Afumati, Romania (PressExposure) July 25, 2010 -- Experts from Kaspersky Lab are examining a new type of malware, the Stuxnet Trojan, which spreads through USB storage devices and carries a digital signature of Realtek Semiconductor, one of the largest manufacturers of integrated circuits and computer components. Antivirus solutions automatically classify digitally signed software as "clean" and even add it to the list of "reliable" programs (the whitelist).
The problem was reported by Kaspersky Lab analysts and specialists from the IT security company VirusBlokAda (VBA) in Belarus. This new Trojan has two noteworthy features: it uses LNK files to launch commands from an infected USB stick, rather than the traditional Autorun.inf, a method not seen until now, and it is digitally signed by Realtek, according to Landing News.
"Digitally signed malware is a nightmare for antivirus software developers," said Aleks Gostev, Chief Security Expert, Global Research and Analysis Team, Kaspersky Lab. "Digital signatures show that a program is legitimate, and they represent a basic concept in computer security. Cyber criminals use such digital signatures, randomly chosen, to give legitimacy to the programs they create, but in the case of Stuxnet the situation is different. We are not talking about just some signature; we are facing the very guarantee provided by Realtek, one of the leading manufacturers of IT equipment," added Gostev.

The digitally signed files (Rootkit.Win32.Stuxnet) have rootkit functionality: they hide the malware on the system and on the USB sticks they infect. To make sure that the certificate really is Realtek's, Kaspersky Lab experts verified it with VeriSign, which confirmed that fact.
The files were signed on January 25, 2010, and the certificate expired on June 12, 2010, a date that coincides with when Stuxnet was first identified by VBA. Kaspersky Lab experts have several hypotheses about how this malicious file came to be signed by Realtek, but will publish the results of their analysis once one of these hypotheses is confirmed. Currently, the two basic components of the Stuxnet Trojan are Rootkit.Win32.Stuxnet (digitally signed drivers) and Dropper.Win32.Stuxnet, and the geography of their spread indicates India as the country of origin.
VeriSign has revoked the certificate, as well as a recently discovered one belonging to JMicron Technology Corp., also used by the cyber criminals who created Stuxnet. However, this does not mean that users will be protected: Stuxnet samples that are already signed will continue to infect operating systems, but the certificates can no longer be used to sign other versions of the Trojan. Kaspersky Lab recommends that all users make sure their computers have an advanced security solution installed, with up-to-date updates.