As an example of good disclosure that we can use to analyse our risks on new attacks come from Symantec:
Key points:Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
The executables are designed to capture information such as keystrokes and system information.
Current analysis shows no code related to industrial control systems, exploits, or self-replication.
The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
The exfiltrated data may be used to enable a future Stuxnet-like attack.
Now, Symantec are somewhat 'interested' in this disclosure, in the commercial sense, because they gain reputation and thence sell more defences to more customers. They could just shout FUD out to the world. But in this sense, the market has moved to a sense of competition on solid disclosures, as compared by competitor McAfee also putting its own analysis out there.
And, it turns out that Symantec is doubly interested as the new trojan was signed by one of their (Verisign?) certificates:
*Update [October 18, 2011] - *Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec revoked the customer certificate in question on October 14, 2011. Our investigation into the key's usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware. At no time were Symantec's roots and intermediate CAs at risk, nor were there any issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates. Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan.
Still, I can't fault the disclosure: they investigated and now claim it was a good cert, stolen from the client. They revoked it the same day of being shown the code/sig.
This information is provided in a way we can RELY on it. From this we can make risk management judgements. See more here.
Posted by iang at October 20, 2011 09:29 PM | TrackBack