Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Destover Malware Signed By Stolen Sony Certificate

Posted by Soulskill on from the everything-but-the-kitchen-sink dept.

Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it's representative of the genre of malware that doesn't just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords. The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.

5 of 80 comments (clear)

  1. Re:Why is the signing useful by geogob · · Score: 3, Informative

    The aim of signing is to ensure users that the software their install is authentic (and assumed to be safe). Most users will blindly thrust non-signed software and drivers... almost no user will suspect a signed package. That already something.

    Furthermore, it also adds a bit to the drama of the whole story. For the hackers it's a bit like sitting on the throne with the crown on their head after having killed the king. The obviously like to humiliate their pray, and to that effect compromising their certificates in this way is wonderfully effective.

  2. Re:Here come the certificate flaw deniers....... by blackpaw · · Score: 3, Informative

    I work for a small company that signs its code - pretty much required if you want to install in any enterprise these days.

    Its a certificate chain - we purchase a cert from a provider such as Verisign. They request basic proof of identity - business registration, contact number etc. They create a cert for us signed by them. Their cert is signed by Microsoft.

    We sign our app with our cert - anyone accessing the binary signed by us can verify it hasn't been alterated and our cert was signed by Verisign, which was signed by Microsoft.

    Note that all this provides is proof that the exe was created by us. It in no way guareentees that we aren't distributing our own malware etc. But what it does provide is a way of tracing a exe back to the signer.

  3. Re:Here come the certificate flaw deniers....... by IamTheRealMike · · Score: 3, Informative

    In practice, a certificate is nothing more than a long password

    Fail. A certificate contains a public key. This is nothing like a password. You're thinking of a private key. The whole point of a certificate is that you can prove your identity to someone without sending them your password.

    Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

    Double fail. Firstly, nobody actually steals certificates. Certificates are public. When someone says something was signed with a "stolen cert", what they actually mean is "stolen private key the public part of which is contained in a certificate signed by a trusted third party", but that's a mouthful, so we simply and say "stolen cert".

    Secondly, private keys can and absolutely should be protected with a password! Or they can be kept in special hardware. However, as you may have noticed, Sony got pwned pretty hard so presumably whatever private key was stolen either had no password, or they were able to just keylog the password when it was used.

    These people are a joke.

    The joke is on you ..... certificates are not a replacement for passwords and if you think they are, you didn't understand what they're used for.

  4. Re:Here come the certificate flaw deniers....... by Smerta · · Score: 3, Informative

    First of all, kudos to your small shop for actually signing your executables. I still find myself needing to install software from companies ($100M+ companies) that don't sign their executables (IAR Systems (ARM cross compiler), I'm looking at you, for example...)

    Anyway, I just wanted to clarify one thing that you wrote, because a lot of people don't understand the security implications:

    Note that all this provides is proof that the exe was created by us

    Technically, all this provides is proof that the exe was created by someone who has your private signing key. That's exactly what's going on here with Sony. The whole signing / certificate thing works, right up to the point where the signing key is leaked or extracted. I know you know this, but it's important enough IMO that it merits re-stating...

  5. Apparently not. by Anonymous Coward · · Score: 4, Informative

    From ISC SANS

    "Update: Turns out that the malware sample that Kaspersky was reporting on was not actual malware from a real incident. But the story isn't quite "harmless" and the certificate should still be considered compromised. A researcher found the certificate as part of the SONY data that was widely distributed by the attackers. The filename for the certificate was also the password for the private key. The researcher then created a signed copy of an existing malware sample retrieved from Malwr, and uploaded it to Virustotal to alert security companies. Kaspersky analyzed the sample, and published the results, not realizing that this was not an "in the wild" sample. [1] The certificate has been added to respective CRLs."