Points to a highly sophisticated industrial espionage operation

Jul 20, 2010 08:10 GMT  ·  By

Security researchers from ESET have found a new piece of digitally signed malware related to the recently discovered Stuxnet worm. The new threat was created last week and abuses a certificate from a different integrated circuits (IC) manufacturer called JMicron Technology Corporation.

The hottest topic in the antivirus community right now is a new highly advanced worm called Stuxnet. The malware was discovered back in June by security researchers from Belarusian antivirus vendor VirusBlokAda, but only came to the attention of the general public last week.

There are several aspects about Stuxnet that have intrigued security researchers and malware analysts. First, it propagates by exploiting a previously unknown Windows vulnerability. Secondly, its components, including two drivers with rootkit behavior, are digitally signed, something very unusual for malware.

However, even more intriguing is that the malware is signed with a certificate belonging to Realtek Semiconductor Corp., a large manufacturer of networking, peripheral and multimedia computer chipsets. Finally, the Stuxnet malware seems to serve industrial espionage efforts, a hypothesis suggested by the fact that it steals information from databases used by Siemens SIMATIC WinCC Supervisory Control And Data Acquisition (SCADA) systems.

At the end of last week Microsoft announced that, with consent from Realtek, VeriSign has revoked the already-expired certificate used to sign the Stuxnet malware. However, it seems that this might only be the beginning of a series of highly sophisticated attacks employing similar tactics.

“On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called 'JMicron Technology Corp'. This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp.,” Pierre-Marc Bureau, senior researcher at antivirus vendor ESET, announces on the company's Threat Blog.

JMicron Technology Corp. is also a manufacturer of integrated circuits, known for its Serial ATA chipsets which are integrated into many computer motherboards. Mr. Bureau points out that JMicron and Realtek are both Taiwanese companies and both have their headquarters in the Hsinchu Science Park.

The new malicious file is called jmidebs.sys and installs itself as a system driver. Once loaded into memory, the component displays rootkit behavior and injects code into running processes with the purpose of stealing information. It is also noteworthy that this file has a compilation date of July 14th 2010, a day before the news about Stuxnet broke.

“We rarely see such professional operations. They either stole the certificates from at least two companies or purchased them from someone who stole them. At this point, it isn't clear whether the attackers are changing their certificate because the first one was exposed or if they are using different certificates in different attacks, but this shows that they have significant resources,” the ESET security researcher concludes.
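The defensive check this story calls for is a review of which kernel drivers on a host are signed, by whom, and whether the signature still validates now that the Realtek certificate has been revoked. The following PowerShell script is an added example, not code from ESET, Microsoft or the article; the signer names and the jmidebs.sys file name come from the text above, while the path normalization and the watch-list structure are this example's own assumptions.

```powershell
# Added example: audit loaded system drivers for signature problems or for signers named in
# the Stuxnet reporting. Watch-list values come from the article; the rest is assumed here.
$WatchSigners = @('Realtek Semiconductor', 'JMicron Technology')
$WatchFiles   = @('jmidebs.sys')

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may be absolute, \SystemRoot\..., \??\C:\..., or relative.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                      # strip the \??\ object-manager prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # e.g. system32\drivers\x.sys
    return $p
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path $path)) { continue }

    # Get-AuthenticodeSignature validates the chain; an expired-but-timestamped signature is
    # still Valid, whereas a revoked or untrusted signer yields a non-Valid status.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $name   = [IO.Path]::GetFileName($path).ToLower()

    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    foreach ($w in $WatchSigners) {
        if ($signer -like "*$w*") { $reasons += "signer on watch list ($w)" }
    }
    if ($WatchFiles -contains $name) { $reasons += 'file name reported in Stuxnet analysis' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver = $drv.Name;  State  = $drv.State;  Path   = $path
            Signer = $signer;    Status = $sig.Status; Reason = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Status | Format-Table -AutoSize
```

A signer-watch-list hit is a prompt for review, not a verdict: genuine Realtek and JMicron drivers carry the same subject names, so compare any flagged file against a vendor-supplied copy or known-good hash before acting.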

You can follow the editor on Twitter @lconstantin