about everything, which people will complain about because the software is not user friendly.

Or some company can invent a new code signing certificate that cannot be stolen or cracked. The nice thing is that Comodo is in the position to do this.

I must say there is a third option :smiley:
It is to create an “A&S Program”, either free or paid (I would highly recommend a free program, though it can be both :D).

Jake

Mathematically, of course it can be cracked. The only encryption method that is 100% safe is the one-time pad, which is also the most useless.

If I’m not wrong (and please correct me if I am as I haven’t actually researched this :o) the problem today isn’t that the digital certificates are being cracked, but that some companies/individuals are willing to sign malware.

Is this right? If not then please direct me to a link so I can be correct in the future. 88)

Yes, you’re right.

Digital signatures are very difficult to fake with our current technology, but they’re not “mathematically” uncrackable. My comment was a response to the quote from Melih.

Of course they can be cracked, but is it doable in a reasonable time period? Like SHA1 can be cracked, but it would take about 10 years using very powerful servers.

Also, stealing a certificate will render it useless because it will not be valid anymore.

I read about a year ago that enthusiasts gathered “home made” supercomputers using PS3 (CELL processor)…

Alex

That’s the way I’ve chosen to go and I have no complaints.

~Maxx~


I quoted Melih to stress his point that ‘there is no way practically’. But it appears there is, which is proven by the fact that malware writers managed to use a valid digital signature to sign malware (info from the 1st message).


I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?

Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it.

There was a lot of fanfare on Saturday when Microsoft and Verisign announced that they had worked together with Realtek to revoke the certificate in question, implying that this somehow improved the safety and security of users. One of our researchers, Mike Wood, who will be presenting a paper this year at Virus Bulletin on the use of certificates by cybercriminals, helped me out by looking into the specifics of how Windows treats signed drivers and DLLs.

Mike came to two conclusions. One was that a driver signed with a certificate during its validity period will never expire. That the signing certificate is now expired is irrelevant because the rootkit was signed when the certificate was valid.

Second, Mike determined that the conclusion I had drawn in this week’s Sophos Security Chet Chat was incorrect. I thought that when the certificate was revoked this would prevent drivers that had been signed by it from loading into Windows. This is only partially true; it will only prevent drivers from loading that were signed after the certificate was revoked. This means all existing copies of Stuxnet that are in the wild will still happily load.

Why revoke the certificate at all? I have no clue. It accomplishes absolutely nothing as far as I can tell, except giving the appearance that the powers-that-be are taking actions to protect us.

Why revoke the certificate at all? I have no clue. It accomplishes absolutely nothing as far as I can tell, except giving the appearance that the powers-that-be are taking actions to protect us.
It prevents future infections by this specific certificate. That's still good enough in my book.

Unfortunately revoking a certificate does not help to expose already infected systems nor the spread of stuxnet for example.

Things could be tightened up by not allowing any driver without a valid signature. That would mean that vendors will have to maintain driver’s signatures until years after release. That’s a change.

Correct me if I’m wrong, but with CIS V5.3 a file signed with a revoked certificate would not be trusted. Thus revoking a certificate is very important.
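The two rules the thread keeps circling around (the quoted Sophos explanation of why a revoked certificate does not stop an already signed, timestamped driver from loading, versus the stricter "revoked certificate = never trusted" behaviour attributed here to CIS V5.3) can be put side by side in a small model. This is an added example, not code from Comodo, Sophos or Windows; the certificate dates and signing times are constructed placeholders, and the functions are a simplified model of the policies as the posts describe them, not the real verifiers.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_on: Optional[datetime] = None  # None means never revoked


@dataclass
class Signature:
    cert: Certificate
    signed_at: datetime   # signing time as asserted by the signature
    timestamped: bool     # True: a timestamp countersignature proves signed_at


def loader_trusts(sig: Signature, now: str) -> bool:
    """Windows-style rule from the Sophos quote: a signature made while the
    certificate was valid stays valid; revocation only blocks signatures made
    on or after the revocation date. Simplified model, not the real verifier."""
    c, t = sig.cert, datetime.fromisoformat(now)
    if not (c.not_before <= sig.signed_at <= c.not_after):
        return False
    if not sig.timestamped:
        # Without a timestamp the signing time cannot be proven, so the
        # signature dies with the certificate: expiry or revocation ends it.
        return t <= c.not_after and c.revoked_on is None
    return c.revoked_on is None or sig.signed_at < c.revoked_on


def tvl_trusts(sig: Signature, now: str) -> bool:
    """Stricter rule the thread attributes to CIS V5.3: a file signed with a
    certificate that has been revoked is never trusted, whenever it was signed."""
    return sig.cert.revoked_on is None and loader_trusts(sig, now)


# Constructed sample data: placeholder dates, not the real Realtek certificate's
# validity period, revocation date or the real Stuxnet drivers' signing times.
REALTEK = Certificate("Realtek Semiconductor Corp.", datetime(2009, 1, 1),
                      datetime(2011, 1, 1), revoked_on=datetime(2010, 7, 17))
STUXNET_DRIVER = Signature(REALTEK, datetime(2010, 1, 25), timestamped=True)
LATER_ABUSE = Signature(REALTEK, datetime(2010, 8, 1), timestamped=True)
UNTIMESTAMPED = Signature(REALTEK, datetime(2010, 1, 25), timestamped=False)

if __name__ == "__main__":
    for name, s in [("stuxnet driver", STUXNET_DRIVER), ("later abuse", LATER_ABUSE),
                    ("untimestamped", UNTIMESTAMPED)]:
        print(f"{name:15} loader={loader_trusts(s, '2010-08-01')} tvl={tvl_trusts(s, '2010-08-01')}")
```

Run it and the timestamped driver signed before revocation is still accepted by the loader rule, even after the certificate's own expiry, while the TVL rule rejects it the moment the certificate is revoked.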