Iran nuclear talks spyware used Foxconn certs: Kaspersky Lab
Global code-reputation system undermined as cyber-sec firm uncovers stolen-certificate ploy
The Duqu 2.0 worm, reportedly used to eavesdrop on the Iran nuclear talks, evaded detection by using genuine digital certificates issued to Chinese manufacturer Foxconn, according to Russian cyber-security specialist Kaspersky Lab.
Kaspersky Lab discovered Duqu 2.0 when it invaded its own infrastructure, and announced the infiltration earlier this week. The Register reported that the first Duqu has elements (and probably authors) in common with the Stuxnet worm, which was exposed in 2010 when it was blamed for disabling Iran's nuclear centrifuges. Both worms have been widely alleged by security specialists to be the product of a joint US-Israeli project.
Many security commentators believe Israel acted alone in the creation of Duqu 2.0, which is particularly stealthy because it hides in core memory and writes nothing to disk. It then uses up to three separate zero-day vulnerabilities to compromise a network, before relaying targeted data to remote command-and-control servers. Instances of Duqu 2.0 were found in the infrastructure of three European hotels that hosted negotiations between Iran and six world powers over the country's nuclear programme.
But while most in the cyber-security industry point to Israel, other researchers consider the case still open, as it is common for malware architects to use misdirection to disguise their hand. Mikko Hypponen, chief research officer at F-Secure, gave an example: "Duqu 2.0 included several false flags: one of the drivers contains string 'ugly.gorilla' which is a reference to Comment Crew. From China."
Another sign of the sophistication of Duqu 2.0 is its use of stolen certificates. Windows trusts code signed with Foxconn's certificates because those certificates chain up to VeriSign, a certificate authority that Windows already trusts. Kaspersky pointed out that the trust system behind code-signing has now been undermined, as the mere presence of a "trusted" certificate is no proof that the code to be run is clean.
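The practical lesson of the paragraph above is that a valid signature chain tells a defender who the certificate authority vouched for, not whether the publisher's key is still in the right hands. The following PowerShell script is an added illustration, not code from the article, Kaspersky Lab or Foxconn: it surveys kernel drivers with the built-in Get-AuthenticodeSignature cmdlet and separates three cases, unsigned or broken signatures, signatures that chain correctly and belong to an expected publisher, and signatures that chain correctly but belong to a publisher the host is not expected to run. The allowlist thumbprints are placeholders to be replaced with the publishers actually expected on the host.

```powershell
# Added example: a valid Authenticode chain is necessary but not sufficient.
# Flag binaries whose signature Windows accepts but whose signer is not one of
# the publishers this host is expected to run.

# Placeholder thumbprints (constructed); replace with your expected publishers.
$ExpectedSignerThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

function Test-SignerPolicy {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Verdict    = 'Unsigned'
    }

    if ($sig.Status -eq 'Valid') {
        if ($ExpectedSignerThumbprints -contains $sig.SignerCertificate.Thumbprint) {
            $result.Verdict = 'Allowed'
        } else {
            # The chain is trusted by Windows, but the publisher is not one we
            # expect here: the case of a genuine certificate in the wrong hands.
            $result.Verdict = 'ValidButUnexpectedSigner'
        }
    } elseif ($sig.Status -ne 'NotSigned') {
        # HashMismatch, NotTrusted and similar statuses land here.
        $result.Verdict = 'InvalidSignature'
    }

    return $result
}

# Survey installed drivers and list only the trusted-but-unexpected ones for review.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
    ForEach-Object { Test-SignerPolicy -Path $_.FullName } |
    Where-Object { $_.Verdict -eq 'ValidButUnexpectedSigner' } |
    Format-Table Path, Signer, Issuer, Thumbprint -AutoSize
```

The point of the third verdict is that it is invisible to a check that stops at `Status -eq 'Valid'`: a driver signed with a stolen but unrevoked manufacturer certificate passes that check exactly as the legitimate driver does, and only a policy that names the publishers a host should be running can tell the two apart.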
Kaspersky Lab said it told Foxconn and VeriSign of its findings before making its announcement.