It seems like we’re infested, or at least so my wife tells me. Apparently the mice are everywhere, although I haven’t seen any myself. While running the domestic Anti-Virus program last weekend – the vacuum cleaner – she came across the tell-tale signs of mice.
So I was dispatched to the stores to buy the mouse destroyer – humane version of course, because no matter how much she hates the mice, we can’t kill them! We just collect them and relocate them to the neighbours!
And the problem with mice is that you never know you have them until it’s too late. It’s only when you start to experience the consequences that you’re able to take action, and it’s always the same question from the wife – how did they get in here? It seems like having mice immediately marks you as some kind of degenerate, unfit to live anywhere near other humans.
And the same kind of applies to our IT environments. The question you often hear asked is how did those “vermin” managed to install malware in my infrastructure!
Well it seems that the “vermin” are getting smarter by the day, and the latest trick is to use valid digital certificates as part of the malware. We first saw this with Stuxnet and Zeus which both apparently used signed digital certificates as part of their attack on vulnerable systems, and now the latest addition to the list is Duqu, which apparently is “signed” with a key belonging to a company in Taipei.
Stealing valid certificates is now big business because trying to use a forged certificate, or altering a valid certificate means that the system will alert the user when the driver tries to install. And alerting users or system admins to a possible issue is not the best way to survive. It’s kind of like the mouse knocking on the door asking if they can come in – they need to be as inconspicuous as possible!
But you say that your AV will detect this. Unfortunately not because your AV is relying on detecting what it already knows about. If the malware that includes the signed driver is not a known then your AV is not going to detect it. Like the mice, your AV is taking action after detection.
Protecting Your Organisation
You can take preventative steps to significantly reduce the risk. Because these new exploits are relying on using valid digital certificates, then having the ability to detect new certificates on systems gives you the ability to act early.
But this also implies that you have and maintain an up-to-date inventory of all the keys and certificates that you already have. And this is one of the major weaknesses that the malware is exploiting. Knowing that the vast majority of organisations have absolutely no idea of where certificates are used or installed, and have no structured management of keys and certificates makes exploitation of this extremely easy.
The problem is not with Certificate Authorities, the problem lies with organisations who have not addressed the management of certificates. For example in many organisations there is no centralised management of keys and certificates, and in many cases different departments have responsibility.
So it is typical to find one group with responsibility for internal systems and a different group responsible for Internet facing systems. These groups don’t communicate, and the result is that as long as senior management continue to allow this parochial approach, the “vermin” will continue to exploit this.
So what can you do to solve the problem of “Mice and Men”
1. Don’t leave “food” lying around – Like mice, those who distribute digitally signed malware rely on the “food” provided by your systems. The number of trusted publishers or Certificate Authorities that are supported as standard in your systems varies between 600 – 1500, and any stolen certificate, issued by any of these authorities will be automatically trusted. So remove all trusted publishers except for those you actually use
2. Secure access – No matter what benefits you gain from technology, as long as people are involved in the process there is always risk. Stealing digital certificates is now big business and it becomes imperative for every organisation to protect access to private keys.
Without the private keys the certificates are useless. Private keys used with certificates must be kept secure or unauthorized individuals can access confidential information. Direct administrative access to private keys should be eliminated wherever possible.
If access is required, that access should be closely monitored to prevent the possibility of a copy of the private key being made. All private key access should be logged. Every time a system’s administrator is changed, the private key and corresponding certificate should be changed.
After all no matter how damaging it might be for you to be infected with Duqu or Stuxnet, imagine the embarrassment if you are the next “C-Media Electronics or Realtek Semiconductor Corp.” who have “supplied” the certificate to the “vermin”
3. Keep the garden tidy – Keep your certificate validity periods to a maximum of one year. In the case of Duqu, the certificate will expire in August 2012, and it would be interesting to know when it was actually issued.
Even although it has been revoked, since the certificate is still valid it will continue to be trusted by systems that are not set up to do revocation checking. But even depending on third party revocation checking is not sufficient. Organisations should be also managing revocations to ensure that you are protected, rather than relying on third parties to do this for you!
The validity period is the time window a certificate is valid and consequently the period during which you must ensure the secrecy of the certificate’s private key. So care needs to be taken to password protect private keys and that keystore passwords are changed each time a certificate and private key are replaced or renewed.
4. Close the holes – Do you know where every hole is that a mouse can enter – probably not. The mouse needs a hole about the size of a “dime” to get in. The malware is looking to hide itself among the tens of thousands of certificates in your infrastructure.
So make sure you have a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates are deployed in a variety of locations by different individuals and teams – it’s simply not possible to rely on a list from a certificate authority.
You need to find certificates that are present on a listening port such as HTTPS but also you need also need to check all ports, perform file system scans on servers and workstations, and this needs to be an on-going process so that if any “vermin” do show up, you will know and be able to act in a timely manner.
The last thing I need at home is mice in every room, and the last thing you need in your organisation is digitally signed malware on every system! Now where did I put my shotgun?