Weaponized Malware: How Criminals are Using Digital Certificates

Jeff Hudson
The recent cyber attack on an Iranian nuclear facility using the Stuxnet virus should worry all of us - not just those in close proximity who were in danger of being blown into the next world by the actions of a computer virus.

The headlines around the story of the Stuxnet attack on an Iranian nuclear facility were familiar: "New Malware Attack." Digital security threats, and sometimes the hype surrounding them, have become commonplace in our interconnected and IT-dependent world. However, this was no ordinary attack. Apparently the malware was introduced into the Iranian nuclear facility's local area network, entering at the point between the Internet and the internal network. The other possibility is a trusted insider who was an agent of the organization that carried out the attack.

As researchers later discovered, the attack used four different zero-day exploits on Windows platforms. In addition to the zero-day attacks, the "payload" included a stolen digital certificate that was issued by Verisign. The virus was self-propagating and spread to numerous machines. Its mission was to auto-propagate in the wild (there was no back channel to a command and control host, as this was an isolated network), then to locate and operate a valve or control module that was a critical part of the nuclear facility's infrastructure, with the intent of disabling or damaging the facility. In other words: to act as a weapon. This is a significant step forward in the development of malware.

The traditional, malicious approach to damaging the facility would have been to use a conventional weapon (i.e., a bomb). The astonishing difference is that this malware was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own. In other words, this was malware designed specifically to accomplish the work of a weapon. It has therefore earned the dubious classification of "weaponized malware."

This particular malware is estimated to have taken 10 man-years of effort to develop. It is sophisticated. The tools used in development, the timestamps on the binaries and the number of modules with different coding styles suggest multiple development teams. The origin of the malware has not been verified but the most popular theory is that it was developed by a nation state or states that were attempting to disrupt the Iranian nuclear program.

Iran has the largest percentage of known instances of the Stuxnet virus. However, it has also been found on systems in many other countries. Experts predict that numerous, undetected instances are still active.

It is a well-established fact that many weapons developed by national military programs become available to non-nation-state entities, such as terrorists, rogue nation states and criminal organizations. It is just a matter of time. Examples include night-vision goggles, GPS systems, airborne drones, fully automatic rifles, Kevlar body armor and shoulder-launched missiles, to name just a few.

The questions are: When will weaponized malware and its derivatives be used to destroy, disable or steal valuable assets and information from other nations, utilities, banks or telecommunication companies? What can we do about it?

The Stuxnet weaponized malware used multiple zero-day vulnerabilities to infect systems, and employed a signed digital certificate to authenticate itself in the environment. The certificate allowed the malware to act as a trusted application and communicate with other devices. This is the first reported incident of the use of a digital certificate in this type of attack, and is a very ominous and worrying development. The level of threat has moved from downtime and a damaged reputation because your certificate has expired, to physical damage to you and your employees if the virus successfully makes a manufacturing or utility process go critical.

The use of four zero-day vulnerabilities and a stolen digital certificate signals the beginning of a new era of cyber warfare and cybercrime. The implications are enormous. This is not the first occurrence of this species. The Aurora virus was a first-generation variant and Stuxnet represents a significant evolutionary leap in complexity and sophistication. Additionally, the potential costs to the targeted organization in the event of a successful attack are higher than ever.

Zero-day vulnerabilities are, by definition, impossible to defend against. The use of unauthorized digital certificates by weaponized malware in a networked environment is another matter. There are steps organizations can take to significantly reduce the risk of a successful attack.

The first consideration is knowledge of the digital certificates that are active on a network. Most organizations do not know how many they have, where they are installed, who installed them, whether they are valid, or when they expire. There is a parallel in the world of physical security: this is exactly the same as not knowing which people in a secure building are authorized to be on the premises and which are not. Imagine a bank where no one knew which people in the building were authorized to be there. This is not an exaggeration, and it is an unacceptable situation to anyone who takes security seriously. It is an unquantified risk. The only acceptable practice is to continually and actively discover the certificates on the network.

Additionally, those certificates must be validated to confirm that they are functioning as intended, and monitored throughout their lifecycle so that they can be expired and replaced as dictated by the security policies of the organization. Most organizations are deficient in this regard. This is an unmanaged risk, and one that can easily be brought under management. A failure to manage this kind of risk exposes organizations to increased vulnerability to attacks like Stuxnet. This is not scaremongering; it is a real threat that will affect an organization sometime soon.
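The discovery-plus-lifecycle check described in the two paragraphs above, as an added example that is not part of the original post and not any vendor's product: a Go program using only the standard library that builds a small certificate inventory in memory (constructed, with hypothetical subject names) and applies two of the checks the text calls for, that every certificate chains to a CA the organization has approved and that none is inside a 30-day renewal window. The `issue` helper, the CA and subject names, and the 30-day window are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue builds a constructed test certificate: a self-signed CA when parent is nil, otherwise a code-signing leaf issued by parent.
func issue(cn string, validFor time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor),
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Audit applies the policy to an inventory: every certificate must chain to an approved CA and must not expire inside the renewal window. Returns subject -> reason for each violation.
func Audit(inventory []*x509.Certificate, approved *x509.CertPool, renewWithin time.Duration) map[string]string {
	findings := map[string]string{}
	for _, c := range inventory {
		// ExtKeyUsageAny: the question is issuer trust, not whether this is a TLS server certificate.
		opts := x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := c.Verify(opts); err != nil {
			findings[c.Subject.CommonName] = "unapproved or invalid: " + err.Error()
		} else if time.Until(c.NotAfter) < renewWithin {
			findings[c.Subject.CommonName] = "expires " + c.NotAfter.Format("2006-01-02") + ", renew now"
		}
	}
	return findings
}
// SampleAudit audits a constructed inventory: the approved CA, two leaves it issued (one expiring soon), one self-signed stranger.
func SampleAudit() map[string]string {
	ca, caKey := issue("Corp Code Signing CA", 10*365*24*time.Hour, nil, nil)
	good, _ := issue("build-server", 365*24*time.Hour, ca, caKey)
	soon, _ := issue("legacy-signer", 10*24*time.Hour, ca, caKey)
	unknown, _ := issue("driver-signer", 365*24*time.Hour, nil, nil)
	approved := x509.NewCertPool()
	approved.AddCert(ca)
	return Audit([]*x509.Certificate{ca, good, soon, unknown}, approved, 30*24*time.Hour)
}
```

In a real deployment the inventory fed to `Audit` would come from continuous discovery (TLS endpoints, key stores, signed binaries) rather than from the `issue` helper, and the findings would feed the replacement workflow the text describes.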

Why are organizations exposing themselves to this unquantified and unmanaged risk? The reason is simple enough to understand. Before Stuxnet, lackadaisical knowledge and management of digital certificates was viewed as acceptable. Additionally, many board-level executives are not familiar with digital certificates: how they work, their role in security, and the management practices and policies around them. This has to change. There is not one board-level executive who misunderstands or underestimates the importance of ensuring that only authorized individuals can enter a secure building. Those same executives naively allow unauthorized or unknown certificates to enter and operate on their networks.

In summary, there is unquantified and unmanaged risk that allows Stuxnet to propagate and operate on a network. This represents bad management practice of a critical part of a layered security model. Digital certificates are widely used to authenticate and identify entities in a network. Poor management practices render digital certificates ineffective for their intended purpose. In fact, poor management in some cases creates an exploitation opportunity.

The Stuxnet weaponized malware is a very loud wake-up call, as it exploited the poor management practices for digital certificates that exist in many firms today. Implementing practices and policies for the management of digital certificates is an important and necessary component of a broad security strategy. It is the one strategy that can detect the appearance of malware that utilizes digital certificates for authentication. Weaponized malware has already been, or will be, aimed at every company in the Global 2000. The responsibility is to act before the weapon strikes.


Jan 11, 2011 10:01 PM Bennett Greenspan says:
The first line of your article makes me wonder if you understand just how tightly targeted the virus actually was. It was like a laser beam, rather than a carpet bomb. Let's try to be a bit more objective, OK? I have read dozens of articles on this virus and none have even remotely suggested that the actions of the virus were as dangerous as the assassination of the Iranian nuclear engineers who are actively working to nuclearize Iran, or of attempting to curtail Iran's dubious pathway by actual physical means. Your comments on digital certificate management are spot on.
Feb 9, 2011 2:02 AM Brian Tokuyoshi says:
The first three paragraphs point out that Stuxnet used a compromised private key to sign code that's automatically trusted by the operating system. So the core issue is how to prevent code signing keys from being stolen, or how to stop code signed by such a key. In order to prevent a Stuxnet-like attack, it seems that it would be necessary to talk about preventing a key from being stolen (using a hardened security module to prevent extraction), stopping malware from running in a secure environment (with locked-down endpoints, USB port blocking, and AV software), and blocking code signed by a compromised certificate (through CRLs, OCSP, a Windows Update, or application whitelisting). Strong certificate management is certainly a good idea, there's no question about that. However, the issue raised by Stuxnet isn't about certificates managed internally within your own domain. It's more about what to do about all the computers around the world that automatically trust the code signed by that certificate.
