
I just bought a Dell Inspiron 5559 and I immediately proceeded to switch the hard drive for a fast SSD and install Windows 10 Pro from an ISO downloaded from Microsoft. Since almost everything is working just fine, as Windows Update seemed to install drivers for my hardware automatically, I have yet to install any drivers from Dell.

Since I did install the little utility Dell uses to identify the model of your computer, and recently there was a major breach from Dell around this, in which they had a root certificate for everything and leaked the private key, I decided to run RCC to see if I got the bad certificate.

I don't seem to have any bad certificates from Dell, but I found this:

Number of 'interesting' items: 1 (Not part of baseline RCC1_STD_MSCTL)

92B46C76E13054E104F230517E6E504D43AB10B5: Symantec Enterprise Mobile Root for M
                       Time of insertion: 10/30/2015 07:25:53 UTC

The items highlighted above might represent a security risk. It is highly
recommended to review their purpose, and distrust them if appropriate.

After all the precautions I took to have a clean computer, how did that one get in?

Hennes
Pablo Fernandez
  • Related: http://www.ghacks.net/2015/11/25/give-your-windows-certificate-store-a-thorough-scan-for-suspicious-certs/ (But he doesn't really know either.) – StackzOfZtuff Nov 25 '15 at 13:20
  • 2
    The fingerprint on the cert matches this one though: Verisign/Symantec: [*How to install the Windows® Phone Private Enterprise Root and Intermediate certificates*](https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO20770&actp=search&viewlocale=en_US) – StackzOfZtuff Nov 25 '15 at 13:30
  • I can see that other Windows 10 machines have the same cert, with an install date that matches the date of the Windows 10 upgrade. – user823959 Nov 25 '15 at 21:06
  • How did it get installed? I would guess it got installed because you installed Symantec security software or left Symantec security software installed. – Ramhound Dec 06 '15 at 23:42

1 Answer


The Symantec certificate is extremely suspicious, as it is listed in the 'Hacking Team' leak and it is being used to sign malware files:

wikileaks.org/hackingteam/emails/emailid/522525

https://www.hybrid-analysis.com/sample/8b39869677879158103ac56303f8466f493bc8859bcddd774ea98ac046c560f8

https://www.hybrid-analysis.com/sample/0d102760dfa18929779a80f56c2e8bb530874618e75989502c2712d36a23c75f

pedump.me/96da0a4144d620f60f608d73f9f6c8da/#signature

In fact, it comes by default on Windows 10, but it is not listed as a trusted root certificate:

support.microsoft.com/es-es/kb/293781

  • This is not an answer to the question. If you have an answer, please edit your post to include those details. Once you have sufficient (50) reputation, you will be able to comment on any post. – Ben N Dec 07 '15 at 01:02
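Both the question (how did this certificate get in?) and the answer's claim that it ships with Windows 10 but is not a trusted root come down to which store the thumbprint actually sits in. The following PowerShell script is an added example, not part of the original post or of RCC: it assumes Windows PowerShell 5 or later, uses the thumbprint RCC printed above, and reports the store and location of every copy so the reader can tell a locally imported root from one delivered by Microsoft's root update or one that is explicitly distrusted.

```powershell
# Added example, not from the original post or from RCC: find a certificate by its
# SHA-1 thumbprint in every Windows store that affects trust and report where it sits.
# Assumes Windows PowerShell 5+; the thumbprint is the one RCC reported above.
$Thumbprint = '92B46C76E13054E104F230517E6E504D43AB10B5'

# What membership in each store means:
#   Root             - locally trusted roots (added by an admin, an installer or GPO)
#   AuthRoot         - roots delivered by Microsoft's automatic root update
#   CA               - intermediates; no trust on their own
#   Disallowed       - explicitly untrusted; chains through it fail
#   TrustedPublisher - Authenticode publishers trusted without a prompt
$Stores    = 'Root', 'AuthRoot', 'CA', 'Disallowed', 'TrustedPublisher'
$Locations = 'LocalMachine', 'CurrentUser'

$hits = foreach ($loc in $Locations) {
    foreach ($store in $Stores) {
        $path = "Cert:\$loc\$store"
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Location   = $loc
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                    EKU        = ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '
                }
            }
    }
}

if (-not $hits) {
    "Thumbprint $Thumbprint is not in any of the checked stores."
    return
}
$hits | Format-List

# Triage: the combination of location and store says how it got there and what it can do.
if ($hits | Where-Object { $_.Store -eq 'Disallowed' }) {
    'Listed in Disallowed: Windows will reject any chain built through this certificate.'
}
if ($hits | Where-Object { $_.Store -eq 'Root' -and $_.Location -eq 'LocalMachine' }) {
    'Listed in LocalMachine\Root: something on this machine imported it as a trusted root.'
}
if ($hits | Where-Object { $_.Store -eq 'AuthRoot' }) {
    'Listed in AuthRoot: it arrived through the Microsoft root update program.'
}
```

A certificate found only in CA or Disallowed is not a trust anchor, which is the distinction the answer's "present but not a trusted root" remark relies on.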