Are hackers using Aurora-style attacks to steal software credentials?

The Stuxnet family of malware sported signed software credentials -- which could have been obtained in a sophisticated Aurora-type attack

Recent Stuxnet malware found by Belarusian antivirus company VirusBlokAda was noteworthy for the Windows shortcut (.lnk) parsing vulnerability it exploited, which affects all versions of Windows and is due to be patched today.

But the bigger problem for users and the industry may be a remarkable characteristic of two variants of the Stuxnet family: the first was code-signed with the valid code-signing certificate and private key of a legitimate company, Realtek Semiconductor. Then a second variant was found, also signed with a legitimate company's certificate -- this time JMicron Technology's.


Pierre-Marc Bureau of ESET noted that both Realtek and JMicron have offices in Hsinchu Science Park, Taiwan. I suspect that both companies' private keys were compromised either by an inside job (such as an employee selling them) -- or by sophisticated hacking.

If it was a hack attack, we may be in big trouble. A valid signature lets malicious code pass the code-signing checks that would otherwise block or flag it, such as the driver signature enforcement on 64-bit Windows, so a company's private key is exactly the sort of asset I would expect to be stolen in the ultra-sophisticated Aurora-style attacks, which hit Google and others beginning in late last year.

Back then it was reported that over 100 companies were hit by the Aurora attack, but few owned up to it publicly. Google, Adobe, and Symantec were mentioned, but very few ultimately chose to reveal they had been compromised, so we have no way of knowing which companies were breached or what critical assets might have been stolen.

To remediate a case of hacked code-signing, ISVs first need to remove any remaining compromises from their own systems, then have the certificate authority revoke the certificates for the compromised keys. The problem is they may have sold a lot of software signed with those keys, and revoking the certificates invalidates every signature made with them. Authenticode revocation can be dated, so signatures timestamped before the revocation date can continue to verify, but that only helps if the vendor can pin down when the key was stolen -- otherwise it faces a huge support problem.
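The remediation above leaves a vendor or administrator with a practical question: which binaries on hand carry a signature chain under the stolen name? The following Python script is added here as an example and is not from the article or from any vendor's tooling. Using only the standard library, it walks a PE file's Authenticode security directory, lists the commonName values found in each embedded PKCS#7 blob, and flags names matching the two companies named above. The signer spellings and the header-only sample PE it builds are constructed for the example. It does not cryptographically verify anything (that is the job of WinVerifyTrust or signtool verify), and a real inventory should key on certificate thumbprint or serial number rather than a display name, since an attacker could legitimately obtain a certificate for a lookalike company.

```python
"""Triage helper: list Authenticode signer names embedded in PE files.

Added example (not the article's or any vendor's code). Walks the PE security
directory, pulls each WIN_CERTIFICATE PKCS#7 blob and extracts the X.500
commonName strings it carries (signer and issuer certificates alike). It does
not verify the signature.
"""
import struct

CN_OID = b"\x06\x03\x55\x04\x03"   # DER: OBJECT IDENTIFIER 2.5.4.3 (commonName)
# DER string tags that X.500 names use (T61String decoded as latin-1 is an approximation)
STRING_TAGS = {0x13: "ascii", 0x0C: "utf-8", 0x16: "ascii", 0x14: "latin-1", 0x1E: "utf-16-be"}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Company names the article reports as abused by Stuxnet. Spellings are assumed;
# real triage should key on certificate thumbprints or serial numbers instead.
COMPROMISED_SIGNERS = ("Realtek Semiconductor", "JMicron Technology")


def authenticode_blobs(pe):
    """Yield the raw PKCS#7 bytes of every WIN_CERTIFICATE in the security directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header")
    opt_off = e_lfanew + 4 + 20                              # COFF header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
    # Security directory is index 4; unlike other directories it holds a raw
    # file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs_off + 4 * 8)
    end = off + size
    while off + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8:
            break
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            yield pe[off + 8:off + length]
        off += (length + 7) & ~7                             # entries are 8-byte aligned


def common_names(der):
    """Return every commonName string found in a DER blob (short-form lengths only)."""
    names, i = [], der.find(CN_OID)
    while i != -1:
        j = i + len(CN_OID)
        if j + 2 <= len(der) and der[j] in STRING_TAGS and der[j + 1] < 0x80:
            n = der[j + 1]
            names.append(der[j + 2:j + 2 + n].decode(STRING_TAGS[der[j]], "replace"))
        i = der.find(CN_OID, i + 1)
    return names


def signer_names(pe):
    """All commonName values across every signature blob in the file."""
    return [cn for blob in authenticode_blobs(pe) for cn in common_names(blob)]


def is_suspect(pe):
    """True if any name in the signature chain matches a compromised signer."""
    return any(bad in cn for cn in signer_names(pe) for bad in COMPROMISED_SIGNERS)


def build_sample_pe(signer_cn=None):
    """Constructed sample: a header-only PE32 image, optionally carrying a stand-in
    PKCS#7 blob (just one X.500 commonName attribute) in its security directory."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    headers_len = 64 + 4 + 20 + 224                          # 312, already 8-aligned
    cert = b""
    if signer_cn is not None:
        cn = signer_cn.encode("ascii")
        attr = CN_OID + bytes([0x13, len(cn)]) + cn          # OID + PrintableString
        inner = b"\x30" + bytes([len(attr)]) + attr          # SEQUENCE (AttributeTypeAndValue)
        blob = b"\x30" + bytes([len(inner)]) + inner         # outer SEQUENCE wrapper
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", opt, 96 + 4 * 8, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for cn in ("Realtek Semiconductor Corp", "Contoso Ltd", None):
        pe = build_sample_pe(cn)
        print(cn, signer_names(pe), "SUSPECT" if is_suspect(pe) else "ok")
```

Point `signer_names` at real files with `open(path, "rb").read()`; on a genuine binary it returns the signer's name along with the issuing CA names from the chain and any timestamp countersigner, which is why the match is a substring test and why a thumbprint list is the better key for anything beyond a first pass.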

That leads us to an obvious question: if dozens, hundreds, or even more signing credentials have been stolen in Aurora-style attacks, how much Stuxnet-style malware might be using those credentials to infect machines?

This article, "Are hackers using Aurora-style attacks to steal software credentials?" was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.


Copyright © 2010 IDG Communications, Inc.