Duqu 2.0 malware buried into Windows PCs using 'stolen Foxconn certs'

The super-sophisticated malware that infiltrated Kaspersky Labs is craftier than first imagined. We're told that the Duqu 2.0 software nasty was signed using legit digital certificates issued to Foxconn – a world-leading Chinese electronics manufacturer, whose customers include Microsoft, Dell, Google, BlackBerry, Amazon, …

  1. Destroy All Monsters

    Too fast and too trusty 2.0

    have been able to snatch copies of various code-signing certificates

    Really, the private key associated with (the public key embedded in) the certificate, right?

    How do you snatch the private key, or alternatively, have your private key certified by e.g. Verisign? A stern discussion at an old factory away from civilization? A powerful operator from Uncle Sam placing a phone call?

    1. Mark 85

      Re: Too fast and too trusty 2.0

      Or a certain Asian agency having a short and to-the-point conversation with... hmm... someone in Foxconn maybe? There's a lot of "agency" and "operators" out there. None of them are your friend.

      1. elDog

        Re: Too fast and too trusty 2.0

        And is Foxconn infected itself? It seems that it would be possible to obtain private keys fairly easily if the key generating equipment is infected.

      2. Aitor 1

        Re: Too fast and too trusty 2.0

        Foxconn would be blamed, I would say it is possible but would point at the issuer of the cert leaking it.

    2. Anonymous Coward

      Re: Too fast and too trusty 2.0

      Usually you cannot snatch such a key at all - it does not exist in a "usable" form outside the organization which has it because it resides in a crypto module. So unless you have a crypto module which has an undocumented backdoor...

      Hmm.. Most high end crypto modules are designed on the East Coast of the Mediterranean. Some are even manufactured there. So yeah, why not...

      1. Anonymous Coward

        Re: Too fast and too trusty 2.0

        Where Foxconn stores the key and how it uses it to sign its code we don't know. Whether the key was stolen, or the signing system compromised, we don't know. And was the key stolen from Foxconn, or from the issuer? How was the key delivered, and where was it subsequently stored? Who could access the key?

        Properly managing keys is a delicate matter.

  2. Lee D

    Maybe or maybe not the certificate is forged using a stolen private key.

    The question begs, however, why ALL Foxconn-signed executables are trusted automatically just because they're signed by Verisign.

    This is the problem with Windows, and Windows admins particularly. Rather than "Look, this is all my known software, anything not on this list - whether signed or not - I want to know so I can authorise it on the network or not", they go for the "Microsoft must know better than me what some third-party who signs another third-party who signs some third-party software does, so I'll just let them all run by default".

    Sorry, Kaspersky, but I judge you immensely here. It's not where the file came from or who signed it that matters. It's what idiot didn't have a software authorisation list and/or put it on the authorisation list.

    If only they had an antivirus or Internet Suite capable of detecting unknown executables and allowing the network administrator to approve / not approve their execution...

    1. John Geek

      so every single driver update binary has to be on your 'authorized software list' ? how do they get there? who manages this list? how does your admin know list updates are valid ?

    2. Anonymous Coward

      "This is the problem with Windows"

      No, the ability to require everything to be signed and to control it to the package or vendor or certificate level is an advantage.

      "Look, this is all my known software, anything not on this list - whether signed or not - I want to know so I can authorise it on the network or not"

      Windows is quite capable of doing that to the vendor or package level via AppLocker, and some companies do. It can be a lot of work to maintain the list of authorised software though...

    3. regadpellagru

      Only MS

      "The question begs, however, why ALL Foxconn-signed executables are trusted automatically just because they're signed by Verisign."

      Indeed, AFAIK, only Microsoft issues windows core executables, so they should really be the only ones to sign them, and no-one else !

      Why joe foxconn can get anything installed and validated on Windows is a big problem. How many other companies ? HP, IBM, Lenovo, paypal ? FFS !!

      MS has to tighten the bolts of who the f**k can install any package on *their* OS. Windows is MS's OS, shall I remind everyone !

      Whatever the OEM deal is, with MS, MS has to keep control of its OS security, and that starts by being the sole responsible for exec's security.

      1. Anonymous Coward

        Re: Only MS

        Sure, the day MS starts to control what gets installed on its OS, all the Linux fanboys will start to complain about it... I foresee the day that MS blocks any non-approved browser running on Windows, and blocks Chrome because it can install in non-system-approved directories if the user has no permissions...

        Look at how much people complained about secure boot: it's exactly that, strictly checking what can be executed at boot under the full control of MS and a few others - of course Linux fanboys complained they would not be able to run unsigned code at boot....

        Each and every company needing a driver would need to wait for Microsoft to sign their software before being able to deliver it, and it would cost much more than obtaining a code signing certificate from a trusted CA. Sure, not much of an issue for big companies like Foxconn, but a lot of smaller ones producing hardware devices will not be so happy.

        1. Anonymous Coward

          Secure boot

          Secure boot is about what your FIRMWARE is willing to run. Linux people don't care if Microsoft locks down Windows so it only runs Microsoft signed code. But if a PC you buy can only run Microsoft signed code even when you intend to wipe the hard drive and install Linux, that's a real problem!

          1. Anonymous Coward

            Re: Secure boot

            Exactly, the real problem is if you could boot anything unsigned, then you have no way to ensure the trust of whatever is loaded after...

            I understand the need for machines where secure boot or the like can be disabled, but in some environments what you need are systems where it *can't* be disabled. And I don't mean game consoles, although even game console makers have their reasons, looking at the piracy levels. It's just another kind of attack costing them a lot of money.

            1. oldcoder

              Re: Secure boot

              NO.

              The REAL PROBLEM is not being allowed to sign your own code for loading...

              And that goes back to not being able to put your OWN certificate in the "secure boot" repository.

    4. Anonymous Coward

      Chains of trust

      You have to have some trusted roots if you want to allow interoperable certificates. Otherwise Microsoft has to sign everything themselves. Which isn't a bad idea, other than the increased workload. I don't know for sure, but I'll bet iOS doesn't extend a chain of trust to Verisign or anyone else, and only works with Apple's signing key. That's the benefit of a "walled garden".

    5. Anonymous Coward

      "The question begs, however, why ALL Foxconn-signed executables are trusted automatically just because they're signed by Verisign."

      Because that's how the whole PKI infrastructure is designed to work. If you have a code-signing certificate, and it's valid because it's not revoked and issued by a valid CA chain, you are trusted by design. Just like every site you access via https is trusted by design if it presents a valid certificate.

      The weakest point has always been the private key storage and management (besides checking a certificate status).

      Anyway, this shows exactly how much "hard work" is needed to write something like Duqu - you need to obtain the keys of a valid certificate, something beyond the reach of the average attacker - before Windows checked driver signatures, you could just write a driver and get it installed without any check. Is it the final solution? No. Is it better than before? Yes.

      Linux does something similar as well: packages need to be signed. Compromise those keys, and you can deliver packages happily installed by the OS without any warning. Moreover, because Linux executables are not signed, there's no way to check them after they are installed.

      If you like, you can remove almost all CAs from Windows... almost everything will raise warnings then...

  3. x 7

    it now makes extreme sense to revoke authentication on ALL Chinese-owned or Chinese-originated certs

    1. StephenTompsett

      And American, British, French,...

    2. Anonymous Coward

      "it now makes extreme sense to revoke authentication on ALL Chinese-owned or Chinese-originated certs"

      In this case you'll have to revoke Verisign or at least one of their root CAs. Good luck with that if you want to use https without an awful lot of extra warnings.

      1. x 7

        "In this case you'll have to revoke Verisign or at least one of their root CAs"

        If that's what it takes.......if it can't be trusted then it should be revoked. But surely it's only the particular batch of certs allocated to Foxconn? Nothing to suggest other Verisign certs are hacked - or have I missed something?

        1. cortland

          Possible

          means inevitable.

          Pardon me; I need to remove the coffee that just flew suddenly out of its cup and onto the ceiling.

      2. Anonymous Coward

        Maybe we should add a "region" to certificates like DVDs.... you can't play, oops, execute software not signed for your "region", or disable any region you like...

    3. This post has been deleted by its author

    4. oneeye

      At least Google and Mozilla have revoked Chinese certs going forward.

      https://nakedsecurity.sophos.com/2015/04/14/tls-certificate-blunder-revisited-whither-china-internet-network-information-center/

  4. Anonymous Coward

    > It's what idiot didn't have a software authorisation list and/or put it on the authorisation list.

    I am such an idiot. Where can I find a list of Windows kernel drivers (as this was) that states what their purposes are (so I can decide whether I need to run them or not) and who signed their certificates (so I can decide whether to trust them or not)?
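    The post above asks where to see which kernel drivers are running and who signed them, and an earlier comment describes the "valid CA chain and not revoked" condition that makes a signature trusted by design. As an added example (not from the article or any commenter), this PowerShell inventories the running kernel drivers, checks each file's Authenticode signature and its chain with online revocation checking, and reports anything not signed by a subject on a locally maintained allow list; the allow-list entry below is a constructed placeholder that an administrator would replace with their own inventory.

```powershell
# Added example, not from the article or the thread. Assumes an elevated PowerShell
# session on Windows. The allow list is a constructed placeholder: an administrator
# fills it with the signer subjects they have explicitly reviewed and approved.
$AllowedSubjects = @(
    'CN=Example Approved Signer, O=Example Corp, C=US'   # constructed placeholder
)

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports NT-style paths (\??\C:\... or \SystemRoot\...);
    # map them to ordinary Win32 paths so Get-AuthenticodeSignature can open them.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-SignerChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Build the signer's chain against this machine's trusted roots, with online
    # revocation checking and the code-signing EKU required; returns chain errors
    # (an empty list means the chain built cleanly and nothing was revoked).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning) | Out-Null
    [void]$chain.Build($Cert)
    return @($chain.ChainStatus | ForEach-Object { $_.Status })
}

Get-CimInstance Win32_SystemDriver |
  Where-Object { $_.State -eq 'Running' -and $_.PathName } |
  ForEach-Object {
    $file = Resolve-DriverPath $_.PathName
    if (-not (Test-Path $file)) { return }
    $sig = Get-AuthenticodeSignature -FilePath $file
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $errors  = if ($sig.SignerCertificate) { Test-SignerChain $sig.SignerCertificate } else { @() }
    [pscustomobject]@{
        Driver     = $_.Name
        File       = $file
        SigStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer     = $subject
        ChainError = ($errors -join ',')
        # A driver counts as approved only when the signature verifies, the chain is
        # clean, AND the signer is one the administrator explicitly allow-listed;
        # a merely "valid" certificate from any trusted CA is not enough.
        Approved   = ($sig.Status -eq 'Valid' -and $errors.Count -eq 0 -and
                      $AllowedSubjects -contains $subject)
    }
  } |
  Where-Object { -not $_.Approved } |
  Format-Table -AutoSize
```

    The report lists every running driver that is unsigned, fails verification, has a chain or revocation problem, or is signed by a subject not yet reviewed; the first run will be long, which is the maintenance cost the thread mentions.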

    1. Anonymous Coward

      Ya'd think there'd be a database for identifying such things. And not just Windows. I can see this being handy for that whole IoT category. Also have proper integrity checks on certificate chains. Oh, and keep a bunch of them in places that aren't a secret court order away from whitelisting anything they shouldn't. Still, a warrant canary for each repository as well.

    2. Anonymous Coward

      Good luck - each and every hardware device may need a kernel driver, if it's not supported by one of the standard ones.

  5. iLuddite

    C.U.R.Squad

    China,US,Russia - fine, upstanding members of the U.N. Security Council. Dogs.

  6. Christian Berger

    Again, code signing is not a security feature

    At best it's a way of protecting a business model. There should be laws against mandatory code signing.

    1. Anonymous Coward

      Re: Again, code signing is not a security feature

      Code signing is just a layer of protection. It's not the definitive answer to security threats, but it's better than not having it at all.

      And if there was such a law, it would mean Linux packages couldn't be signed either. Anyway Windows doesn't force you to sign executables. Just some unsigned executables will trigger big warnings when installed or executed - something of course a malware writer prefers to avoid - there are some small companies (and even some not so small...) delivering unsigned drivers, for example.

      The only ones happy without code signing would be those in dire need of cracking console games, because too greedy to pay for them.

      1. Christian Berger

        Re: Again, code signing is not a security feature

        "Anyway Windows doesn't force you to sign executables."

        Well UEFI "Secure" Boot might force you into getting a signed boot loader eventually. The requirement to be able to turn off "Secure" Boot was removed by Microsoft recently.

        And on mobile devices it's even worse. That's the main reason why you don't have a healthy culture of alternative operating systems on those.

        1. Anonymous Coward

          Re: Again, code signing is not a security feature

          "Well UEFI "Secure" Boot might force you into getting a signed boot loader eventually. The requirement to be able to turn off "Secure" Boot was removed by Microsoft recently."

          So Microsoft gives the vendors a choice, and you can vote for the vendors with your wallet.

          "That's the main reason why you don't have a healthy culture of alternative operating systems on those."

          It's also the main reason for zero Malware on Windows phones.

          1. oldcoder

            Re: Again, code signing is not a security feature

            Sorry, wrong... Windows phones are 80% of the mobile malware being spread to other places:

            https://www.hackread.com/microsoft-windows-devices-malware-infections/

  7. Aitor 1

    Verisign

    If I had to bet, I would bet on verisign selling the certs to a government.

    We already know the cert CAs are willing to make certs for MiM attacks, why not give the certs to a spy agency?

    1. Hans 1

      Re: Verisign

      The NSA already has private keys from almost all serious businesses on the planet ... no need to ask, they already have it.

  8. James Cane

    Bigger issue

    Absolutely fascinating.

    As Kaspersky themselves point out, the Duqu creators have never used their stolen certificate anywhere else and are willing to apparently throw it away, suggesting that they have a large supply of alternative certificates to call on.

    If that's true, then the certificate system is utterly, utterly broken.

    1. Mike Pellatt

      Re: Bigger issue

      the certificate system is utterly, utterly broken.

      There, fixed that for you.

      But we already knew that, before this came out.

  9. James Cane

    Why bother buying them?

    It's hardly surprising that a nation state attacker can obtain certificates.

    You can do a lot if you have complete legal immunity and a global spy and intelligence network. Particularly when you're able to recruit people for patriotic and/or ideological reasons and get them to do things they would normally refuse to do.

    They probably didn't need to hack or buy the certificates. It would be enough just to have an agent on the inside of one of the companies in the chain, and that company is probably still completely unaware of it.

    1. tesmith47

      Re: Why bother buying them?

      or just outright pay for the info, nation states have unlimited money!!
