Slashdot Mirror


Flame Malware Hijacks Windows Update

wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how." And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
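The NetBIOS name-resolution spoofing the summary describes can be watched for on the wire. The following is an added example, not code from the story or from any of the researchers it cites: it encodes and parses NetBIOS Name Service (RFC 1002) reply packets and flags answers that map a known server name to an unexpected address, or that conflict with another reply to the same lookup. The server name, addresses and packets are all constructed for the example.

```python
# Added example (not from the story): parse NetBIOS Name Service replies
# (RFC 1002) and flag ones that map a known server name to an unexpected
# address, as a spoofing host on the LAN would do. All packets constructed.
import struct

def encode_name(name, suffix=0x20):
    """First-level encode a NetBIOS name: 15 chars space padded + suffix byte."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = b"".join(bytes([(b >> 4) + 0x41, (b & 0xF) + 0x41]) for b in raw)
    return b"\x20" + half + b"\x00"

def decode_name(buf, off):
    """Return (name, suffix, offset_after_name) for an encoded name at off."""
    n = buf[off]
    half = buf[off + 1:off + 1 + n]
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41) for i in range(0, n, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 2 + n

def build_response(txid, name, ip, ttl=300000):
    """Positive name-query response with one NB record (flags: response, AA, RD, RA)."""
    hdr = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0) + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + IPv4
    rr = encode_name(name) + struct.pack(">HHIH", 0x20, 0x01, ttl, len(rdata)) + rdata
    return hdr + rr

def parse_response(pkt):
    """Yield (txid, name, ip) for every NB answer; queries are skipped."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        return
    off = 12
    for _ in range(ancount):
        name, _suffix, off = decode_name(pkt, off)
        rtype, _, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 0x20:
            for i in range(0, rdlen, 6):  # entries are 2 flag bytes + 4 address bytes
                yield txid, name, ".".join(str(b) for b in rdata[i + 2:i + 6])

def find_spoofed(packets, expected):
    """Alerts for answers contradicting expected {name: ip} or each other."""
    alerts, seen = [], {}
    for pkt in packets:
        for txid, name, ip in parse_response(pkt):
            if name in expected and ip != expected[name]:
                alerts.append(f"{name} answered with {ip}, expected {expected[name]}")
            if seen.setdefault((txid, name), ip) != ip:
                alerts.append(f"conflicting replies for {name}, txid {txid:#06x}")
    return alerts
```

Feed it the UDP/137 payloads from a capture and keep `expected` to the handful of names (update proxy, file servers) that clients on the segment should only ever learn from one address.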

20 of 268 comments

  1. whoops by gbjbaanb · · Score: 4, Insightful

    and you thought Conficker was bad!

    1. Re:whoops by devjoe · · Score: 5, Interesting

      Parent post points out what I thought was the most interesting part of the article, that a cryptographic collision attack was used to generate the fake certificate. We've seen multiple articles here about researchers using cryptographic collision attacks against certain ciphers, but, aside from the story about GnuPG short IDs that were only 32 bit hashes, this is the first time I can recall hearing that one was used in the wild against a real security system. Now maybe people will pay attention to what those researchers were saying...

  2. While they're at it by slashmydots · · Score: 5, Interesting

    The security surrounding Windows Update is rather pathetic, certificate or no certificate. It's cost me many, many extra hours and headaches. While they're "hardening up" Windows Update, they should also make a vastly improved repair utility for it. I hate spending all that time removing a virus from a customer computer just to find out at the end that Windows Update is irreparably broken and SFC, their own fixit tool, 3rd-party mass re-registration tools, and registry utilities all cannot fix it, so I have to reinstall. Considering that an OS install is classified as "totaled" if Windows Update no longer works, maybe they should protect it better AND make a flawless, end-to-end reinstaller that resets it to absolute default settings and fully repairs it.

    1. Re:While they're at it by slaker · · Score: 4, Informative

      I get a lot of mileage out of Windows Repair Portable. It restores settings for a large number of issues that don't have a regular, non-painful reset/repair/reinstall option. I've found it particularly handy for fixing the Windows Firewall and Windows updates.

      I'd prefer to do a reinstall under almost all circumstances of malware infection, but that's not always an option available for home or small business systems. I particularly dislike having to rely on Windows System Restore. I really wish modern versions of Windows had a painless repair install that would allow end users to keep programs and settings.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K

    2. Re:While they're at it by Anonymous Coward · · Score: 5, Informative

      Who repairs a Windows install? Really, it's not worth anybody's time. If you're qualified enough to remove a modern rootkit with any real guarantee of future security, then the value of your time spent removing said infection is more than the total cost of a new PC. Not even remotely kidding.

      Installing Windows while recovering user data is fast and easy. Modern rootkits are too good. The only reasonable course of action when you have an infection is wipe and install. - Make sure you clean the boot sector! (It's not a bad idea to use a Linux boot CD/USB flash drive and dd zeros over the first few megabytes of the drive. This will wipe out the boot sector, partition table/disk label/whatever, and any other places low-level nasties generally reside. Plus, your OS installer will see a nice fresh unused drive and will feel free to lay down new partitions as it sees fit, and will not be tempted to do anything stupid like attempt a repair or upgrade.)

  3. Windows? Impervious? by dragisha · · Score: 4, Insightful

    Funny thing to say about any version of Windows.

    Question remains: how come those people are so dumb? Being at de-facto cyberwar with a country, and still using closed-source programs originating from it?

    Another one: be rich and smart enough to have nuclear research, but not smart enough to roll their own IT infrastructure based on code they can audit?

    --
    http://opencm3.net, http://www.nongnu.org/gm2/

    1. Re:Windows? Impervious? by Catbeller · · Score: 4, Interesting

      Flame is using tech that is not Stuxnet-related... this is beyond Israel's and the US's not-so-secret war with Iran. This code means that no Windows machine in the world that uses MS updating will ever be trustworthy... unless you apply a huge dose of collective amnesia and shoulder-shrugging denial.

      Question: is there collusion between some dark back office at MS and the spooks, through which the spooks get digitally signed certificates? Is the "bug" intentional? MS and Apple have been quietly cooperating with the FBI, NSA and the spooks almost since day one... how much? Are we just seeing the corner of the machine?

      Is Linux or BSD safe? I don't mean from a man-in-the-middle attack; I mean a man-under-your-feet attack. What if chip or mobo makers install cracks in the hardware itself, on the order of US (and Chinese) spooks? I don't think we can trust the hardware made in the last ten years or so. We may have to go to printing our mobos someday - and how then would you trust the mobo designs didn't have backdoors in their software, somehow, or in updateable firmware?

      Iran should have known better, but how would they get around using Windows even if they wanted to? The equipment they buy is welded to Microsoft. I doubt there are many open-sourced centrifuge software packages.

  4. TFA says Win 7 64 bit not vulnerable? by Megor1 · · Score: 5, Interesting

    Anyone know what this is about? It's in the last paragraph: "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware." Is that due to driver signing requirements?

    --
    Everyone that disagrees with me is a paid shill

    1. Re:TFA says Win 7 64 bit not vulnerable? by Anonymous Coward · · Score: 5, Informative

      Anyone know what this is about? It's in the last paragraph:
      "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware."

      Is that due to driver signing requirements?

      "Hardware-based DEP (Data Execution Protection), for example, is turned on for all 64-bit processes. Kernel Patch Protection (a.k.a. PatchGuard) protects access to internal operating system data structures. And device drivers must be digitally signed with a certificate issued by a trusted certificate authority. Finally, none of the large body of malware written as 32-bit drivers or any 16-bit code will run at all on 64-bit Windows."

      http://securitywatch.pcmag.com/malware/284281-is-64-bit-windows-safer-than-32-bit

  5. Re:Looks good for Windows 8 sales by gQuigs · · Score: 5, Insightful

    Umm.. the developers behind Flame were able to hijack Windows update, gain access to a Microsoft code signing and website signing key, stay undetected in the wild for at least 2+ years.

    But System Restore 2.0 is going to stop them? Your average piece of malware can survive a system restore...

  6. Re:As Microsoft continues its effort to keep its u by NoNonAlphaCharsHere · · Score: 5, Funny

    I don't think you're being fair. Microsoft has fixed more security holes than all the other software companies on the planet combined. And I have every faith that they will continue to fix thousands and thousands of security holes every year for a long, long time to come.

  7. Re:whoops; ASK SLASHDOT... by The+Mighty+Buzzard · · Score: 4, Funny

    Of course, it's running Windows.

    The preceding was meant tongue-in-cheek but even having said that there'll probably still be Linux/MS fanbois who want to take it seriously and start a flamewar.

    --
    Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.

  8. Driver signing is about DRM, not security by Myria · · Score: 5, Informative

    Is that due to driver signing requirements?

    Driver signing doesn't mean squat for security. Third-party drivers with security holes and back doors are a dime a dozen, and there are even some in Microsoft drivers, of course. I have a publicly-available CPU diagnostic utility that comes with a signed 64-bit driver that allows user mode to write to any desired MSR. That easily leads to arbitrary code execution, most easily by changing the syscall vector. Malware that acquires administrator privileges can just install some company's vulnerable driver.

    Driver signing is really about DRM. Hollywood was strongly concerned about fake video card and sound card drivers being used to dump unencrypted content from protected sources. The proof of my statement is what happens when you boot the Vista/7/8 kernel in debug or test signing mode: everything works except Blu-Ray movies and other DRM content.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager

  9. Re:whoops; ASK SLASHDOT... by Razgorov+Prikazka · · Score: 5, Funny

    Well, I am not an expert on the topic but there are a few things you might want to consider before you get all overexcited on that...
    First, there are hardly any infections outside the Arab-world. (my guess is that it just takes a look at the keyboard driver in use) Going by your username you're not an Arab guy.
    Second, the virus seems to be activated by some kind of a human operator, and well... you are probably not important enough (read: high level nuke scientist or something)
    Third, this thing has been in the wild since 2010, maybe even as early as 2007, and you didn't get infected in all the updates since then (I assume), or it is too late anyway.
    Fourth, you use Windows and then ask if you might catch a virus? Seriously?
    Fifth, to be absolutely safe: format your HD a couple of times, get OpenBSD on it with a strong root password (at least 128 characters), get the battery out and pack the thing in a lead box with walls at least 5 inches thick, fill the rest of the box with epoxy and bury the whole thing at a depth of at least 10 feet... on Pluto...

    --
    rm -rf --no-preserve-root / ...and let /dev/null sort them out...

  10. Sell them system images by zerofoo · · Score: 4, Informative

    You may want to build system images of important machines and just "re-image" after a virus infection. I do that with the few Windows machines we have here.

    Clonezilla is fantastic for this. It's free and it makes simple images that can be stored on any file share. It doesn't yet image to drives smaller than the original source machine, but I'm confident they will add that in the future. For now, I image to drives equal in size or larger.

    Sure Acronis, Ghost and the like work as well, but it's hard to argue with free.

    -ted

  11. Re:Looks good for Windows 8 sales by Mashiki · · Score: 4, Informative

    Indeed certificate revocations went out on the 3rd.
    http://support.microsoft.com/kb/2718704

    And as you've said, system restore 2.0 won't stop them. And malware survives? It gets worse than that: some of the more vicious ones inject themselves right into the SR backup and edit the backed-up hive. Unless you can remove it fully, you're kinda shot. Which can also mean disabling SR.

    --
    Om, nomnomnom...

  12. Certificate was revoked by an emergency patch by VGPowerlord · · Score: 5, Informative

    I saw an article about this already on Ars Technica. However, Ars included one detail that the Slashdot and Security Week stories don't:
    Microsoft issued an emergency update Sunday that updated the Windows Certificate Revocation List specifically to expire the certificate used by this exploit.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011

  13. Re:Wait until someone does the same with UEFI by green1 · · Score: 5, Insightful

    That's just not the way malware works any more.
    Early viruses were great: they did something obvious like put dialog boxes on your screen, ask for cookies, wipe your hard drive, or other obvious malicious behaviour. This was a good thing because it meant that they would never really spread that far; once infected, people knew they were infected, and the infection caused enough trouble to be worth fixing.
    Modern malware is a completely different beast. The goal of modern malware is to be unnoticed by the end user so as to live as long as possible in the machine, and spread to as many others as possible, usually with the goal of leeching bandwidth from these machines for use in various botnets. As such, malware that causes your machine not to boot would defeat the purpose of modern malware. A machine that isn't booted up will not join a botnet, and will not spread to other machines.

    What is more likely is that the virus writers will intercept the keys used by UEFI, manage to sign their own bootloader, and still run Windows in a way that the average end user can't tell the difference. This will make the virus almost impossible to remove, as it will then have more access to the system than even the operating system itself does. On the bright side, once the UEFI keys are in the wild, the various free operating systems can use those same keys to sign their own bootloaders, allowing people to run non-Windows software in a signed way on Windows-only hardware (call it jailbroken...)

  14. Re:So should I... by green1 · · Score: 5, Informative

    The answer to that has been a resounding yes ever since NetBIOS was introduced. It was always a Windows-only way of doing things that already had other non-proprietary standard ways of being accomplished. It has also been a vector for various malware over the years.

  15. Yes but make sure you UPDATE after reinstall by Burz · · Score: 4, Informative

    ...Oh, wait.

    OTOH, go to a network with no Windows systems, download update containing certificate revocations, and burn to CD before reinstalling and updating.