The Channel logo

News

By | John Leyden 15th June 2015 17:28

Duqu 2.0‬ malware buried into Windows PCs using 'stolen Foxconn certs'

Driver signed by Chinese factory giant, says Kaspersky

The super-sophisticated malware that infiltrated Kaspersky Labs is craftier than first imagined.

We're told that the Duqu 2.0 software nasty was signed using legit digital certificates issued to Foxconn – a world-leading Chinese electronics manufacturer, whose customers include Microsoft, Dell, Google, BlackBerry, Amazon, Apple, and Sony. The code-signing was uncovered by researchers at Kaspersky Lab, who are studying their Duqu 2.0 infection.

Windows trusts Foxconn-signed code because the Chinese goliath's certificate was issued by VeriSign, which is a trusted certificate root. Thus, the operating system will happily load and run the Foxconn-signed Duqu 2.0's 64-bit kernel-level driver without setting off any alarms. And that would allow the malware to get complete control over the infected machine.

Kaspersky Lab experts reckon Duqu's masterminds have been able to snatch copies of the private keys to various code-signing certificates, using a different one in each attack on an organization. The Foxconn certificate used in this instance was most likely stolen.

The Russian security firm said the Foxconn certificate leak undermines the use of digital certificates as a reliable tool for validating computer code: the whole point of them is to prove that software has not been tampered with, and was built by the vendor signing the executable.

Kaspersky Lab informed Foxconn and VeriSign of its findings before going public with a blog post on the latest twist in the Duqu 2.0 saga.

As previously reported, Duqu 2.0 exploits up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency – Israel's spies are suspected. Duqu 2.0 resides solely in the computer’s memory, with no data written to disk. The malware is viewed as an evolution of the earlier Duqu worm, a cyber-espionage toolkit discovered in 2011 and linked to the infamous Stuxnet worm. ®

comment icon Read 38 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'