Possible New Rootkit Has Drivers Signed by Realtek
Dennis Fisher writes on ThreatPost:
Security researchers have identified a new suspicious program that is copying itself to PCs via USB mass storage devices and is digitally signed with the certificate of Realtek Semiconductor, a major manufacturer of computer products based in Taiwan.
More here.
The program, known as Stuxnet, looks like a somewhat standard-issue piece of malware, with a couple of key exceptions. Stuxnet uses an LNK file to launch itself from infected USB drives onto PCs. LNK files are used by Windows programs as a shortcut or reference to an original file, and this is thought to be the first instance of a piece of suspected malware using an LNK file to infect machines. Secondly, and far more worrisome, is the fact that the two drivers associated with the Trojan are digitally signed with the Realtek certificate.
"However, sometimes cybercriminals do somehow manage to get their hands on their very own code signing certificate/signature. Recently, we’ve been seeing regular instances of this with Trojans for mobile phones. When we identify cases like this, we inform the appropriate certification authority, the certificate is revoked, and so on," Aleks Gostev of Kaspersky Lab said in a blog post on the Trojan. "However, in the case of Stuxnet, things look very fishy indeed. Because the Trojan isn’t signed with a random digital signature, but the signature of Realtek Semiconductor, one of the biggest producers of computer equipment."
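The practical lesson of the Realtek-signed drivers is that "signed and chains to a trusted root" is not the same as "expected publisher". The following is an added example, not code from the ThreatPost article or from any of the researchers it quotes: it inventories every driver registered on a Windows host, records who signed it, and flags anything unsigned, failing validation, or signed by a publisher outside an allow-list. It assumes Windows PowerShell 5.1 or PowerShell 7 with the built-in Get-CimInstance and Get-AuthenticodeSignature cmdlets; the $ExpectedPublishers list and the Get-DriverSignerReport function name are this example's own choices.

```powershell
# Added example (not from the article or the Stuxnet write-ups it cites):
# list the Authenticode signer of every registered driver so that a driver
# signed by an unexpected publisher stands out even when its signature is valid.
# Assumes Windows PowerShell 5.1 / PowerShell 7 with the built-in cmdlets
# Get-CimInstance and Get-AuthenticodeSignature.

# Hypothetical allow-list of publisher subject fragments; tune it to your fleet.
$ExpectedPublishers = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

function Get-DriverSignerReport {
    param([string[]]$ExpectedPublishers)

    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object {
            # Some kernel components report no on-disk path; skip those.
            if ([string]::IsNullOrEmpty($_.PathName)) { return }

            # PathName may be an NT path (\??\C:\... or \SystemRoot\...); normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $cert   = $sig.SignerCertificate
            $signer = if ($cert) { $cert.Subject } else { '<unsigned>' }

            # A signer matches if any allow-listed fragment appears in its subject.
            $matched = $ExpectedPublishers | Where-Object { $signer -like "*$_*" }

            [pscustomobject]@{
                Driver     = $_.Name
                Path       = $path
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer     = $signer
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                Unexpected = (-not $matched)
            }
        }
}

# Drivers that are unsigned, fail validation, or carry a valid signature from a
# publisher you did not expect are the ones worth pulling for closer analysis.
Get-DriverSignerReport -ExpectedPublishers $ExpectedPublishers |
    Where-Object { $_.Unexpected -or $_.Status -ne 'Valid' } |
    Sort-Object Signer |
    Format-Table Driver, Status, Signer, Thumbprint -AutoSize
```

Run it from an elevated prompt so every driver path is readable. The important column is Signer, not Status: a driver signed with a stolen but still-valid publisher certificate reports Status Valid, exactly as the Realtek-signed Stuxnet drivers would have, so the check has to be "is this the publisher I expect for this driver", and the Thumbprint column gives you a value to pivot on across hosts once a certificate is known to be abused.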