Flame Malware Hijacks Windows Update
wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how."
And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
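The NetBIOS spoofing avenue described in the summary is also visible to a defender watching the same traffic. The following is an added example, not code from the story, from Kaspersky or Symantec, or from the malware itself: it encodes and parses NBNS name-query packets in the RFC 1002 layout and flags the patterns a host impersonating a name on the LAN produces (one name answered by more than one host, a reply whose advertised address is not the sender's own, and a reply with no matching query). The hostnames, transaction ids and 10.0.0.x addresses in the sample traffic are constructed for the example.

```python
"""Flag spoofed NetBIOS Name Service (NBNS, UDP/137) replies on a LAN segment.

Added example: builds and parses RFC 1002 name-query packets, then runs three
checks over a constructed capture. Nothing here is taken from Flame's modules.
"""
import socket
import struct
from collections import defaultdict

NB_TYPE = 0x0020           # resource record type "NB" (RFC 1002 section 4.2.1.3)
FLAG_RESPONSE = 0x8000     # R bit in the header flags word


def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes, append
    the one-byte suffix, then split every byte into two nibbles and add 'A' to each."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(encoded)]) + encoded + b"\x00"   # 32-byte label, empty scope


def decode_name(data: bytes, offset: int):
    """Reverse encode_name(); returns (name, suffix, offset_after_name).
    Assumes the empty scope (single 0x00) that Windows hosts send by default."""
    length = data[offset]
    enc = data[offset + 1:offset + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], offset + 1 + length + 1


def build_query(trn_id: int, name: str) -> bytes:
    # flags 0x0110: opcode QUERY, recursion desired, broadcast
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", NB_TYPE, 1)


def build_response(trn_id: int, name: str, ip: str) -> bytes:
    # flags 0x8500: response, authoritative answer, recursion desired
    header = struct.pack("!HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS (unique, B-node) + IPv4
    rr = encode_name(name) + struct.pack("!HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata
    return header + rr


def parse_nbns(data: bytes) -> dict:
    """Parse the header, question and answer sections of one NBNS datagram."""
    trn_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, _suffix, offset = decode_name(data, offset)
        offset += 4                                  # QTYPE + QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, _suffix, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        addrs = []
        if rtype == NB_TYPE:                         # each entry: 2 bytes NB_FLAGS + 4 bytes IP
            addrs = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
        answers.append((name, addrs))
    return {"trn_id": trn_id, "response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def analyse(packets) -> list:
    """packets: iterable of (source_ip, udp_payload) in capture order. Returns alert strings."""
    pending = set()                     # transaction ids we saw a query for
    responders = defaultdict(set)       # name -> hosts that answered for it
    alerts = []
    for src, payload in packets:
        msg = parse_nbns(payload)
        if not msg["response"]:
            pending.add(msg["trn_id"])
            continue
        if msg["trn_id"] not in pending:
            alerts.append(f"unsolicited NBNS reply from {src} (trn_id {msg['trn_id']:#06x})")
        for name, addrs in msg["answers"]:
            responders[name].add(src)
            if src not in addrs:        # owner of a unique name advertises its own address
                alerts.append(f"{src} answered for {name} but advertised {', '.join(addrs)}")
    for name, hosts in responders.items():
        if len(hosts) > 1:
            alerts.append(f"name {name} answered by multiple hosts: {sorted(hosts)}")
    return alerts


# Constructed sample capture (not real traffic): a legitimate answer followed by a second
# host answering the same lookup, then an unsolicited reply claiming another host's address.
SAMPLE_TRAFFIC = [
    ("10.0.0.23", build_query(0x1A2B, "WSUS-SERVER")),
    ("10.0.0.5", build_response(0x1A2B, "WSUS-SERVER", "10.0.0.5")),
    ("10.0.0.99", build_response(0x1A2B, "WSUS-SERVER", "10.0.0.99")),
    ("10.0.0.99", build_response(0x7777, "FILESRV01", "10.0.0.5")),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_TRAFFIC):
        print("ALERT:", line)
```

Fed from a sniffer on the segment (or from a pcap converted to `(src_ip, payload)` pairs), the first two packets alone raise nothing, while the constructed capture as a whole yields three alerts: the unsolicited reply, the mismatched advertised address, and the name answered by two hosts.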
And you thought Conficker was bad!
The security surrounding Windows Update is rather pathetic, certificate or no certificate. It's cost me many, many extra hours and headaches, while they're "hardening up" windows update, they should also make a vastly improved repair utility for it. I hate spending all that time removing a virus from a customer computer just to find out at the end that Windows Update is irreparably broken and SFC, their own fixit tool, 3rd party mass re-registration tools, and registry utilities all cannot fix it so I have to reinstall. Considering that an OS install is classified as "totaled" if Windows Update no longer works, maybe they should protect it better AND make a flawless, end-to-end reinstaller that resets it to absolute default settings and fully repairs it.
Funny thing to say about any version of Windows.
Question remains: how come those people are so dumb? Being at de facto cyberwar with a country, and still using closed-source programs originating from it?
Another one: Be rich and smart enough to have nuclear research, but not smart enough to roll their own IT infrastructure based on code they can audit?
http://opencm3.net, http://www.nongnu.org/gm2/
Anyone know what this is about? It's in the last paragraph: "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware." Is that due to driver signing requirements?
Everyone that disagrees with me is a paid shill
Umm... the developers behind Flame were able to hijack Windows Update, gain access to a Microsoft code signing and website signing key, and stay undetected in the wild for at least 2+ years.
But System Restore 2.0 is going to stop them? Your average piece of malware can survive a system restore...
OK, my notebook that still has Windows on it (out of pure laziness) has been nagging me about a security update for a couple of days, yesterday I went ahead and updated. Should I worry?
Free Martian Whores!
I don't think you're being fair. Microsoft has fixed more security holes than all the other software companies on the planet combined. And I have every faith that they will continue to fix thousands and thousands of security holes every year for a long, long time to come.
Of course, it's running Windows.
The preceding was meant tongue-in-cheek but even having said that there'll probably still be Linux/MS fanbois who want to take it seriously and start a flamewar.
Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
Damn. I knew I should have used a "/sarcasm" tag.
disable NetBIOS ?
I don't think I'm using it for anything... even my printer is set up with an IP address.
Is that due to driver signing requirements?
Driver signing doesn't mean squat for security. Third-party drivers with security holes and back doors are a dime a dozen, and there are even some in Microsoft drivers, of course. I have a publicly-available CPU diagnostic utility that comes with a signed 64-bit driver that allows user mode to write to any desired MSR. That easily leads to arbitrary code execution, most easily by changing the syscall vector. Malware that acquires administrator privileges can just install some company's vulnerable driver.
Driver signing is really about DRM. Hollywood was strongly concerned about fake video card and sound card drivers being used to dump unencrypted content from protected sources. The proof of my statement is what happens when you boot the Vista/7/8 kernel in debug or test signing mode: everything works except Blu-Ray movies and other DRM content.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
To be fair, a malware writer could not care less if their software breaks 10-20% of the PCs it attempts to hijack.
Make MS brick 5% and the cost to them could be astronomical.
So, it is not symmetric warfare.
Why can't
If you are on a network that already features Flame, you should probably just wipe and reinstall now.
Otherwise, that security update was probably Microsoft's emergency blacklisting of the signing keys that were used to make the Flame components pass as MS-signed software...
Well, I am not an expert on the topic but there are a few things you might want to consider before you get all overexcited on that...
First, there are hardly any infections outside the Arab world. (My guess is that it just takes a look at the keyboard driver in use.) Going by your username you're not an Arab guy.
Second, the virus seems to be activated by some kind of a human operator, and well... you are probably not important enough (read: high level nuke scientist or something)
Third, this thing has been in the wild since 2010, maybe even as early as 2007, and you didn't get infected in all the updates since then (I assume), or it is too late anyway.
Fourth, you use Windows and then ask if you might catch a virus? Seriously?
Fifth, to be absolutely safe: format your HD a couple of times, get OpenBSD on it with a strong root password (at least 128 characters), get the battery out and pack the thing in a lead box with walls at least 5 inches thick, fill the rest of the box with epoxy and bury the whole thing at a depth of at least 10 feet... on Pluto...
rm -rf --no-preserve-root /
You may want to build system images of important machines and just "re-image" after a virus infection. I do that with the few Windows machines we have here.
Clonezilla is fantastic for this. It's free and it makes simple images that can be stored on any file share. It doesn't yet image to drives smaller than the original source machine, but I'm confident they will add that in the future. For now, I image to drives equal in size or larger.
Sure Acronis, Ghost and the like work as well, but it's hard to argue with free.
-ted
Indeed certificate revocations went out on the 3rd.
http://support.microsoft.com/kb/2718704
And as you've said, System Restore 2.0 won't stop them. And malware surviving? It gets worse than that: some of the more vicious ones inject themselves right into the SR backup and edit the backed-up hive. Unless you can remove it fully, you're kinda shot. Which can also mean disabling SR.
Om, nomnomnom...
I saw an article about this already on Ars Technica. However, Ars included one detail that the Slashdot and Security Week stories don't:
Microsoft issued an emergency update Sunday that updated the Windows Certificate Revocation List specifically to expire the certificate used by this exploit.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Hindsight is when something is obvious in retrospect. A paper published before the infection is not hindsight, but foresight.
That said, I love how clicking on the link to a paper about a security vulnerability leads to my browser giving a security certificate warning....
When Windows Update was introduced, the first thought to go through my mind was, "I wonder how long until someone compromises this and uses it to push out malware." It took a lot longer than I thought.
That's just not the way malware works any more.
Early viruses were great: they did something obvious like put dialog boxes on your screen, ask for cookies, wipe your hard drive, or other obvious malicious behaviour. This was a good thing because it meant that they would never really spread that far, because once infected, people knew they were infected, and the infection caused enough trouble to be worth fixing.
Modern malware is a completely different beast: the goal of modern malware is to be unnoticed by the end user so as to live as long as possible in the machine, and spread to as many others as possible, usually with the goal of leeching bandwidth from these machines for use in various botnets. As such, malware that causes your machine not to boot would defeat the purpose of modern malware. A machine that isn't booted up will not join a botnet, and will not spread to other machines.
What is more likely is that the virus writers will intercept the keys used by UEFI, manage to sign their own bootloader, and still run Windows in a way that the average end user can't tell the difference. This will make the virus almost impossible to remove as it will then have more access to the system than even the operating system itself does. On the bright side, once the UEFI keys are in the wild, the various free operating systems can use those same keys to sign their own bootloaders, allowing people to run non-Windows software in a signed way on Windows-only hardware (call it jailbroken...).
Only if you're a Queensryche fan.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
What's at issue is that one side doesn't fucking care that they're in one, and their responses are always reactive/responsive and half-assed.
What does Apple have to do with this story?
Thanks for taking the fun out of it.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
The US government has admitted to authorizing stuxnet. Now it looks like Flame is probably also a government authorized weapon.
My question is where did the money for the C&C servers come from? Those C&C domains were paid for with stolen credit cards and stolen identities. The same thing was used to purchase the VPSs used as the C&C servers. Why isn't there an outcry because the US government stole the identities and credit card numbers of private individuals to make these botnets? Where did they get these stolen identities? Did they use criminal means and buy them on the black market from other botherders? Did they just open their own files and roll the dice choosing people at random?
And then nuke it from orbit.
Iran is an Arab country now? Did anybody let them know? The rest of the comment is unfounded speculation and recycled nonsense. To everyone who modded "informative": doh!
Most Americans can't understand the differences between Persia and East Boise.
I think it may be better to say it is an attack targeted at specific regions or countries. Kaspersky had most of the module signatures in their database over 2 years ago and decided not to flag them as active malware. Most malware programs are small in size and spend a good deal of time trying to masquerade or hide themselves from virus scanners. In Flame's case it was a huge program using SQLite and other normal business-related applications to do the work. It was made to look like a normal business application, which basically was hiding in plain sight that virus scanners determined harmless. The guys who built Flame and Stuxnet make Anonymous and other script kiddies look ridiculously stupid. As more and more applications get flagged as malware the only thing people will be able to actually run is the OS.
Of course. Americans are all idiots but somehow still manage to lead the world in economic, military, and computer technology. It's a mystery.
Of course I know the difference between Persians and East Boisans. Persians have the annoying tendency to say "Bro" after every other word, drive Mercedes and threaten to cut your balls off if you even look at a Persian girl. East Boisans say "Y'all" after every other word, drive Ford F150s and fantasize about their sisters.
Greetings from LA.
If you were me, you'd be good lookin'. - six string samurai
...Oh, wait.
OTOH, go to a network with no Windows systems, download update containing certificate revocations, and burn to CD before reinstalling and updating.
No, because that was the root cert revocation that MSFT released to cancel TFA. If you are truly worried about Windows Update, frankly there is NO reason to run it the old-fashioned way, especially when you have more than one machine, as it'll just be a waste of bandwidth.
Instead just use WSUS Offline, which will get the updates directly from MSFT using WGET and drop them in the folder of your choice, all nice and neat and complete with a simple .exe launcher. It can also take care of .NET, MSE updates, and MS Office from 2K3 up if you have any of those that also need updating. It's great and takes the hassle out of updating, especially on a new build, but works just as well for any Windows from XP to Win 7 x64. Combine this with Ninite for third-party software and frankly anybody can have a Windows system fully patched and loaded with the basics with almost zero effort.
ACs don't waste your time replying, your posts are never seen by me.
First, there are hardly any infections outside the Arab world. (My guess is that it just takes a look at the keyboard driver in use.) Going by your username you're not an Arab guy.
I doubt it looks at keyboard drivers to decide who to infect. I know a lot of people here in the US that have Arab keyboard drivers on their computers that aren't Arab, or obviously even in the Middle East. I'm one of them. Pretty much any university student studying Arabic has an Arabic keyboard downloaded for their computer. Simply looking at that would cause the malware to spread way too far, and cause way too much collateral damage if it's intended to be a targeted attack.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
No mystery. Numbers.
Even if the bell curve is skewed in the wrong direction (I'm not saying it is, but many people seem to think so) the sheer number of people means that there are plenty in the population near the top end of the curve capable of great innovation, and there are so many at "reasonable average" levels that there is brawn and brain power available to make innovations work for the economy and feed back into the population to complete the cycle (overpowering the effect of the agents at the lower end of the curve and/or giving them jobs that help fuel (or at least lubricate) the economy further).
Same reason China has grown so fast in recent decades: once a chunk of that massive population was actually put to useful work (from the point of view of the economy, local and global) big things started happening.
Throwing people at a hard problem is often counterproductive, but throwing people at implementing the solution to a solved problem often is, so being ahead in the numbers game can be a significant advantage.
Amen. I'm sure there are Russian hackers right now thinking "oh no, we can't copy Flame for our own purposes because it only attacks Arab countries".
I wonder if a Flame variant is already out there, quietly waiting to do its thing after the fuss has died down a little? If Windows Update tries to download a special certificate hotfix from mikrosoft.ru, I'd be reinstalling the entire OS.
The climate is better in Persia and there are a lot fewer Mormons.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
I find it easier and more sane, if Windows is necessary, to run Linux or BSD on the iron, and install Windows to a virtual machine while network-isolated, no updates, no patches, no AV, though install all necessary applications that are otherwise actually useful, Office stuff, whathaveyou, have a mounted shared folder from the VM on the actual real HD for documents, and then zip the machine before plugging in the net cable. After every use, nuke the VM, unzip a new instance, a freshly clean install in a min. or so... If there's any concern about what's in the shared doc folder, set up a cron on the *nix side to scan it once in a while... or just gmail the documents folder to yourself and let Google disinfect it... but otherwise never update the WinVM, never scan it, never let your processor do anything that isn't actually work. Wash, rinse, repeat... I just never could get the hang of Tuesdays. Though your idea is neat too... presumably you get some nice bug fixes I won't... but my way takes fewer steps and is far more secure... theoretically, of course. Also, I bet anything my unpatched, unupdated system is much, much faster and more responsive, even virtualized, than your fully patched, updated, and periodically virus-scanned system is running on your bare iron. Not ideal for gaming... but this would work in any office environment well, once tweaked so office types don't keep stumbling out of the VM and into the real system, and with a cron nuking the machine every night (or every hour) when they log out.
The Admin and the Engineer
This smells an awful lot like natural selection for biological pathogens - if one is so virulent that it kills the host at the cost of its reproductive ability, it will eventually be replaced by those pathogens that don't kill the host, but affect it as little as possible while borrowing its infrastructure. Neat.