Slashdot Mirror


New Destover Malware Signed By Stolen Sony Certificate

Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it's representative of the genre of malware that doesn't just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords. The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.

15 of 80 comments

  1. This whole Sony story by ruir · · Score: 5, Insightful

    gets better every time. This is not news anymore, it is a damn Mexican soap opera.

    1. Re:This whole Sony story by NotDrWho · · Score: 2

      It's like my grandpa always used to say "Kid, you DO NOT fuck with the HD-DVD Promotion Group!"

      --
      SJWs don't eliminate discrimination. They just expropriate it for themselves.

    2. Re:This whole Sony story by ShaunC · · Score: 2

      I think his point is that even billion-dollar enterprises, who can well afford to hire entire teams of information security and risk management professionals if they cared to do so, frequently don't bother. While IT in general is seen as a cost center and is often woefully underfunded, it at least exists, because management recognizes at some level that without employees to build and maintain that infrastructure, they wouldn't be able to check their email or load up their dashboards and revenue charts. Information security has no such tangible or visible benefit, and thus falls into the category of "why would we pay people for that?"

      The Sony case is interesting because this time around, unlike TJ Maxx, Target, Home Depot, et al it wasn't millions of faceless plebeian customers who got fucked over. No, this time the victim is the company itself. Nobody's going to fix this by issuing a boilerplate apology and offering victims a free year of useless credit monitoring service. The corporation is the one suffering (oh, the schadenfreude!); this actually scares enterprise management types, it's a threat that can be quantified. Sony's misfortune comes with the benefit that it's certainly cajoling a few other companies into taking a second look at their own security situations.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!

    3. Re:This whole Sony story by tlhIngan · · Score: 2

      You say that as though Sony's security practices are not normal for all Fortune 500 companies. There are probably a few shining examples of good behavior, but I haven't worked for a company in the last 15 years that cared to do more than the bare minimum. Even then it was only if they HAD to do it.

      One of the more famous hacks happened a few years ago, where hackers broke into one Sony website, then used the same vulnerability the next day to break into other Sony websites in another country. And repeated the same for several days, each day slurping up more data.

      It's one thing to have a vulnerability. It's another to not have it patched on all vulnerable sites.

  2. Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 3, Interesting

    Anyone working in IT will have no doubt come across those who I refer to as the "Certificate Crazies".

    These are people who, when confronted with a security issue of some sort, immediately try to remedy it with certificates.

    They insist on using certs everywhere from ssh authentication to signing apps. If certificates can be used, even if it makes the work unnecessarily awkward or even if it doesn't actually help in any way, they will insist on using certificates.

    And then normal people work around the awkwardness that certificates often bring, rendering them irrelevant.

    In practice, a certificate is nothing more than a long password that's impossible for a normal human to memorize. So it ends up in a file somewhere, if not several "somewheres", where it can be easily stolen. Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

    Meanwhile, the "Certificate Crazies" deny that this is a problem, even when confronted with stolen certificates that have been misused!

    After railing against passwords for so long, how do these "Certificate Crazies" often suggest getting around problems with stolen certificates? Why, they recommend using a short, human-friendly password that's needed in order to use the certs!

    These people are a joke.

    1. Re:Here come the certificate flaw deniers....... by blackpaw · · Score: 3, Informative

      I work for a small company that signs its code - pretty much required if you want to install in any enterprise these days.

      It's a certificate chain - we purchase a cert from a provider such as Verisign. They request basic proof of identity - business registration, contact number etc. They create a cert for us signed by them. Their cert is signed by Microsoft.

      We sign our app with our cert - anyone accessing the binary signed by us can verify it hasn't been altered and our cert was signed by Verisign, which was signed by Microsoft.

      Note that all this provides is proof that the exe was created by us. It in no way guarantees that we aren't distributing our own malware etc. But what it does provide is a way of tracing an exe back to the signer.

    2. Re:Here come the certificate flaw deniers....... by MouseR · · Score: 2

      Your certificate is authenticated by checking against its parent certificate authority. That parent also has a parent. Rinse and repeat until you reach one of the top certificate authorities. There are seven of those (or just about?).

      For as long as the parents are valid and your certificate is valid, then it's considered signed.

      VeriSign, a top certificate authority back in 2001, had made the news because its DB got compromised. All certificates underneath were disabled and the whole tree had to be re-created. Symantec bought VeriSign since.

    3. Re:Here come the certificate flaw deniers....... by IamTheRealMike · · Score: 3, Informative

      In practice, a certificate is nothing more than a long password

      Fail. A certificate contains a public key. This is nothing like a password. You're thinking of a private key. The whole point of a certificate is that you can prove your identity to someone without sending them your password.

      Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

      Double fail. Firstly, nobody actually steals certificates. Certificates are public. When someone says something was signed with a "stolen cert", what they actually mean is "stolen private key the public part of which is contained in a certificate signed by a trusted third party", but that's a mouthful, so we simplify and say "stolen cert".

      Secondly, private keys can and absolutely should be protected with a password! Or they can be kept in special hardware. However, as you may have noticed, Sony got pwned pretty hard so presumably whatever private key was stolen either had no password, or they were able to just keylog the password when it was used.

      These people are a joke.

      The joke is on you ..... certificates are not a replacement for passwords and if you think they are, you didn't understand what they're used for.

    4. Re:Here come the certificate flaw deniers....... by Smerta · · Score: 3, Informative

      First of all, kudos to your small shop for actually signing your executables. I still find myself needing to install software from companies ($100M+ companies) that don't sign their executables (IAR Systems (ARM cross compiler), I'm looking at you, for example...)

      Anyway, I just wanted to clarify one thing that you wrote, because a lot of people don't understand the security implications:

      Note that all this provides is proof that the exe was created by us

      Technically, all this provides is proof that the exe was created by someone who has your private signing key. That's exactly what's going on here with Sony. The whole signing / certificate thing works, right up to the point where the signing key is leaked or extracted. I know you know this, but it's important enough IMO that it merits re-stating...

    5. Re:Here come the certificate flaw deniers....... by ledow · · Score: 2

      Is this not why we have CRLs, though?

      You can't guarantee your key won't be stolen and used to sign malware. But you can say that you'll revoke it when that's the case, and re-sign your official software with the new key.

      Sure, it's a pain, and I don't know if Sony have done this - but the facility is there for the original owner to say "Actually, no, that's no longer a trusted cert... here, have this one instead".

  3. Re:Why is the signing useful by geogob · · Score: 3, Informative

    The aim of signing is to assure users that the software they install is authentic (and assumed to be safe). Most users will blindly trust non-signed software and drivers... almost no user will suspect a signed package. That's already something.

    Furthermore, it also adds a bit to the drama of the whole story. For the hackers it's a bit like sitting on the throne with the crown on their head after having killed the king. They obviously like to humiliate their prey, and to that effect compromising their certificates in this way is wonderfully effective.

  4. Oh great, now I can't trust Sony by NotDrWho · · Score: 4, Funny

    Just yesterday, they were the bastion of trustworthy software. Now this!

    --
    SJWs don't eliminate discrimination. They just expropriate it for themselves.

  5. Malware compromising machines? by lippydude · · Score: 2

    Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP ..

  6. Re:Why is the signing useful by benjymouse · · Score: 2

    What benefit does the attacker get by signing the malware with a company's certificate?

    Windows has a mechanism where kernel-mode drivers must be signed. For certain mandatory, early-load drivers (e.g. anti-malware tools, measured boot tools) the drivers must be signed by Microsoft. But Windows allows other kernel-mode drivers to be loaded as long as they are signed using a valid, non-revoked code-signing cert from (IIRC) Verisign.

    Kernel-mode drivers can obviously access memory in kernel-mode. This is a common way for malware to take a foothold on a Windows machine. It is really hard to ensure that malware is executed during boot otherwise.

    Expect this certificate to be revoked in the near future. This will close that avenue, and cause all machines infected with drivers signed by the cert to refuse to load the malware driver.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*

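
The chain blackpaw describes, Smerta's point that a signature proves only who held the private key, and the CRL remedy ledow and benjymouse mention, worked through with Go's standard library as an added example that is not from this thread or from any poster: a self-signed test CA issues a publisher certificate, any holder of the publisher key produces a signature that verifies identically, and only a CA-signed CRL naming the certificate's serial makes verification fail. Names, serials and the one-day validity are constructed, and `verify` is cut down to the three checks the posters describe, whereas a real client (Windows' signature check included) also enforces validity dates and key usage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts on error: everything below is constructed test data, never user input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for key, signed by signer; parent nil means a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, key, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer))))
}

// revoke is the owner's remedy after a key leak: a CA-signed CRL naming the leaked cert's serial.
func revoke(ca *x509.Certificate, caKey ed25519.PrivateKey, leaked *x509.Certificate) *x509.RevocationList {
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaked.SerialNumber, RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))))
}

// verify: pub signed by the trusted CA, data signed by pub's key (whoever held it), serial not on a CA-signed CRL.
func verify(ca, pub *x509.Certificate, crl *x509.RevocationList, data, sig []byte) bool {
	if pub.CheckSignatureFrom(ca) != nil || !ed25519.Verify(pub.PublicKey.(ed25519.PublicKey), data, sig) {
		return false
	}
	if crl != nil && crl.CheckSignatureFrom(ca) == nil {
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(pub.SerialNumber) == 0 {
				return false // the cert itself still validates; only the CRL says no
			}
		}
	}
	return true
}
```

To run the flow: generate ed25519 keys with ed25519.GenerateKey(nil), call issue for the CA (parent nil) and for the publisher, sign with ed25519.Sign, then verify before and after revoke.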
  7. Apparently not. by Anonymous Coward · · Score: 4, Informative

    From ISC SANS

    "Update: Turns out that the malware sample that Kaspersky was reporting on was not actual malware from a real incident. But the story isn't quite "harmless" and the certificate should still be considered compromised. A researcher found the certificate as part of the SONY data that was widely distributed by the attackers. The filename for the certificate was also the password for the private key. The researcher then created a signed copy of an existing malware sample retrieved from Malwr, and uploaded it to Virustotal to alert security companies. Kaspersky analyzed the sample, and published the results, not realizing that this was not an "in the wild" sample. [1] The certificate has been added to respective CRLs."