Back in July we saw the Stuxnet worm targeting industrial control systems. The Stuxnet authors stole the digital signatures of two Taiwanese chip makers and used them on the rootkit employed by the worm. Just how they were getting their hands on the private keys needed to steal the signatures remains a missing piece of the Stuxnet puzzle.
In order to digitally sign a binary you must have a private key. If attackers can gain possession of the key they can steal the key owner’s signature; therefore, the owner of the private key should ensure that it remains private. Somehow, these private keys were stolen and used by the Stuxnet authors to sign the rootkit in order to ensure that it would be loaded by Windows Vista and Windows 7.
Obtaining a private key for a digital certificate may not be as difficult as one imagines. Infostealer.Nimkey is an example of a threat that steals PKCS#12 public key certificate files. PKCS#12 certificates are different from ordinary public key certificates—they can contain not only public keys but private keys, too.
This threat appears to have been distributed by spam email messages containing links to compromised websites hosting the Trojan in Italy, Hungary, Germany, and the US states of Texas and Florida. It arrives as a file with a .com filename extension such as irs-pdf-f941.irs.com, report6.com, or details.com. This is a common social engineering tactic used to trick unsuspecting users into running malware by making the filename look as if it is a link to a website.
When Infostealer.Nimkey is executed, it starts by downloading and displaying the “Form 941 for 2010: Employer's QUARTERLY Federal Tax Return” PDF from the US government's Internal Revenue Service (http://www.irs.gov/pub/irs-pdf/f941.pdf). This is another social engineering tactic employed to distract the user while the malware gets to work.
While the user is distracted, the Trojan downloads additional malware files from either a Polish, Moldovan, or Bosnian based website. One of the downloaded files is saved under the name ”alg.exe”. The other is called ”AcroIEHelper.dll” and is a browser helper object. The AcroIEHelper.dll file is activated when you start Internet Explorer. It records the URLs you access with that browser and sends this information to a server in China.
The alg.exe component searches for files called “Cert_*.p12”. (These are the PKCS#12 certificates we mentioned earlier.) Because the private keys are encrypted with a passphrase, Infostealer.Nimkey comes with a built-in keylogger that captures not only keystrokes but Windows clipboard data as well. It then posts the stolen certificates, keystrokes, and Windows clipboard data to the server via HTTP. For more details, see our writeup for Infostealer.Nimkey.
This threat has everything required to steal private key information. Anyone who possesses this information can then digitally sign their own files with the signature of a trusted software vendor. Perhaps it's your company that's going to digitally sign the next big Trojan!
As more threats steal digital certificate private keys, we are likely going to see more and more signed malware, which is unfortunately going to make digital signatures less reliable. Anyone concerned that their private key may have been compromised should contact their provider for assistance.