VeriSign working to mitigate Stuxnet digital signature theft

VeriSign is looking to halt the use of its customers' digital signatures to sign the Stuxnet Malware currently targeting SCADA systems. On Tuesday, the company briefly explained those plans to us, and also confirmed the two certificates that were being maliciously used are no longer valid.

When Stuxnet was first discovered, one of the things that stood out was that it was digitally signed. Stuxnet targets the WinCC SCADA system by Siemens and uses a digital signature from Realtek Semiconductor Corp.

[Note: More information on the Windows Shell vulnerability being used to spread Stuxnet can be found here and here]

The digital signature has since been revoked, but most SCADA environments will require that software be signed before it is allowed to run. The assumption is that Realtek’s key was compromised, which allowed it to be used maliciously.

Shortly after the Realtek signature was revoked, variants of Stuxnet started to spread that were signed with a signature from JMicron Technology Corp. The visible connection is that both Realtek and JMicron have offices in the same industrial park in Taiwan.

This leads to speculation that there is a targeted attack on businesses in the area. The widely accepted assumption is that both companies were infected with Zeus, which has a module capable of capturing digital signatures.

The Tech Herald spoke to VeriSign’s Tim Callan by phone on Tuesday, hoping to get some insight into what the company was doing to address the malicious use of its customers' certificates.

Interestingly, VeriSign was not made aware of the Realtek digital signature issue until it appeared in the media. Also, it had no confirmation or details on whether a Malware infection caused the keys to be compromised.

After investigating reports, VeriSign reached out to Realtek and informed it that its certificate was being used to sign malicious code. Realtek was also unaware of the issue, and promptly agreed to allow VeriSign to revoke the certificate used to sign the Malware, as well as the renewal of that certificate, issued shortly after the compromised one expired.

This process was repeated with JMicron, and its certificate was revoked as well. As was the case with Realtek, JMicron was not aware that its certificate was being used to sign malicious code.

At this stage, VeriSign is as much a victim as its clients. It is also in a place where it wants to take action, but needs to walk a thin line. Attack types change all the time, so VeriSign draws on previous experience and deals with issues while being respectful of its customers' business.

While it would be easy to simply revoke and replace all customer certificates, VeriSign will not and cannot jeopardize its customers' operations, Callan told us. There could be massive issues if it simply started revoking certificates blindly.

That said, VeriSign isn’t sitting idle. The company is working on plans that will remove it from a reactive posture. One plan, still being discussed internally, involves getting an inventory of certificates used to sign legitimate code by customers in the same business park as Realtek and JMicron.

The inventory would include all of the certificates from the same timeframe as those that have been compromised, in addition to other elements. With such a list, VeriSign could then preemptively contact customers and deal with potential issues by revoking certificates and replacing them before they are used to sign Malware.

“This isn’t a definite plan. It is a plan being investigated. It is something that could work, but we need to determine that before it is implemented,” Callan said.

We’ll keep up with VeriSign, and update this story if and when more information is available.

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.