Possible New Rootkit Has Drivers Signed by Realtek

ID THREATPOST:52B3266D20A8664780667A0A83CEE7D1
Type threatpost
Reporter Dennis Fisher
Modified 2018-08-15T12:24:22


Security researchers have identified a new suspicious program that is copying itself to PCs via USB mass storage devices and is digitally signed with the certificate of Realtek Semiconductor, a major manufacturer of computer products based in Taiwan.

The program, known as Stuxnet, looks like a somewhat standard-issue piece of malware, with a couple of key exceptions. Stuxnet uses an LNK file to launch itself from infected USB drives onto
PCs. LNK files are used by Windows programs as a shortcut or reference
to an original file, and this is thought to be the first instance of a
piece of suspected malware using a LNK file to infect machines.. Secondly, and far more worrisome, is the fact that the two drivers associated with the Trojan are digitally signed with the Realtek certificate.

“However, sometimes cybercriminals do somehow manage to get their
hands on their very own code signing certificate/ signature. Recently,
we’ve been seeing regular instances of this with Trojans for mobile
phones. When we identify cases like this, we inform the appropriate
certification authority, the certificate is revoked, and so on,” Aleks Gostev of Kaspersky Lab said in a blog post on the Trojan. “However, in the case of Stuxnet, things look very fishy indeed.
Because the Trojan isn’t signed with a random digital signature, but the
signature of Realtek
, one of the biggest producers of computer equipment.

“Recalling a certificate from a company like this simply isn’t
feasible – it would cause an enormous amount of the software which
they’ve released to become unusable.”

Upon execution, Stuxnet creates two drivers on the compromised machine, called mrxcls.sys and mrxnet.sys. The drivers are used to mask the malware on both the USB drive and the infected PC. Those two drivers are signed using the certificate of Realtek. The program doesn’t seem to do anything else malicious after it’s on a new machine, although it will copy itself to other USB drives attached to the PC.

A check of the certificate’s validity with VeriSign, the certificate’s issuer, shows that it is indeed legitimate. One of the problems that digitally signed malware files such as Stuxnet present is that they’re often trusted implicitly by security programs, so they’re allowed to pass by with no problems. And in some cases the security software may whitelist any digitally signed files as a matter of course.

The Stuxnet Trojan was discovered in mid-June by an antimalware company in Belarus called VirusBlokAda. The certificate for the Trojan was valid through June 10 and Stuxnet’s drivers were signed in late January. It was about a week after the certificate expired that the antimalware community first saw Stuxnet in the wild.

Gostev said that one possible explanation for the digitally signed drivers is that they’re legitimate components of the software on a USB drive that have characteristics of a rootkit. The new Trojan is currently confined to machines in India, Iran and Indonesia.


“Yes, they have rootkit functionality, and hide lnk and ~WTRxxxx.tmp
files in the root of the storage device. But that doesn’t mean the
driver files aren’t legitimate – remember the Sony rootkit incident? And the malware that used the rootkit technology,” he wrote.

Realtek did not respond to a request for comment.