The new rootkit known as Stuxnet has made some interesting news in the past two weeks. The rootkit itself is not that sophisticated: it uses malformed Windows shortcut files (.LNK) on a USB drive to get its components loaded as soon as Explorer renders the drive's icons, with no user interaction beyond opening the folder. The interesting part is that the two driver files that are part of this rootkit are signed with a code signing certificate issued to Realtek.
This is an old trick among malware authors. A binary signed with a valid code signing certificate looks legitimate: antivirus heuristics give signed files less scrutiny, users see a trusted publisher name instead of an "unknown publisher" warning, and on 64-bit Windows a kernel driver will not load at all unless it carries a valid signature. A stolen certificate therefore buys the rootkit both stealth and the ability to get its drivers into the kernel.
Software and hardware companies purchase code signing certificates and hand them to their developers or build teams so that legitimate applications and drivers can be signed. All too often, though, the certificate and its private key end up on a developer's workstation, imported into the Windows certificate store as an exportable key or left lying around as a .pfx file, with no additional controls to protect them from theft.
Extracting a private key stored that way from a PC is relatively easy. A disgruntled employee can export the company's code signing key and use it to sign malware in an attempt to damage the company's reputation, and anything else that can run code on that workstation, including malware written to harvest certificates, can do the same.
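The following PowerShell audit is an added example, not code from the original post. It enumerates code signing certificates with a private key in the current user's and the machine's personal certificate stores and reports whether each key is exportable and whether it is held by a hardware provider; the provider-name match used to decide "hardware-backed" is an assumption of this example, and reading private-key details from the LocalMachine store assumes an elevated session.

```powershell
# Added example (not from the original post): audit code signing keys on a developer PC.
# A code signing certificate whose private key is exportable and software-protected is
# exactly the condition that makes the theft described above easy.

function Get-CodeSigningKeyExposure {
    param(
        # Stores to audit; LocalMachine private-key details need an elevated session
        [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($store in $Stores) {
        # -CodeSigningCert filters on the Code Signing EKU (1.3.6.1.5.5.7.3.3)
        $certs = Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            $exportable = $null; $hardware = $null; $provider = $null
            if ($cert.HasPrivateKey) {
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        # CNG key: ExportPolicy says whether the raw key may leave the provider
                        $exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                        $provider   = $rsa.Key.Provider.Provider
                        # Heuristic (assumption): smart card / TPM providers count as hardware-backed
                        $hardware   = [bool]($provider -match 'Smart Card|Platform Crypto')
                    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        # Legacy CAPI key: the same facts live in CspKeyContainerInfo
                        $info       = $rsa.CspKeyContainerInfo
                        $exportable = $info.Exportable
                        $hardware   = $info.HardwareDevice
                        $provider   = $info.ProviderName
                    }
                } catch {
                    # Non-RSA key, or key not readable from this session: leave fields unknown
                }
            }
            [pscustomobject]@{
                Store          = $store
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                HasPrivateKey  = $cert.HasPrivateKey
                Exportable     = $exportable
                HardwareBacked = $hardware
                Provider       = $provider
                # Software-protected, exportable signing key: trivially stolen by anyone on this box
                AtRisk         = ($cert.HasPrivateKey -and $exportable -eq $true -and -not $hardware)
            }
        }
    }
}

Get-CodeSigningKeyExposure | Format-Table Subject, Store, Exportable, HardwareBacked, AtRisk -AutoSize
```

Treat a "non-exportable" software key as a speed bump rather than a control: the flag is enforced by the key storage provider in the same process as the attacker's code, and an attacker with local administrator rights can patch around it. Only a key that never leaves a token, smart card or HSM resists that.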
Code signing keys need to be kept in a safe place with tightly limited access: on a hardware token or HSM where the key is non-exportable, used from a dedicated signing server rather than from individual developers' machines. Companies also need to take responsibility for revoking a certificate as soon as a breach is suspected, not once it is confirmed. Two caveats to keep in mind: revocation only helps where the verifier actually checks revocation status, and a time-stamped Authenticode signature made before the certificate's revocation date is still treated as valid, so the revocation should be dated back to the earliest point at which the key may have been compromised.
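To turn the Realtek scenario into a check you can run on a Windows host, here is an added PowerShell example (not from the original post) that inventories the signer of every registered kernel driver, flags signers outside an expected-publisher list, and checks each signing certificate for revocation with a fresh CRL/OCSP lookup. The publisher allowlist is a constructed placeholder, and the helper's optional verification time exists so you can reproduce the time-stamp caveat above by evaluating a certificate as of the signature's timestamp instead of today.

```powershell
# Added example (not from the original post): hunt for kernel drivers whose signer is
# unexpected, unsigned, or backed by a revoked certificate.

function Test-CertificateRevoked {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Authenticode judges a time-stamped signature as of its timestamp, not as of today.
        # Pass that earlier time to see why a revocation dated after the timestamp does
        # not invalidate a driver that was already signed.
        [datetime]$VerificationTime = (Get-Date)
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'Online'       # fetch CRL/OCSP, do not trust the cache
    $chain.ChainPolicy.RevocationFlag    = 'EntireChain'  # an intermediate CA can be revoked too
    $chain.ChainPolicy.VerificationTime  = $VerificationTime
    $null = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Revoked           = [bool]($flags -contains 'Revoked')
        # "Unknown" is not "fine": blocking CRL/OCSP traffic is enough to produce it
        RevocationUnknown = [bool](($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation'))
        ChainStatus       = ($flags -join ',')
    }
}

function Get-DriverSignerReport {
    param(
        # Constructed allowlist of publisher CNs expected on this fleet; adjust to taste
        [string[]]$TrustedPublishers = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')
    )
    $paths = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        Select-Object -ExpandProperty PathName -Unique
    foreach ($path in $paths) {
        # SCM paths come as \??\C:\..., \SystemRoot\system32\..., or a bare system32\drivers\...
        $file = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
        if (-not [System.IO.Path]::IsPathRooted($file)) { $file = Join-Path $env:SystemRoot $file }
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $file
        $signer = $sig.SignerCertificate
        $publisher = if ($signer) { $signer.GetNameInfo('SimpleName', $false) } else { '<unsigned>' }
        $revoked = $false; $unknown = $false
        if ($signer) {
            $rev     = Test-CertificateRevoked -Certificate $signer
            $revoked = $rev.Revoked
            $unknown = $rev.RevocationUnknown
        }
        [pscustomobject]@{
            Driver            = Split-Path -Leaf $file
            Status            = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Publisher         = $publisher
            Trusted           = ($TrustedPublishers -contains $publisher)
            Revoked           = $revoked
            RevocationUnknown = $unknown
            IsOSBinary        = $sig.IsOSBinary
        }
    }
}

# Only the drivers worth a second look: unsigned, broken, revoked, or from an unexpected signer
Get-DriverSignerReport |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.Trusted -or $_.Revoked -or $_.RevocationUnknown } |
    Format-Table -AutoSize
```

On a host carrying a driver like the one described in the post, the signer would show up as a legitimate vendor name that is simply not on your list, which is why the allowlist matters more than the signature status. To reproduce the revocation caveat, take a driver's signing timestamp (for example from its counter-signature) and run `Test-CertificateRevoked -Certificate $sig.SignerCertificate -VerificationTime $timestamp`: a revocation dated after that moment will not register, which is what a verifier honouring the timestamp sees as well.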