2

You have probably heard about the excellent report "APT1: Exposing One of China's Cyber Espionage Units" published by Mandiant (you can download it here). The report is great and I recommend it to anyone interested in computer security.

Together with the report, Mandiant published the SSL certificates used in communication between APT1 malware and its C2 (command & control) servers in appendix F. However, the published certificates are in a text format like this:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Some-State, O=www.virtuallythere.com, OU=new, CN=new
        Validity
            Not Before: Oct 23 03:25:49 2007 GMT
            Not After : Oct 22 03:25:49 2008 GMT
        Subject: C=US, ST=Some-State, O=www.virtuallythere.com, OU=new, CN=new
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ee:48:13:76:f1:76:4b:6a:fe:6d:8c:5e:60:44:
                    19:b1:0a:b1:9e:bb:63:80:8f:c8:43:c8:73:ae:77:
                    4e:16:01:4e:8f:88:f8:a2:8c:4d:2e:b2:3d:6b:bd:
                    2e:cc:1b:b0:c3:5d:d6:a6:bc:1e:1a:31:b2:27:84:
                    64:9c:0b:b7:1e:b0:5e:82:96:e8:71:f6:ca:95:cf:
                    e1:40:bd:45:05:94:25:74:a0:90:ce:61:b9:8e:ba:
                    ed:aa:62:d4:10:79:68:eb:fb:31:63:0c:7b:11:2d:
                    8f:cf:57:a8:c4:6c:fd:77:c4:04:f5:46:84:e4:24:
                    c6:fe:dc:3a:06:9c:3e:ed:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1B:C5:98:18:EB:D2:1F:3A:5B:F9:07:E0:BF:4E:C5:59:9E:FD:51:29
            X509v3 Authority Key Identifier:
                keyid:EA:D7:8A:29:DB:FB:0A:0C:C0:85:B3:BA:8A:C3:D7:80:95:26:11:90
                DirName:/C=US/ST=Some-State/O=www.virtuallythere.com/OU=new/CN=new
                serial:F2:1E:60:49:18:68:08:B6
    Signature Algorithm: sha1WithRSAEncryption
        b8:2c:50:58:a8:29:ce:d1:f3:02:a3:0c:9b:56:9f:45:24:f1:
        48:d3:53:88:d7:2e:61:67:aa:08:e4:7d:d5:50:62:ae:00:d5:
        1a:91:61:01:94:5e:ab:62:e8:53:a5:0d:6a:f4:41:81:ee:2b:
        60:8d:e2:a6:3a:12:2d:aa:08:a5:5a:f4:d2:9e:b2:43:38:57:
        f1:c1:45:54:33:d1:05:8c:e4:37:ad:00:a8:b3:92:3f:2d:21:
        a0:20:ea:0f:48:05:9f:2a:2c:88:da:eb:8b:12:bb:1d:73:85:
        4d:be:
```

I believe this is not a very "workable" format: I would like to implement a script to check my network for APT1 certificates, but to do it I would need the certificates in PEM format, or at least the fingerprints (sha1, md5) of the certificates, to automate the process of detecting these certificates in my network.

Is there any way to convert a certificate in the format above to PEM format, or at least a way to calculate the sha1 fingerprint for the cert?

I found this, which suggests that such a conversion is cumbersome and complicated. Do you agree? Is requesting that Mandiant release the certificates in another (PEM) format my best bet here?

mzet

1 Answer

5

You cannot, generically, reliably rebuild the base certificate from which such a report was generated (apparently with the OpenSSL command-line tool). For instance, you have the string contents of the Issuer and Subject names, but not the information about how they were encoded.

You could use the signature as a discriminant for the certificates. You won't find a "normal" certificate with the exact same signature value (it is possible to build a fake certificate which contains the same signature, but you have to do it on purpose).

If you know the public key of the certificate which was used to issue this specific certificate, then you could use the public key to do the first steps of the signature verification, yielding the SHA-1 hash of the "To Be Signed" (that's a feature of PKCS#1 RSA signatures: this is an algorithm "with recovery": from the signature and the public key, you can obtain a hash of the data which was signed). With that hash, you could test whether a putative reconstruction of the certificate is correct or not. But this is hard work. If you just want to check whether a given certificate is one of the certificates in the Mandiant report, extract the signature field (e.g. with OpenSSL) and look it up in the lists published by Mandiant.

Tom Leek
  • Thanks. One more thing: Does the openssl command line tool have an option to extract the `signature` field from a certificate? I found that `modulus` can be extracted but I couldn't find any cli switch to extract `signature`. Thanks in advance. – mzet Mar 19 '13 at 08:21
  • You can use `openssl x509 -text -noout -in cert.pem` to analyze the certificate in `cert.pem`; the signature is at the end. It is then a matter of finding the second occurrence of "`Signature Algorithm:`" at the start of a line (after removing leading spaces). If you have the certificate as DER (or convert it to DER), then you could also look at the _last_ bytes: that's the signature, as is (e.g. in your example, the last five bytes of the DER-encoded certificate will be `1d 73 85 4d be`). – Tom Leek Mar 19 '13 at 12:45
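
The signature lookup described in the answer and its comments, as an added Python example that is not part of the original posts: it reads the signature from a text dump (everything after the second `Signature Algorithm:` line) and from a DER certificate (the final BIT STRING of the outer SEQUENCE), then compares the two. The function names and the sample data are constructed for illustration.

```python
import re

def _tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                       # long form: low 7 bits count the length octets
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def signature_from_der(der):
    """signatureValue of a DER certificate: third element of the outer SEQUENCE."""
    tag, off, end = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, off = _tlv(der, off)         # skip tbsCertificate
    _, _, off = _tlv(der, off)         # skip signatureAlgorithm
    tag, start, stop = _tlv(der, off)
    if tag != 0x03 or stop != end:
        raise ValueError("signatureValue BIT STRING not found")
    return der[start + 1:stop]         # drop the unused-bits octet

def signature_from_text(dump):
    """Signature bytes from `openssl x509 -text` style output."""
    lines = [l.strip() for l in dump.splitlines()]
    marks = [i for i, l in enumerate(lines) if l.startswith("Signature Algorithm:")]
    if len(marks) < 2:
        raise ValueError("second 'Signature Algorithm:' line not found")
    hexdigits = ""
    for l in lines[marks[1] + 1:]:
        if l.startswith("Signature Value:"):   # extra label printed by OpenSSL 3.x
            continue
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2}:?)+", l):
            break                              # first non-hex line ends the signature
        hexdigits += l.replace(":", "")
    return bytes.fromhex(hexdigits)

def is_listed(der, published_dumps):
    """True if the certificate's signature matches any published text dump."""
    return signature_from_der(der) in {signature_from_text(d) for d in published_dumps}

# Constructed sample: a DER skeleton with the right outer layout, not a real certificate.
SIG = bytes(range(1, 41))
SAMPLE_DER = b"\x30\x33" + b"\x30\x02\x05\x00" + b"\x30\x02\x05\x00" + b"\x03\x29\x00" + SIG
SAMPLE_DUMP = ("Signature Algorithm: sha1WithRSAEncryption\nIssuer: CN=new\n"
               "    Signature Algorithm: sha1WithRSAEncryption\n"
               + "\n".join("         " + SIG[i:i + 18].hex(":") + ":" for i in range(0, 40, 18)))
```

For a PEM file, convert to DER first (for example with `ssl.PEM_cert_to_DER_cert` from the standard library) before calling `signature_from_der`.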