Realtek Digital Certificates Accompany Malware

Sunday, November 14, 2010


Lethic botnet malware is now being found carrying digital certificates signed in the name of a Taiwanese company, Realtek Semiconductor Corp.

The certificates are similar to those that accompanied the Stuxnet virus that has been targeting SCADA systems for several months, most notably power facilities in Iran and India.

There is no evidence that Realtek is authorizing the use of the certificates, and researchers speculate that criminal cyber gangs responsible for the Lethic malware are simply using unverified forgeries.

By contrast, Stuxnet was accompanied by verified signed digital certificates.

Mike Geide of Zscaler, the security company that first noted the use of the Realtek certificates, is hopeful that the Lethic forgeries will lead to the identification of the parties responsible for the spam-distributing botnet.

"While this is not a digital signature - it is still identifying info that may be able to tie certain malware samples to the same author / group / or binary builder," Geide wrote.

The presence of both verified and unverified digital signatures on malware is alarming, as it undermines confidence in the code-signing systems designed to prevent the spread of malicious code.
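The distinction the article draws, a signature that verifies versus one that merely names a signer, is exactly what Authenticode status reporting exposes, and the signer fields are the "identifying info" Geide refers to. The following triage script is an added example, not code from the article or from Zscaler; `C:\quarantine` is an assumed sample folder.

```powershell
# Added example: triage a folder of samples by Authenticode status and signer identity.
# Signer details on a signature that fails verification are still a usable clustering key.
# $SampleDir is an assumed path; point it at the quarantine folder under review.
$SampleDir = 'C:\quarantine'

$results = Get-ChildItem -Path $SampleDir -File -Recurse |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Detail     = $sig.StatusMessage
            Signer     = if ($cert) { $cert.Subject }      else { '<unsigned>' }
            Thumbprint = if ($cert) { $cert.Thumbprint }   else { '' }
            Serial     = if ($cert) { $cert.SerialNumber } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter }     else { $null }
        }
    }

# The "unverified" case from the article: the binary names a signer (e.g. a hardware vendor)
# but the hash or certificate chain does not back that claim.
$results | Where-Object { $_.Status -ne 'Valid' -and $_.Thumbprint } |
    Format-Table File, Status, Signer, Thumbprint -AutoSize

# Group by signer thumbprint to see which samples share one certificate, valid or not.
$results | Where-Object { $_.Thumbprint } |
    Group-Object Thumbprint |
    Select-Object @{n='Thumbprint'; e={ $_.Name }}, Count,
                  @{n='Signer';     e={ $_.Group[0].Signer }},
                  @{n='Statuses';   e={ ($_.Group.Status | Sort-Object -Unique) -join ',' }} |
    Sort-Object Count -Descending
```

A `Valid` status with a signer the vendor did not authorize points to a compromised or stolen key, whereas `HashMismatch` or `NotTrusted` with a vendor name in the subject is the forgery pattern the article describes for Lethic.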

Source: http://www.theregister.co.uk/2010/11/12/lethic_bot_digital_cert_ploy/
