Researchers Explain How Flame Fakes Windows Update

By Gregg Keizer, 5-Jun-2012

Bogus certificates key, but espionage malware also spoofs Microsoft's update service on a network

As we continue our investigation ... more and more details appear [that show] this is one of the most interesting and complex malicious programs we have ever seen Alexander Gostevleads Kaspersky's research and analysis team

Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft's Windows Update mechanism.

Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?

Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company's Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates "signed" by Microsoft.

Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

"Hijacking Windows Update is not trivial because updates must be signed by Microsoft," noted Symantec on Monday in one of a series of blog posts its researchers have written about Flame.

One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame's development and attacks.

Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure's chief research officer and the first to announce that Flame was abusing Windows Update, called the feat "the Holy Grail of malware writers" and "the nightmare scenario" for antivirus researchers.

But as both Symantec and Kaspersky pointed out, Flame doesn't actually compromise Windows Update. It doesn't somehow infiltrate Microsoft's service -- and servers -- to force-feed malicious files to unsuspecting users.

A PC compromised by Flame can sniff a networks' NetBIOS information, which identifies each computer, then use that to intercept Windows Updates requests by Internet Explorer (IE)

Instead, a Flame-infected Windows PC can, in some situations, make other machines on a network believe it's Windows Update.

A PC compromised by Flame can sniff a networks' NetBIOS information, which identifies each computer, then use that to intercept Windows Updates requests by Internet Explorer (IE). Flame claims to be the WPAD (Web Proxy Auto-Discovery Protocol) server -- a system that provides proxy settings to copies of IE on the network -- and sends a malicious WPAD configuration file to the requesting PC.

As Symantec noted, WPAD hijacking is not new and is, in fact, part of many hacker toolkits.

The rogue WPAD configuration file modifies the victimized machine's proxy settings so that all Web traffic is routed through the Flame-infected system. On that PC, Flame's Web server, dubbed "Munch" kicks in, detects when the requested URL matches Windows Update's and in return sends a downloader disguised as a legitimate update from Microsoft.

To complete the ruse, the downloader was one of several compressed files -- crunched into the "cabinet," or ".cab" file format -- bundled into the single Windows Update.

Once the downloader was installed it retrieved a copy of Flame from the already-infected PC and uses it to compromise the computer.

This complex spreading technique only added to researchers' grudging respect for the threat.

"As we continue our investigation ... more and more details appear [that show] this is one of the most interesting and complex malicious programs we have ever seen," said Alexander Gostev, who leads Kaspersky's research and analysis team, in a Monday blog entry.

Microsoft has revoked three certificates generated by the attackers, making further spoofing of Windows Update files impossible on patched PCs unless there are more rogue certificates in the wild. The company has also blocked others from cranking out new code-signing certificates.

Source: Computerworld (US)

LATEST NEWS

  • AMD may Build ExactTrak Data-zapping into its Chips, to Compete with Intel vPro

    AMD said Thursday that it signed a deal with ExactTrak to embed the security company's technology inside its microprocessors. While no new products accompanied the announcement, the deal leaves open the possibility that AMD-based PCs could be remotely zapped--yes, literally--by users or network administrators.

  • Intel to Close $15 bn (about Rs 90,000 crore) Deal to buy Altera

    California based global tech giant, Intel, is set to close a deal to buy fellow chip maker Altera Corp. for about $54 (about Rs 3,480) per share, 15 percent more than Altera’s closing share price on Thursday, $47 (about Rs 2,620).

  • Server Sales Bolstered by Cloud Expansions

    Server vendors recorded the strongest shipment growth in over four years for the first quarter, mainly driven by continued investments in the hyperscale server infrastructures that power public and private clouds.

  • Salesforce Doubles Down on Big Data with New Analytics Tool

    All the data "lakes" in the world won't amount to much if you can't figure out what they mean for your business. With that in mind, Salesforce on Thursday unveiled Salesforce Wave for Big Data, a new tool designed to help business users make sense of their information stores using the Salesforce Analytics Cloud.

More news »