Posted on Leave a comment

The Flame malware WuSetupV.exe certificate chain

First of all, be sure to read Our tech report on the Flame/Flamer/TheFlame/sKyWIper Malware.

As You already know, some Microsoft certificates were abused for flame malware MiTM installation method.
But take a look on the technical details of the certificate chain.

The actual code is signed by a series of certificates:

One interesting thing is that the program file was timestamped, too:

Ok, let’s see the certificates from top to down:


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Validity
Not Before: Jan 10 07:00:00 1997 GMT
Not After : Dec 31 07:00:00 2020 GMT
Subject: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:02:bd:c1:70:e6:3b:f2:4e:1b:28:9f:97:78:
5e:30:ea:a2:a9:8d:25:5f:f8:fe:95:4c:a3:b7:fe:
9d:a2:20:3e:7c:51:a2:9b:a2:8f:60:32:6b:d1:42:
64:79:ee:ac:76:c9:54:da:f2:eb:9c:86:1c:8f:9f:
84:66:b3:c5:6b:7a:62:23:d6:1d:3c:de:0f:01:92:
e8:96:c4:bf:2d:66:9a:9a:68:26:99:d0:3a:2c:bf:
0c:b5:58:26:c1:46:e7:0a:3e:38:96:2c:a9:28:39:
a8:ec:49:83:42:e3:84:0f:bb:9a:6c:55:61:ac:82:
7c:a1:60:2d:77:4c:e9:99:b4:64:3b:9a:50:1c:31:
08:24:14:9f:a9:e7:91:2b:18:e6:3d:98:63:14:60:
58:05:65:9f:1d:37:52:87:f7:a7:ef:94:02:c6:1b:
d3:bf:55:45:b3:89:80:bf:3a:ec:54:94:4e:ae:fd:
a7:7a:6d:74:4e:af:18:cc:96:09:28:21:00:57:90:
60:69:37:bb:4b:12:07:3c:56:ff:5b:fb:a4:66:0a:
08:a6:d2:81:56:57:ef:b6:3b:5e:16:81:77:04:da:
f6:be:ae:80:95:fe:b0:cd:7f:d6:a7:1a:72:5c:3c:
ca:bc:f0:08:a3:22:30:b3:06:85:c9:b3:20:77:13:
85:df
Exponent: 65537 (0x10001)
X509v3 extensions:
2.5.29.1:
0....[.p.ir.#Q~..M....r0p1+0)..U..."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Authority......<<...>.c..@
Signature Algorithm: md5WithRSAEncryption
95:e8:0b:c0:8d:f3:97:18:35:ed:b8:01:24:d8:77:11:f3:5c:
60:32:9f:9e:0b:cb:3e:05:91:88:8f:c9:3a:e6:21:f2:f0:57:
93:2c:b5:a0:47:c8:62:ef:fc:d7:cc:3b:3b:5a:a9:36:54:69:
fe:24:6d:3f:c9:cc:aa:de:05:7c:dd:31:8d:3d:9f:10:70:6a:
bb:fe:12:4f:18:69:c0:fc:d0:43:e3:11:5a:20:4f:ea:62:7b:
af:aa:19:c8:2b:37:25:2d:be:65:a1:12:8a:25:0f:63:a3:f7:
54:1c:f9:21:c9:d6:15:f3:52:ac:6e:43:32:07:fd:82:17:f8:
e5:67:6c:0d:51:f6:bd:f1:52:c7:bd:e7:c4:30:fc:20:31:09:
88:1d:95:29:1a:4d:d5:1d:02:a5:f1:80:e0:03:b4:5b:f4:b1:
dd:c8:57:ee:65:49:c7:52:54:b6:b4:03:28:12:ff:90:d6:f0:
08:8f:7e:b8:97:c5:ab:37:2c:e4:7a:e4:a8:77:e3:76:a0:00:
d0:6a:3f:c1:d2:36:8a:e0:41:12:a8:35:6a:1b:6a:db:35:e1:
d4:1c:04:e4:a8:45:04:c8:5a:33:38:6e:4d:1c:0d:62:b7:0a:
a2:8c:d3:d5:54:3f:46:cd:1c:55:a6:70:db:12:3a:87:93:75:
9f:a7:d2:a0

Next level (2):

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3a:ab:11:de:e5:2f:1b:19:d0:56
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Validity
Not Before: Dec 10 01:55:35 2009 GMT
Not After : Oct 23 08:00:00 2016 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 1999 Microsoft Corp., CN=Microsoft Enforced Licensing Intermediate PCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:fa:c9:3f:35:cb:b4:42:4c:19:a8:98:e2:f4:e6:
ca:c5:b2:ff:e9:29:25:63:9a:b7:eb:b9:28:2b:a7:
58:1f:05:df:d8:f8:cf:4a:f1:92:47:15:c0:b5:e0:
42:32:37:82:99:d6:4b:3a:5a:d6:7a:25:2a:9b:13:
8f:75:75:cb:9e:52:c6:65:ab:6a:0a:b5:7f:7f:20:
69:a4:59:04:2c:b7:b5:eb:7f:2c:0d:82:a8:3b:10:
d1:7f:a3:4e:39:e0:28:2c:39:f3:78:d4:84:77:36:
ba:68:0f:e8:5d:e5:52:e1:6c:e2:78:d6:d7:c6:b9:
dc:7b:08:44:ad:7d:72:ee:4a:f4:d6:5a:a8:59:63:
f4:a0:ee:f3:28:55:7d:2b:78:68:2e:79:b6:1d:e6:
af:69:8a:09:ba:39:88:b4:92:65:0d:12:17:09:ea:
2a:a4:b8:4a:8e:40:f3:74:de:a4:74:e5:08:5a:25:
cc:80:7a:76:2e:ee:ff:21:4e:b0:65:6c:64:50:5c:
ad:8f:c6:59:9b:07:3e:05:f8:e5:92:cb:d9:56:1d:
30:0f:72:f0:ac:a8:5d:43:41:ff:c9:fd:5e:fa:81:
cc:3b:dc:f0:fd:56:4c:21:7c:7f:5e:ed:73:30:3a:
3f:f2:e8:93:8b:d5:f3:cd:0e:27:14:49:67:94:ce:
b9:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.311.10.6.1, 1.3.6.1.4.1.311.10.6.2
2.5.29.1:
0....[.p.ir.#Q~..M....r0p1+0)..U..."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Authority......<<...>.c..@
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6A:97:E0:C8:9F:F4:49:B4:89:24:B3:E3:D1:A8:22:86:AA:D4:94:43
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: md5WithRSAEncryption
5d:2b:68:a5:e2:da:c7:2b:5c:77:ec:ea:0e:1f:e3:8e:41:57:
60:b4:8f:3f:a2:88:d2:0f:77:1a:92:9f:37:59:bb:15:97:dc:
a8:73:56:60:87:e3:3d:bc:b4:e1:10:64:2d:c8:b8:d6:81:00:
06:89:1f:96:41:ac:05:1a:ca:78:00:d9:db:5f:b6:f9:71:87:
8e:04:7b:fa:78:f2:1e:2f:df:8b:b3:04:fe:7a:cc:ef:af:5e:
98:da:1d:ad:94:95:74:b0:d9:87:97:58:1c:4f:a4:82:c7:f9:
b3:ae:09:06:12:7e:cb:fd:22:6a:94:99:4a:c3:b9:32:44:87:
bc:bf:f7:7c:60:6c:88:cc:c0:fd:b6:5c:14:19:71:31:5f:99:
d2:db:a7:0c:9d:c2:75:9d:ba:ed:b1:88:6c:52:1b:42:5a:2d:
b0:e3:13:04:78:ff:51:d7:58:e7:18:c0:01:8c:f8:43:12:a8:
9d:8c:b5:81:f3:70:a0:ad:19:c6:e4:e4:44:e5:55:05:50:d3:
88:40:65:aa:d0:02:0e:00:4d:84:bb:6a:39:0c:6d:88:f1:1e:
d6:95:72:34:70:9b:c5:a6:6f:66:bc:94:14:df:34:ff:e4:63:
3a:93:31:13:de:a0:2c:7a:73:68:7c:0e:44:98:a0:a8:37:3e:
2e:3a:5b:22

Level 3:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:1a:02:b7:00:02:00:00:00:12
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 1999 Microsoft Corp., CN=Microsoft Enforced Licensing Intermediate PCA
Validity
Not Before: Dec 11 00:03:58 2009 GMT
Not After : Oct 23 08:00:00 2016 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 2003 Microsoft Corp., CN=Microsoft Enforced Licensing Registration Authority CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:8e:98:07:ed:46:50:30:aa:8a:95:5e:36:7f:bc:
71:30:a1:1d:49:cf:e7:96:ff:2f:9a:09:16:12:f0:
98:31:55:45:52:40:63:7d:57:67:46:a2:2b:08:98:
6d:9b:c6:69:25:40:87:49:e7:01:37:84:00:1d:69:
9d:85:2f:e1:a0:2c:27:83:4c:75:60:8b:2c:eb:f9:
90:8e:5e:4a:8f:fd:d3:5b:8c:89:c8:0f:f8:cf:2e:
9f:3c:8a:3d:41:cc:b6:84:0c:9c:73:97:46:dd:52:
26:12:a5:44:8d:df:0a:50:1f:4a:79:dc:e3:19:3c:
ef:ed:82:c9:89:14:91:fd:99:69:a4:f2:8a:a6:c8:
8e:bd:38:3b:80:30:8a:59:c8:a0:ab:de:71:44:1b:
24:f9:b9:a1:8f:19:9d:fd:19:b4:69:16:17:a2:23:
31:a7:11:12:65:cd:c0:9d:78:5d:42:e5:95:8e:13:
2f:ac:f8:00:87:6e:96:ef:73:d4:0f:7e:3c:9f:81:
47:d0:1f:8f:79:1d:3c:3f:cb:ae:34:22:d6:cd:fc:
21:80:35:11:0d:a9:90:cc:55:b4:65:fc:2d:37:7d:
80:7a:97:ee:5b:4a:c5:3e:8b:03:aa:ae:4d:22:37:
66:70:84:1c:69:c5:d7:97:9a:8f:1e:3a:b2:24:84:
8f:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
B4:A1:D8:DE:FB:0E:C4:CB:9D:9F:06:CF:36:0D:91:1A:F8:9F:5B:E3
X509v3 Key Usage:
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
.....
1.3.6.1.4.1.311.21.2:
....x8g.).k/.T..p_....
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Authority Key Identifier:
keyid:6A:97:E0:C8:9F:F4:49:B4:89:24:B3:E3:D1:A8:22:86:AA:D4:94:43

        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.microsoft.com/pki/crl/products/MicEnfLicPCA_12-10-09.crl
        X509v3 Extended Key Usage:
            Code Signing, 1.3.6.1.4.1.311.10.6.2
        1.3.6.1.4.1.311.2.1.10: critical
            0....).'https://www.microsoft.com/repository/CPS........This certificate incorporates by reference, and its use is strictly

subject to, the Microsoft Certification Practice Statement (CPS)
version 2.0, available in the Microsoft repository at:
https://www.microsoft.com; by E-mail at CPS-requests@microsoft.com; or
by mail at Microsoft Corp, dept. CPS,1 Microsoft Way,Redmond, WA 98052
USA Copyright (c)1999 Microsoft Corp. All Rights Reserved. CERTAIN
WARRANTIES DISCLAIMED AND LIABILITY LIMITED.

WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND WILL NOT
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
THE CPS FOR DETAILS.

Contents of the Microsoft registered nonverifiedSubjectAttributes
extension value shall not be considered as accurate information
validated by the IA.
.6.4https://www.microsoft.com/repository/mscpslogo.gif
Signature Algorithm: md5WithRSAEncryption
24:ab:ed:f7:72:44:44:98:71:f6:d1:b9:b5:69:e0:ef:1c:b0:
4c:04:98:0f:bf:4c:a9:74:47:b0:84:a1:48:e2:81:b3:ea:e1:
c9:53:92:53:11:c8:45:ba:88:76:68:cd:dc:be:f3:a0:65:80:
76:d7:93:03:69:8d:c7:bc:7a:ae:89:7c:df:12:10:0a:a6:29:
a6:d4:e5:9b:55:ab:ca:ec:4b:d9:c1:28:37:d0:d6:71:38:6d:
5e:75:fd:66:ab:2a:c0:b9:24:6f:9e:42:33:0f:71:b4:6e:a6:
f7:ba:23:1a:74:ed:cd:b1:ae:0a:32:a8:5c:26:16:fa:31:76:
23:e8:a7:24:80:f1:de:45:b5:42:bd:f1:58:08:8f:e2:f2:70:
86:2e:13:83:24:de:50:88:88:c0:23:32:59:74:fa:7a:5f:73:
d7:63:bd:58:9d:c0:68:b0:53:21:71:50:45:b8:27:cf:3c:e5:
64:fb:7c:13:8b:c1:01:3e:90:d9:43:f7:3e:cc:19:16:b3:b6:
16:8f:27:7a:f9:46:ed:8a:da:e7:c5:91:c2:c8:2a:08:21:5a:
b8:7a:88:4e:a6:2a:a5:f7:ed:20:01:14:48:56:df:57:7d:6f:
bf:95:75:18:29:17:19:84:a3:13:61:54:82:c3:55:58:3d:83:
a3:90:75:aa

Level 4:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:03:73:c5:00:01:00:00:00:1a
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 2003 Microsoft Corp., CN=Microsoft Enforced Licensing Registration Authority CA
Validity
Not Before: Feb 19 21:48:39 2010 GMT
Not After : Feb 19 21:48:39 2012 GMT
Subject: DC=com, DC=microsoft, DC=extranet, DC=partners, CN=Microsoft LSRA PA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d7:27:32:63:50:bc:ca:67:6c:44:c2:08:0a:fb:
aa:e8:25:ff:e5:a8:f3:32:53:0b:53:af:b7:29:cc:
2c:91:34:01:f1:52:59:55:73:df:56:2c:25:ae:41:
d1:2a:de:09:d1:90:41:bf:2c:c7:6d:e6:1b:0d:5c:
1f:c4:62:06:1f:72:6a:fc:a6:d7:19:57:c1:06:42:
35:50:78:ec:6d:a2:13:b0:90:9d:0c:9d:d8:5f:b7:
bf:f0:cc:b1:a9:b8:c1:f7:b9:a9:e3:14:c6:9a:bb:
6a:8c:c8:6f:bb:c4:e6:3b:de:c3:16:25:cf:76:d4:
7c:e5:88:80:e9:4e:27:6d:b9:c6:fb:a6:6e:b0:65:
15:e3:4d:b3:1b:e9:ac:fa:87:37:8a:e9:81:d1:4e:
49:26:b8:26:72:3d:bf:cc:cb:d3:9c:55:cf:a9:2b:
4b:22:78:44:85:0b:04:ee:09:84:bb:65:c4:31:8a:
83:3b:fa:53:98:a1:fd:a1:f4:4c:71:4c:e9:15:87:
2b:13:ef:dc:d6:52:84:ed:1c:e5:35:4a:22:2c:14:
84:6b:f2:8a:ef:9b:f6:d3:75:ce:6d:0e:81:1f:6d:
df:22:ee:b3:ec:01:36:d8:ff:68:ff:4e:ba:75:d5:
4e:18:e6:b4:00:7e:b9:a3:ee:31:2e:4e:a0:0c:e5:
21:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
75:E8:03:58:5D:FB:65:E4:D9:A6:AC:17:B6:03:7E:47:AD:2E:81:AF
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
...
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Authority Key Identifier:
keyid:B4:A1:D8:DE:FB:0E:C4:CB:9D:9F:06:CF:36:0D:91:1A:F8:9F:5B:E3

        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.microsoft.com/pki/crl/products/MicEnfLicRegAutCA_2009-12-10.crl
              URI:http://www.microsoft.com/pki/crl/products/MicEnfLicRegAutCA_2009-12-10.crl
        Authority Information Access:
            CA Issuers - URI:http://www.microsoft.com/pki/certs/MicEnfLicRegAutCA_2009-12-10.crt
Signature Algorithm: md5WithRSAEncryption
     5c:b5:59:bb:13:8c:dc:55:00:48:24:53:8d:fe:09:69:eb:8e:
     5e:f9:79:6d:92:33:7a:f2:29:7f:61:1d:c7:fe:4c:f0:1b:5a:
     ad:ff:6c:36:bc:20:0a:03:31:6a:6e:a0:ac:6b:27:c8:99:9c:
     5d:29:80:a5:c0:61:42:2f:b5:0a:f3:2e:69:b3:6f:3e:64:e1:
     33:5b:03:7b:f1:b7:c9:24:a0:40:91:29:22:07:52:1b:52:39:
     b7:49:c8:16:f9:e2:e4:54:a7:67:47:64:86:fc:c6:cf:32:b9:
     91:49:30:66:0e:9f:a6:d7:6c:e0:48:7e:11:65:42:48:fb:0e:
     09:09:3a:aa:48:e6:ee:5c:0c:51:40:58:19:8b:4c:26:92:ee:
     c8:55:93:40:20:91:d4:dc:33:dd:d2:e6:1c:12:d6:72:bb:c0:
     ad:53:2f:f8:99:43:11:4a:6c:dc:a1:f4:0c:5a:21:b5:05:ea:
     ac:e8:50:1f:29:04:c9:81:c7:8e:95:2c:7c:72:4f:78:e9:c5:
     4c:c4:8e:c8:db:ee:09:10:7b:5b:38:c9:b3:b9:18:ad:87:f6:
     1b:98:25:da:1a:56:61:76:c9:12:7c:98:1a:06:f0:a0:86:38:
     6a:25:0f:5d:b9:1f:7f:c0:85:6a:aa:69:fb:23:91:ca:41:8a:
     0c:19:44:5c

And the final step:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7038 (0x1b7e)
Signature Algorithm: md5WithRSAEncryption
Issuer: DC=com, DC=microsoft, DC=extranet, DC=partners, CN=Microsoft LSRA PA
Validity
Not Before: Feb 19 21:48:39 2010 GMT
Not After : Feb 19 21:48:39 2012 GMT
Subject: CN=MS
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:89:43:6f:c6:ca:9d:42:ad:bd:28:d5:46:49:
e0:55:f2:cc:38:e0:3d:c0:7c:ba:1d:ca:bb:92:c4:
be:4c:5f:1a:f9:d6:42:4b:34:0b:2f:8a:ac:cb:97:
31:ef:76:2f:c3:85:af:95:93:47:46:f6:ff:7c:ca:
df:c8:f9:d0:6a:ec:df:0e:91:55:23:ab:64:06:90:
d3:37:83:a8:0e:3e:5e:7f:77:35:66:74:20:87:42:
1f:25:17:8a:d5:28:05:38:05:c8:48:6d:63:76:3e:
fd:5a:11:67:07:09:6d:98:a3:08:4a:f1:11:7f:80:
a7:4e:37:d4:f0:0e:34:7a:d5:ba:83:ad:60:1e:57:
44:65:50:72:cd:af:1e:d0:1e:30:c2:eb:6a:51:e2:
aa:54:85:57:fa:9c:b1:59:e8:24:5e:d4:38:d3:56:
81:68:d5:05:8b:48:25:92:a2:11:1b:e8:51:54:d9:
d9:04:60:ee:1c:fb:6a:ec:f0:6e:38:bb:ad:da:35:
87:63:74:86:ef:1f:cd:80:92:a2:98:3a:97:9a:bd:
35:d1:7d:2e:3a:47:04:48:17:74:db:a3:67:d9:82:
78:e0:77:2c:cc:ac:39:61:a6:d8:9d:aa:fc:de:6f:
60:4c:7c:73:07:31:93:2f:67:28:4a:7e:d1:ae:4c:
42:dd
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
00:4a:ab:73:72:83:71:31:a8:04:a4:d5:27:cf:cc:5a:ca:76:
ca:67:4c:05:58:4b:b7:07:e8:94:04:86:a5:10:00:50:34:a1:
71:fe:5d:fd:9b:4b:29:7f:5c:ca:52:c7:8b:c0:7d:49:c9:8b:
23:e1:5d:f3:8a:c3:25:ab:48:07:3f:f5:f4:ef:77:dc:46:d2:
b2:97:0b:c9:7e:bb:af:29:5f:ec:de:40:2b:e8:bb:e5:12:b5:
f7:4d:71:7b:94:35:50:57:e8:fb:ee:67:f3:85:db:ed:d6:64:
78:f1:7c:71:70:75:02:17:68:66:49:bb:29:5c:e5:f2:4a:e3:
ca:dc:8c:f6:6d:62:9c:d0:5f:e6:3e:b1:e1:e5:cd:87:1d:7e:
97:e2:d8:4e:11:7b:8a:4b:56:79:9d:fb:04:ff:80:ca:01:af:
36:ac:c8:20:0e:d7:49:14:10:4f:e7:3c:64:ac:30:dd:d1:4c:
5c:35:ef:16:bf:6f:74:bb:19:fd:26:24:b1:12:c5:05:44:a9:
1f:42:6b:1f:96:0d:c9:4a:38:b5:00:8d:b3:64:fa:68:fe:d1:
aa:ce:8c:f7:20:50:d1:17:70:b3:90:85:7f:72:48:c2:d3:03:
c3:e7:bc:f4:0f:63:01:a0:71:b7:a7:ec:d6:b9:48:17:dd:a1:
43:a2:b9:96

So from http://technet.microsoft.com/en-us/security/advisory/2718704 Advisory we know
that

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

were revoked.

The exact list can be found at http://blogs.technet.com/b/srd/ as follows:

Certificate Issued by Thumbprint
Microsoft Enforced Licensing Intermediate PCA Microsoft Root Authority 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Microsoft Enforced Licensing Intermediate PCA Microsoft Root Authority 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Microsoft Enforced Licensing Registration Authority CA (SHA1) Microsoft Root Certificate Authority fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

For the certificate chain above, Level 2 certificate is the certificate referred in the latter table in row number 1. The other two certificates might have been revoked for precaution.
level 3.

Posted on 2 Comments

Duqu=Stuxnet=Stars=Tilded and it is a lego-kit

Let me answer to Takashi Toyota here. Maybe this blogpost will be corrected/edited later without notice.

The question was:

@CrySySLab @mikko Thank you for the info. “They” have dev platform called #tilded, dont they? From there many instances comming out!

In fact, this is an answer to our tweets “Duqu=Stars=Stuxnet (= #tilded) Duqu is an info stealing instance, Stuxnet is a PLC modifying, self-replicating instance.” and “Don’t think on Duqu as a traditional malware. It’s just a version of a info stealing instance of the #tilded platform.”

So the short answer is yes: Tilded-Duqu-Stuxnet-Stars is a development platform for making the right individual malware instance to the actual duty and the actual target.

For the  second part the answer is: It depends on the industry if “many instances will come out”. Our CrySyS Duqu detector is the tool that is the first step to stop the threat at all and as such it is a groundbreaking (tilded-breaking) tool. However, this is just a first step, not a final solution!

Let me explain.

  1. Why is Duqu=Stuxnet?

When we started our investigations we saw raw binary code and had only partial, local information. In the recent months we were discussing a lot and read many interesting news, and the most interesting pieces were coming from Symantec and Kaspersky (and others as well). When we published our report, we were not sure what is the real target or if the code is surely based on source code of the Stuxnet. Now we are confident that the goals of Duqu are most likely highly related to Stuxnet’s goals and that most likely the same developers are behind the code.

Moreover, we really believe that actually Duqu is not a separated project from the Stuxnet/Tilde/Duqu/Stars team, but an integrated part of a workflow. And this workflow does not produce strains or pieces of malware, but they produce modules and compile “instances” for a particular target and a particular goal.

They have kernel drivers, they have exploits, keyloggers and infostealers as (~DN1), file packers as Stars, PLC modules as for Stuxnet, RPC module, injectors, rootkit stuff, and maybe a lots of other modules. Most of them are easy to modify, or to parametrize, and easy to cooperate (compile in, download, etc.) with other modules.

As such, yes, it is a platform. It is not a development platform as it is not an API, but a bunch of modules in different versions and modifications. Most likely, it is not based on a versioning tool, such as SVN where you just checkout the latest version, it is more about the target, the goals and the ideas. Maybe some times they divert to an old version as ‘oh, in that case that idea/modification was great and it’s fit to the current target’ and such.

So we fully agree now, Duqu is not and individual malware, but part of a long story, and we also proposed not to call the individual parts (Stuxnet, Duqu, Stars – SDS), rather we should name the platform somehow. Maybe tilded is the right word, maybe not, but calling them by individual names can be misleading

  1. War of definitions and names

Duqu was called a RAT, Remote Access Torjan. However, it is not a trojan as it does not state that it will do something good. It is installed through a 0-day windows exploit, so I would not call it a trojan. It is not a virus as well. It does not self-replicate, so still, malware is the best word.

Moreover, it contains a rootkit, as it loads a driver during windows startup. But it’s goal is not a backdoor, or it is not the only goal. That’s true, but it does not infect computers all the time, it can run it’s info stealing component on some targets without infection. Then again – is Duqu a simple keylogger/infostealer? No, it’s more.

Then Duqu is not a rootkit, the rootkit part is just some tool. The info stealing component is not active all the time, moreover, it is not even included into all the Duqu infections at the first step, it is just downloaded from the C&C servers. Okay, then Duqu  is a malicious communication protocol? No, it can be, but it’s possible to use RPC to communicate with others without direct communication to the C&C server.

Why was it so important to discuss about this? To see that  Duqu at whole cannot be put in any normal categories of malware. And the reason behind this is that “Duqu at whole” simply does not exists! It is a lego-kit of modules and You can only define the goal of the individual modules, not the kit at whole.

(So we totally agree with the definition of Duqu (Tilded) to be a lego-kit recently said by Kaspersky, we already used the verb in our short 5 minutes presentation in November at the Cyber-Security conference at ZMNE, Budapest).

  1. Why additional instances won’t come out in the near future?

When we identified that Duqu is so closely related to Stuxnet, the most basic question was: Why antivirus tools failed to identify Duqu? You can extend the questin: How is it possible that no one identified Stuxnet and Duqu for such a long time. How is it possible that so many different types existed and they recognize them only recently?

We want to work on this topic, but some preliminary remarks:

-There is a reason why the code of the parts of “Tilded” are so close to each other. Efficiency. Not to rewrite everything multiple times. And more interesting: “Tilded” is a special malware as the code is tested thoroughly and contains lot of careful error handling. Do you want to completly rewrite a code? The you  have to restart testing procedures as well. Nobody likes to waste time, therefore basics remained the same for all the code produced by the team, if possible.

Simple changes were necessary and enough to avoid identification of new instances by Anti virus products, and these small changes (e.g. crypto code) were easy to test.

So why do we say that it is unlikely that the team will come out with new instances in the near future? Because if they do not change basic characteristics, these new version will be vulnerable to detections by tools such as our Duqu Detector Toolkit (will be later renamed to something more general).

We made our detector toolkit based on the basics how the Tilded/Duqu/Stuxnet tools work. Our tool does not only detect the driver by signature based techniques, but it detects the info stealer temporary files, any PNF files in the windows/inf directory which has more entropy than expected, etc.

All-in-all our Duqu detector toolkit makes it possible to detect ALL different version of the Tilded platform (Duqu, Stuxnet, who knows what) at some extent. I would not say that it will detect all the possible pieces of information, files or registry settings, but most likely our tool is able to pinpoint problems in a network weather it be 10 computers or 10.000. Again, not just Duqu, not just Stuxnet, but any intermediate instance might have signs that the detector might identify.

And it’s not just our tool. Several researchers made new tools that are not based on raw signatures, but some kind of heuristics. Check Bro, check Metasploit, check A/V vendors’ tools, and others, you can not even easily collect all the ways how people now check anomalies of the platform.

This is the reason why simple modifications on the malware platform now does not work. They need a complete re-write of the code to avoid rapid identification, or the story vanishes in time. Who knows what will come.

I should again thank for the collaboration to Kaspersky and Symantec on the topic.

  • Boldi

Editorial note

Blog entries of the Lab is a rapid way of communications. Entries have not went through the regular quality check processes and might contain errors. We modify blog entries if necessary without prior notice. The blog post is a personal disclosure and does not reflect institutional opinion.