Flame Malware Hijacks Windows Update
wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how."
And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
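The summary above describes Flame's Snack module watching NetBIOS name requests so that a compromised host can answer them and put itself between a client and Windows Update. As an added, defender-side example (not code from Kaspersky, Symantec or the article), the Python below parses NetBIOS Name Service (RFC 1002) name-query responses and flags any name for which replies advertised more than one address, which is what a spoofed answer competing with the legitimate one looks like on the wire. The packets fed in are constructed inline for the demo; the host names and addresses are made up.

```python
import struct
from collections import defaultdict

NB_TYPE = 0x0020  # NetBIOS general name service RR type (RFC 1002)


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix
    byte, then split every byte into two nibbles, each offset by ord('A')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append((b >> 4) + 0x41)
        enc.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_nb_name(data: bytes, offset: int):
    """Inverse of encode_nb_name; returns (name, suffix, next_offset)."""
    if data[offset] != 32:
        raise ValueError("unexpected NetBIOS name label length")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[offset + 33] != 0:
        raise ValueError("missing name terminator")
    return raw[:15].decode("ascii").rstrip(), raw[15], offset + 34


def build_nbns_response(trn_id: int, name: str, ip: str, suffix: int = 0x00, ttl: int = 300000) -> bytes:
    """Constructed positive name-query response carrying one NB record
    (used here only to produce sample traffic for the detector)."""
    header = struct.pack("!HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)  # R=1, AA=1, one answer
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + IPv4
    rr = encode_nb_name(name, suffix) + struct.pack("!HHIH", NB_TYPE, 1, ttl, len(rdata)) + rdata
    return header + rr


def parse_nbns(pkt: bytes) -> dict:
    """Parse an NBNS packet; returns transaction id, response flag and the
    (name, suffix, address) tuples found in NB answer records."""
    trn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip question entries: name + QTYPE + QCLASS
        _, _, off = decode_nb_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, suffix, off = decode_nb_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == NB_TYPE:
            for i in range(0, rdlen, 6):  # each entry: 2-byte NB_FLAGS + 4-byte address
                ip = ".".join(str(b) for b in rdata[i + 2:i + 6])
                answers.append((name, suffix, ip))
    return {"trn_id": trn_id, "is_response": bool(flags & 0x8000), "answers": answers}


def find_conflicting_answers(packets) -> dict:
    """Return {(name, suffix): {addresses}} for every name whose replies
    advertised more than one address, the signature of a rogue responder
    racing the legitimate host."""
    seen = defaultdict(set)
    for pkt in packets:
        msg = parse_nbns(pkt)
        if not msg["is_response"]:
            continue
        for name, suffix, ip in msg["answers"]:
            seen[(name, suffix)].add(ip)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample traffic: two replies to the same query, one from an
# address that does not belong to FILESRV01 (hypothetical names/addresses).
SAMPLE_PACKETS = [
    build_nbns_response(0x1234, "FILESRV01", "10.0.0.5"),
    build_nbns_response(0x1234, "FILESRV01", "10.0.0.77"),
    build_nbns_response(0x1235, "PRINTER1", "10.0.0.9"),
]


def demo() -> dict:
    return find_conflicting_answers(SAMPLE_PACKETS)


if __name__ == "__main__":
    for (name, suffix), addrs in demo().items():
        print(f"conflicting answers for {name}<{suffix:02X}>: {sorted(addrs)}")
```

In practice the packets would come from a capture of UDP/137 on the segment; a single name answered from two addresses within one transaction is worth an alert, and tying the advertised address back to the DHCP lease or asset inventory tells you which responder is the impostor.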
The security surrounding Windows Update is rather pathetic, certificate or no certificate. It's cost me many, many extra hours and headaches. While they're "hardening up" Windows Update, they should also make a vastly improved repair utility for it. I hate spending all that time removing a virus from a customer computer just to find out at the end that Windows Update is irreparably broken and SFC, their own fixit tool, 3rd party mass re-registration tools, and registry utilities all cannot fix it, so I have to reinstall. Considering that an OS install is classified as "totaled" if Windows Update no longer works, maybe they should protect it better AND make a flawless, end-to-end reinstaller that resets it to absolute default settings and fully repairs it.
A lot of people are predicting poor sales for Win8 because they dislike Metro; but there is probably going to be more visibility of the new "reset" capabilities of Windows 8, now that malware authors have raised their game to a new level.
Anyone know what this is about? It's in the last paragraph: "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware." Is that due to driver signing requirements?
Everyone that disagrees with me is a paid shill
OK, my notebook that still has Windows on it (out of pure laziness) has been nagging me about a security update for a couple of days, yesterday I went ahead and updated. Should I worry?
Free Martian Whores!
Parent post points out what I thought was the most interesting part of the article, that a cryptographic collision attack was used to generate the fake certificate. We've seen multiple articles here about researchers using cryptographic collision attacks against certain ciphers, but, aside from the story about GnuPG short IDs that were only 32 bit hashes, this is the first time I can recall hearing that one was used in the wild against a real security system. Now maybe people will pay attention to what those researchers were saying...
The US government has admitted to authorizing stuxnet. Now it looks like Flame is probably also a government authorized weapon.
My question is where did the money for the C&C servers come from? Those C&C domains were paid for with stolen credit cards and stolen identities. The same thing was used to purchase the VPSs used as the C&C servers. Why isn't there an outcry because the US government stole the identities and credit card numbers of private individuals to make these botnets? Where did they get these stolen identities? Did they use criminal means and buy them on the black market from other botherders? Did they just open their own files and roll the dice choosing people at random?
Flame is using tech that is not Stuxnet-related... this is beyond Israel's and the US's not-so-secret war with Iran. This code means that no Windows machine in the world that uses MS updating will ever be trustworthy... unless you apply a huge dose of collective amnesia and shoulder-shrugging denial.
Question: is there collusion between some dark back office at MS and the spooks, through which the spooks get digitally signed certificates? Is the "bug" intentional? MS and Apple have been quietly cooperating with the FBI, NSA and the spooks almost since day one... how much? Are we just seeing the corner of the machine?
Is Linux or BSD safe? I don't mean from a man-in-the-middle attack; I mean a man-under-your-feet attack. What if chip or mobo makers install cracks in the hardware itself, on the order of US (and Chinese) spooks? I don't think we can trust the hardware made in the last ten years or so. We may have to go to printing our mobos someday - and how then would you trust the mobo designs didn't have backdoors in their software, somehow, or in updateable firmware?
Iran should have known better, how? And how would they get around using Windows even if they wanted to? The equipment they buy is welded to Microsoft. I doubt there are many open sourced centrifuge software packages.