
Flame malware subverts Windows Updates, infects networked PCs



nsane.forums

It's hard to patch a machine when the update mechanism is compromised.

[Image: the certification path of the certificate used to sign WuSetupV.exe, which masquerades as a legitimate Windows Update from Microsoft.]

The Flame espionage malware targeting Iranian computers contains code that can completely hijack the Windows update mechanism that Microsoft uses to distribute security patches to hundreds of millions of its users, security researchers said Monday.

Flame components known as "Gadget" and "Munch" allow Flame operators to mount a man-in-the-middle attack against computers connected to a local network that hosts at least one machine already infected by the malware, Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. By exploiting weaknesses in Microsoft's Terminal Server product—and poor key-management decisions made by Microsoft engineers—the Flame architects were able to produce cryptographic seals falsely certifying that their malicious wares had been produced by Microsoft.

Microsoft issued an emergency update on Sunday that added three certificate authorities to its list of untrusted certificates, but it's unclear how useful such measures will be at repairing the damage. Company officials have yet to acknowledge the susceptibility of the update process or to provide guidance for customers whose networks may already be compromised. A representative with Microsoft's outside PR firm told Ars that Microsoft "doesn't have anything further to share at this time," and referred reporters to a series of blog posts that didn't address these unanswered questions.

According to Kaspersky's Gostev, Flame attackers have been using the same fraudulent Microsoft certificates to spoof the company's widely used Windows update mechanism. Other researchers quickly weighed in on the enormity of the attack.

"Having a Microsoft code signing certificate is the Holy Grail of malware writers," Mikko Hypponen, chief research officer of antivirus provider F-Secure, blogged on Monday. "This has now happened."

A separate blog post published Monday by Symantec researchers further catalogs the enormous data collection capabilities of Flame. "The sheer breadth of functionality and size sets it apart," Symantec researchers wrote. "Even describing it as an industrial vacuum cleaner does not do it justice."

The Flame modules are able to bypass the legitimate Windows update by setting up a fake server named MSHOME-F3BE293C on networks that host an infected machine. When machines attached to the network run software that advertises itself as an official Microsoft update, the fake server delivers the Flame malware instead, causing those machines to also become infected.

Right now, Microsoft is using its emergency update process to push a patch that mitigates a Windows threat that can hijack the emergency update process. No doubt, end users should install the patch as soon as possible. But it's naive to think this out-of-band fix will repair the damage done to networks already hit by Flame, at least until Microsoft representatives provide additional guidance.

View: Original Article

visualbuffs

What the hell this malware was!!!



  • Administrator

What the hell this malware was!!!

Is. :rolleyes:

Guess who has written this malware. -_-



Is there any way for us others to turn your blinking avatar off?



@ myidisbb, not ideal I know, but I added the avatar to Adblock (yes, I have allowed the rest of nsane to run through Adblock).

Regards

Dodel



@ myidisbb, not ideal I know, but I added the avatar to Adblock (yes, I have allowed the rest of nsane to run through Adblock).

Regards

Dodel

I've been doing that to all his avatars. :sneaky:


Ambrocious

The US Government, in absolute cooperation with Microsoft, has built in back doors by default into Microsoft's operating systems. This virus wasn't supposed to be public knowledge because it is a big cyber weapon of surveillance. This is probably affecting ALL Microsoft based systems as of right now. Why is it being exposed right now? Probably because they have already created 5 other mystery viruses that are being deployed and also, they can't deny the existence of this one anymore.



  • Administrator

This is probably affecting ALL Microsoft based systems as of right now.

Right now, reports have come that it has only infected 1000-odd computers, with most of them being on the Middle East side.

And I don't know, I do think it's the U.S. govt's job, but I don't think they'll ever use a fake certificate, they'll rather ask for a real certificate from M$. Instead, M$ has themselves come out in public and has rejected that certificate from Windows.

I know there has always been a story about U.S. implanting a backdoor on all the Windows OSs, but that should be taken with a handful of salt.



Wow, that's so complicated. :huh: What the hell is that? The most infected systems are in my country.



visualbuffs

Flame malware subverts Windows Updates, infects networked PCs

Flame or Flamer, an admittedly sophisticated piece of malware, appears to have more tricks up its sleeve than security researchers had initially believed. Security firm Kaspersky has discovered that the virus turns infected PCs into Windows Update servers which may then fool uninfected PCs into downloading and installing Flame.

The multi-phase attack begins with an infected Windows PC laced with illegitimate security certificates -- certs which appear to be digitally signed by Microsoft. Patient zero then advertises itself across the network as a proxy server, funneling Internet traffic through itself and cementing its man-in-the-middle role. Other Windows computers discover the infected computer and begin automatically using it as a proxy. When those unsuspecting PCs begin to download and install their regularly scheduled Windows Updates, the false proxy server substitutes requests for legitimate updates with its own versions -- packaged installers for Flame.

To spread across a network, Flame relies on "automatically detect [proxy] settings" being active, an option found under Control Panel > Internet Options > Connections. Unfortunately, this option is enabled automatically on most default Windows installs unless explicitly disabled by the user or through group policies.


Although clever and obviously dangerous, there's little need for panic just yet. Flame continues to be isolated in the Middle East and purposefully so, experts believe. The virus also further narrows its scope by targeting government networks, meaning everyday Internet citizens should be safe, at least for the moment.

It is unlikely that you are the target of Flamer unless you are an official in a Middle Eastern government or working on weapons research for such a government. Flamer is not “out there” on the Internet right now, spreading from country to country. You are not likely to find Flamer attached to an email in your Outlook Inbox (USB flash drives seem to be Flamer’s infection vector of choice). And if you are using a good antivirus product it is now protecting you from Flamer. The major AV products were quickly updated to detect Flamer and the better ones will now have generic detection of malware that has “Flamer-like” characteristics.

Even though Flame may itself remain in isolation due to apparent political motivations, don't be surprised if other virus writers try to capitalize on the ingenuity displayed by Flame's numerous modules.

Fooling Windows Update on a PC is no trivial matter, but Flame's designers managed to do something that no other malware creator has been known to do thus far -- make an illegitimate certificate which Windows wholeheartedly believes is signed by Microsoft. This has long been the "holy grail of malware writers", according to F-Secure, and it brings with it some potentially scary consequences. This ability of Flame is key to its seamless subversion of Windows Update.

Source

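Both reposted articles turn on two things an administrator can actually check: whether "Automatically detect settings" (proxy auto-detection) is on, since that is what lets an infected machine on the LAN insert itself as the update proxy, and what Microsoft's out-of-band update put in the untrusted-certificates store. The PowerShell audit below is an added example written for this thread; it is not code from either article, from Kaspersky, or from Microsoft. It assumes (this layout is a common observation, not something the articles state) that the Internet Options checkbox is stored in the `DefaultConnectionSettings` binary registry value, with byte 8 holding flag bits and bit 0x08 meaning auto-detect is enabled and bytes 4-7 holding a change counter; it also assumes the revoked CAs landed in the `Disallowed` (Untrusted Certificates) store, and it uses the `wpad` DNS name that auto-detection queries as an assumption about how discovery works rather than a fact from the page.

```powershell
# Added example for this thread (not from the articles or from Microsoft).
# Audits the proxy auto-detect setting Flame relied on and lists the
# machine's distrusted certificates so they can be compared with the
# CAs Microsoft revoked. Run elevated to read HKLM and LocalMachine.

function Get-ProxyAutoDetectState {
    # Reads the per-hive Internet Options connection blob. Assumption:
    # byte 8 is a flag field where 0x08 = "Automatically detect settings".
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $key = "$Hive`:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
    $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if (-not $blob -or $blob.Length -lt 9) {
        return [pscustomobject]@{ Hive = $Hive; AutoDetect = 'unknown'; Flags = $null }
    }
    $flags = [int]$blob[8]
    [pscustomobject]@{
        Hive       = $Hive
        AutoDetect = [bool]($flags -band 0x08)   # $true means a rogue LAN proxy can be picked up
        Flags      = ('0x{0:X2}' -f $flags)
    }
}

function Disable-ProxyAutoDetect {
    # Clears the auto-detect bit and increments the change counter in
    # bytes 4-7 (assumed layout) so WinINet re-reads the setting.
    # Takes effect for new processes / next logon; prefer Group Policy at scale.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $key = "$Hive`:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
    $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings).DefaultConnectionSettings
    $blob[8] = [byte]([int]$blob[8] -band 0xF7)
    $counter = [BitConverter]::ToUInt32($blob, 4) + 1
    [BitConverter]::GetBytes([uint32]$counter).CopyTo($blob, 4)
    Set-ItemProperty -Path $key -Name DefaultConnectionSettings -Value $blob
}

function Get-DistrustedCertificates {
    # Lists the Untrusted Certificates store; compare Subject/Thumbprint with
    # the CAs named in Microsoft's advisory for the out-of-band update.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-WpadAnswer {
    # Auto-detection asks DNS for a host named "wpad" (assumption about the
    # discovery mechanism). An unexpected answer on an internal network is
    # worth investigating; no answer is the normal state where WPAD is unused.
    $answer = Resolve-DnsName -Name wpad -ErrorAction SilentlyContinue
    if ($answer) { $answer | Select-Object Name, Type, IPAddress } else { 'no wpad record' }
}

# Usage: report only; uncomment the last line to remediate the current user.
Get-ProxyAutoDetectState -Hive HKCU
Get-ProxyAutoDetectState -Hive HKLM
Get-Service -Name WinHttpAutoProxySvc | Select-Object Name, Status, StartType
Get-WpadAnswer
Get-DistrustedCertificates | Format-Table -AutoSize
# Disable-ProxyAutoDetect -Hive HKCU
```

The report functions are read-only, so the script can be run across a fleet first to see which hosts still have auto-detection on and whether the distrusted-CA entries are present; the `Disable-ProxyAutoDetect` call is left commented out because on a domain the same setting is better enforced through Group Policy, as the article notes, rather than by editing the blob on each machine.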


Archived

This topic is now archived and is closed to further replies.
