July 16th, 2010, 15:05 GMT · By

Signed Malware Used Valid Realtek Certificate

Malware used in industrial espionage signed with Realtek certificate
Security researchers have confirmed that the newly discovered malware, which spreads by exploiting an unpatched Windows vulnerability, was signed with a valid code-signing certificate belonging to Realtek Semiconductor. The targeted SCADA system also appears to use a hard-coded username and password for accessing its database.

Yesterday, most security news websites and blogs reported the discovery of a peculiar piece of malware, which baffled security researchers. For one, it was exploiting a previously undisclosed vulnerability in the way Windows processes .LNK files, a claim still being investigated by Microsoft.

Secondly, its payload, two rootkit components that are installed as system drivers, was digitally signed. Finnish antivirus vendor F-Secure confirmed today that a valid certificate issued to Realtek Semiconductor Corp., a manufacturer of networking, peripheral and multimedia chipsets, was used to sign them.

Code signing was introduced in Windows NT, but has only been actively enforced since Windows Vista. In order to sign their code, developers generate a key pair and obtain a code-signing certificate for the public key from a certificate authority (CA); the private key stays with the developer, which is why a stolen key lets anyone sign code as that developer. Operating systems are designed to trust, by default, any signature whose certificate chains up to a CA in their trusted root store.

There are several advantages for malware authors in signing malicious code. For example, 32-bit versions of Windows Vista and 7 display a warning when a driver that is not properly signed is installed, while 64-bit versions refuse to load unsigned kernel drivers at all. Signing a rootkit driver therefore makes the infection process much more straightforward and silent.

A second advantage is that antivirus products can be tricked by properly signed binaries. Because signed malware is so rare, a detection that tags a signed file as malicious will almost always turn out to be a false positive, so signed files tend to receive less scrutiny.

But even with all these benefits, signing malware is still not considered viable, especially for malware meant for mass infection. First of all, it is fairly hard to obtain an Authenticode certificate. You either have to buy one and then misuse it, trick a third party into signing your malware, or steal one, which is probably what the creators of this trojan did.

Going to this kind of trouble can only mean one thing: this malware was used in a highly targeted attack. The fact that the rootkit searches for the presence of a SCADA system database only reinforces this hypothesis. This is most likely malware for industrial espionage.

Furthermore, the F-Secure researchers warn that “Regarding the SCADA systems that are being targeted, the Siemens SIMATIC WinCC database appears to use a hardcoded admin username and password combination that end users are told not to change. Thus, any organization successfully compromised by this targeted attack could be completely vulnerable to database compromise.”
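The practical lesson of the signing discussion above is that a driver with a valid Authenticode signature is not automatically a trustworthy driver; the signature only tells you which certificate holder (or whoever stole their key) produced it. The following PowerShell script is an added example, not code from the article, F-Secure or Realtek. It inventories every kernel driver registered on a Windows host, records the signature status and signer, and flags any driver whose signer is not on a local allowlist, so that an unexpected but valid signer is reviewed rather than waved through. It assumes PowerShell 3 or later, and the `$ExpectedSigners` patterns are illustrative placeholders that you would replace with the vendors you actually expect on the host.

```powershell
# Added example (not from the article or from any vendor): inventory the
# Authenticode signers of every registered kernel driver and treat "Valid"
# as an inventory attribute, not as a verdict.
# Assumption: $ExpectedSigners is an illustrative local allowlist; adjust it.
$ExpectedSigners = @(
    'CN=Microsoft Windows*',
    'CN=Microsoft Windows Hardware Compatibility Publisher*'
)

function Get-DriverSignatureReport {
    param(
        [string[]]$ExpectedSigners
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry \??\ or \SystemRoot\ prefixes, or be relative
            # to the Windows directory; normalise it to an absolute file path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') {
                $path = Join-Path -Path $env:SystemRoot -ChildPath $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            $subject = if ($cert) { $cert.Subject } else { '<unsigned>' }

            $expected = $false
            foreach ($pattern in $ExpectedSigners) {
                if ($subject -like $pattern) { $expected = $true; break }
            }

            [pscustomobject]@{
                Driver      = $_.Name
                State       = $_.State
                Path        = $path
                Status      = $sig.Status
                Signer      = $subject
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                TimeStamped = [bool]$sig.TimeStamperCertificate
                # A valid signature from a signer you do not expect is exactly
                # the situation described in the article: review it, do not
                # whitelist it because Status says Valid.
                Review      = ($sig.Status -ne 'Valid') -or (-not $expected)
            }
        }
}

# Usage: show only the drivers that need a human look, grouped by signer.
Get-DriverSignatureReport -ExpectedSigners $ExpectedSigners |
    Where-Object { $_.Review } |
    Sort-Object Signer, Driver |
    Format-Table Driver, State, Status, Signer, NotAfter -AutoSize
```

The report keys on the signer identity rather than on the Status column alone because, until the issuing CA revokes a stolen certificate and the host learns of that revocation, a signature made with the stolen key verifies exactly like a legitimate one. Keeping a per-host baseline of signer thumbprints and diffing new runs against it turns a signed rootkit driver from a silent install into a visible change.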

You can follow the editor on Twitter @lconstantin