NEWS FROM THE LAB - Tuesday, July 20, 2010

Another Signed Stuxnet Binary Posted by Sean @ 13:00 GMT

There are a couple of new developments in the Stuxnet rootkit case. Last night, the analysts in our Kuala Lumpur lab added detection for another digitally signed Stuxnet driver. This one is signed with a certificate issued to JMicron Technology Corporation.

Our detection for this new binary is Rootkit:W32/Stuxnet.D.

Here's the Digital Signature Details tab from the file properties:

[Screenshot: JMicron cert, Digital Signature Details]

And here's the Certificate:

[Screenshot: JMicron cert]

Here's the certificate details via VeriSign:

[Screenshot: JMicron leaked cert, VeriSign info]

This particular certificate is valid until July 25, 2012.
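As an added example (not from the original post or from F-Secure), the check a defender would run on a Windows host after reading this: list the kernel drivers whose Authenticode signer matches the vendor names in the post, and report each signing certificate's validity window and online revocation status. The vendor substrings and the driver directory are assumptions.

```powershell
# Added example, not F-Secure's code: inventory drivers signed under the vendor names
# named in the post and show signature status, cert validity window and revocation state.
$SuspectSigners = @('JMicron', 'Realtek')      # assumed substrings, matched against the signer Subject
$DriverDir      = Join-Path $env:SystemRoot 'System32\drivers'   # assumed location to sweep

function Get-ChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with an online CRL/OCSP lookup so a revoked leaf certificate is reported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($Cert)) { return 'OK' }
    # Collapse the status flags (Revoked, NotTimeValid, RevocationStatusUnknown, ...) into one string.
    return (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}

Get-ChildItem -Path $DriverDir -Filter '*.sys' -ErrorAction SilentlyContinue | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return }          # unsigned drivers are a separate question; skip here
    $subject = $cert.Subject
    if (-not ($SuspectSigners | Where-Object { $subject -like "*$_*" })) { return }
    [PSCustomObject]@{
        Driver     = $_.Name
        SigStatus  = $sig.Status             # Valid / NotTrusted / HashMismatch / ...
        Signer     = $subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter          # the JMicron cert in the post runs until 2012-07-25
        Chain      = Get-ChainStatus -Cert $cert
    }
} | Format-Table -AutoSize
```

A match on the signer name is only a prompt to look closer: legitimate JMicron and Realtek drivers are signed with the same identities, so compare the thumbprint and the chain result, and remember that a timestamped Authenticode signature stays valid after the certificate expires even though a fresh chain build will flag it NotTimeValid.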

While there are some modifications, initial analysis indicates that this new driver is very similar to the first set of Stuxnet samples we've seen, with the same basic functions and approach.

A hat tip to Pierre-Marc Bureau at ESET, who notes that JMicron and Realtek Semiconductor Corp both have offices in Hsinchu Science Park, Taiwan. Realtek is the source of the previously used certificate, which has since been revoked by VeriSign.

We've speculated internally that Realtek's Authenticode leak could have resulted from Aurora-style attacks that targeted source code management systems, but now, given the physical proximity of these two companies, we wonder whether some physical penetration was also involved.

Additional news regarding Stuxnet is that Siemens, whose SIMATIC WinCC databases are targeted, has advised against changing their SCADA system's hardcoded password. The concern is that changing the password would create damaging conflicts.

Robert McMillan has more on this at PCWorld.

Updated to add: ICS-CERT has published a useful advisory [PDF] which includes all the file names needed to scan for Stuxnet infections on computers with no antivirus installed.