Mice and men - dealing with Stuxnet, Duqu, and other pests! (Security Supplement)

Author: Calum MacLeod

It seems like we're infested, or at least so my wife tells me. Apparently the mice are everywhere, although I haven't seen any myself. While running the domestic anti-virus program last weekend (the vacuum cleaner), she came across the tell-tale signs of mice. So I was dispatched to the stores to buy the mouse destroyer, humane version of course, because no matter how much she hates the mice, we can't kill them! We just collect them and relocate them to the neighbours!

And the problem with mice is that you never know you have them until it's too late. It's only when you start to experience the consequences that you're able to take action, and it's always the same question from the wife: how did they get in here? It seems like having mice immediately marks you as some kind of degenerate, unfit to live anywhere near other humans.

And the same kind of thing applies to our IT environments. The question you often hear asked is: how did those "vermin" manage to install malware in my infrastructure?

Well it seems that the "vermin" are getting smarter by the day, and the latest trick is to use valid digital certificates as part of the malware. We first saw this with Stuxnet and Zeus which both apparently used signed digital certificates as part of their attack on vulnerable systems, and now the latest addition to the list is Duqu, which apparently is "signed" with a key belonging to a company in Taipei.

Stealing valid certificates is now big business, because trying to use a forged certificate, or altering a valid one, means that the system will alert the user when the driver tries to install. And alerting users or system admins to a possible issue is not the best way to survive. It's kind of like the mouse knocking on the door asking if it can come in: they need to be as inconspicuous as possible!

But you say that your AV will detect this. Unfortunately not, because your AV relies on detecting what it already knows about. If the malware that includes the signed driver is not already known, then your AV is not going to detect it. Like the mice, your AV is taking action only after detection.

Protecting Your Organisation

You can take preventative steps to significantly reduce the risk. Because these new exploits rely on using valid digital certificates, having the ability to detect new certificates on systems gives you the ability to act early. But this also implies that you have and maintain an up-to-date inventory of all the keys and certificates...
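The column stops short of showing what "detect new certificates against an inventory" looks like in practice. The script below is an added example written for this page, not code from the column or from any product it describes. It assumes the inventory is a mapping from the SHA-256 thumbprint of a certificate's DER encoding to the set of hosts that certificate was approved on, and that a scan reports, per host, the certificate blobs it found (PEM or DER). The certificate bytes in the sample are constructed placeholders, not real X.509 data; only the fingerprinting and comparison logic is meant to be reused.

```python
"""Flag certificates that are new to an inventory, or known certificates
that have turned up on a host they were not approved for.

Added example for this page (not the column's own code). Assumes:
  inventory = {thumbprint: set_of_hosts}   # what you have approved
  scan      = {host: [cert_blob, ...]}     # what a scan actually found
Certificate material below is constructed stand-in bytes, not real DER.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Matches one PEM certificate body; re.S lets "." span the base64 line breaks.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(blob: bytes) -> bytes:
    """Normalise PEM or DER input to DER so the same certificate gets the
    same thumbprint regardless of how a scanner exported it."""
    m = PEM_RE.search(blob)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return blob


def fingerprint(blob: bytes) -> str:
    """SHA-256 thumbprint of the DER encoding, as colon-separated hex."""
    digest = hashlib.sha256(to_der(blob)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass(frozen=True)
class Finding:
    host: str
    fingerprint: str
    reason: str  # "new-certificate" or "new-placement"


def detect_new_certificates(inventory, scan):
    """Compare a scan against the approved inventory.

    Returns Findings sorted by host: certificates never inventoried at all,
    and inventoried certificates seen on a host they were not approved for.
    Both are the "act early" signal the column is talking about.
    """
    findings = []
    for host, blobs in scan.items():
        for blob in blobs:
            fp = fingerprint(blob)
            if fp not in inventory:
                findings.append(Finding(host, fp, "new-certificate"))
            elif host not in inventory[fp]:
                findings.append(Finding(host, fp, "new-placement"))
    return sorted(findings, key=lambda f: (f.host, f.fingerprint))


# --- Constructed sample data (placeholder bytes, not real certificates) ---
CERT_A_DER = b"constructed-der-for-corporate-signing-cert"
CERT_B_DER = b"constructed-der-for-vendor-driver-cert"
CERT_C_DER = b"constructed-der-for-unknown-cert"


def as_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour, as a scanner might export them."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


INVENTORY = {
    fingerprint(CERT_A_DER): {"build01", "build02"},
    fingerprint(CERT_B_DER): {"ws-100"},
}

SCAN = {
    "build01": [CERT_A_DER],
    "ws-100": [as_pem(CERT_B_DER), CERT_C_DER],  # C was never inventoried
    "ws-101": [CERT_B_DER],                      # B not approved for ws-101
}

if __name__ == "__main__":
    for f in detect_new_certificates(INVENTORY, SCAN):
        print(f"{f.host}: {f.reason} {f.fingerprint}")
```

Running it reports the unknown certificate on ws-100 and the vendor certificate appearing on ws-101; the PEM copy of the vendor certificate on ws-100 fingerprints identically to its DER form and is therefore not flagged. In a real deployment the scan side would be fed by whatever enumerates certificate stores and signed drivers on each host, and every finding is a ticket to review rather than an automatic block.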