Stuxnet Malware Signed With JMicron Certificate
Security researchers at anti-virus firm ESET say they have discovered a digitally signed malicious program associated with the recently found Stuxnet worm.
The new malicious driver, which appeared during the third week of July 2010, is signed with a certificate belonging to JMicron Technology Corporation, a manufacturer of integrated circuits.
Pierre-Marc Bureau, Senior Researcher at ESET, says this driver is distinct from the earlier ones, which were signed with a certificate from Realtek Semiconductor Corp., as ESET reported on July 19, 2010.
The malicious program, known as jmidebs.sys, installs itself as if it were a legitimate system driver, and its role closely resembles that of the earlier drivers used by Win32/Stuxnet. The new driver locates processes running on an infected PC and injects code into them, and that code quietly steals information.
Bureau says such a level of skill is rarely seen. In his view, the attackers either stole the certificates from two or more companies themselves or bought them from someone who had stolen them.
Bureau adds that it is still unclear whether the attackers changed certificates because the first one was exposed, or whether they use separate certificates for separate attacks. Either way, everything observed so far clearly indicates that the attackers have considerable resources, he concludes.
According to the researchers, this information is valuable because it can yield further clues about the people controlling Win32/Stuxnet.
Stuxnet stands out in two respects. First, it spreads by exploiting a new Windows flaw. Second, unlike other malware, its components, including two drivers with rootkit functionality, carry a digital signature.
When Stuxnet became public, Microsoft announced that VeriSign, with Realtek's consent, had revoked the certificate used to sign the malware, even though it had already expired. Still, this may only mean that more sophisticated attacks using similar tactics are on the way.
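As an added defender's check, not part of the original article or ESET's own tooling: the PowerShell below inventories the drivers under System32\drivers, records each file's Authenticode status, signer and certificate expiry, and flags the driver name and signer vendors named above. The file name and vendor strings come from the article; the directory, variable names and flag labels are assumptions.

```powershell
# Added example (not from the article): inventory driver signatures and
# flag the indicators the article names. Run in an elevated PowerShell.

# Indicators taken from the article; extend as needed.
$suspectNames   = @('jmidebs.sys')
$suspectSigners = @('JMicron', 'Realtek')

# Assumed location of installed kernel drivers.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate

    $flags = @()
    if ($suspectNames -contains $file.Name.ToLower()) { $flags += 'name-match' }
    if ($cert -and ($suspectSigners | Where-Object { $cert.Subject -match $_ })) {
        $flags += 'signer-match'
    }
    if ($cert -and $cert.NotAfter -lt (Get-Date)) { $flags += 'cert-expired' }
    if ($sig.Status -ne 'Valid') { $flags += "status-$($sig.Status)" }

    [PSCustomObject]@{
        File       = $file.Name
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Flags      = ($flags -join ',')
    }
}

# Show only entries that tripped a flag; drop the filter to see everything.
$report | Where-Object { $_.Flags } | Sort-Object File | Format-Table -AutoSize
```

Many inbox drivers are catalog-signed rather than embedded-signed, and an expired certificate on an older timestamped signature is normal, so the flags direct attention for manual review rather than declare a file malicious.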
Related article: Stuxnet Virus Created More Than A Year Back
» SPAMfighter News - 31-07-2010