BoneKracker, Veteran. Joined: 14 Mar 2006. Posts: 1499. Location: U.S.A.
Posted: Tue Jun 05, 2012 9:10 pm
Post subject: Flame can spread by impersonating Windows Update
One of four or five ways it can spread. This is the general spying malware thought to have been produced by the same people who created Stuxnet (the program which attacked specific industrial control systems). Similarly, Flame seems to be mostly infecting systems in the Middle East, and has been around for five years or so.
Since Obama flapped his lips about Stuxnet to try to take credit, and since security researchers believe Flame was produced by the same people who created Stuxnet, victims of Flame will naturally conclude the U.S. Government has infected their systems (and can, for example, see everything on their screen).
Quote:
> Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft's Windows Update mechanism.
> Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?
> Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company's Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates "signed" by Microsoft.
> Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.
Quote:
> A PC compromised by Flame can sniff a network's NetBIOS information, which identifies each computer, then use that to intercept Windows Update requests by Internet Explorer (IE). Flame claims to be the WPAD (Web Proxy Auto-Discovery Protocol) server -- a system that provides proxy settings to copies of IE on the network -- and sends a malicious WPAD configuration file to the requesting PC.
> As Symantec noted, WPAD hijacking is not new and is, in fact, part of many hacker toolkits.
> The rogue WPAD configuration file modifies the victimized machine's proxy settings so that all Web traffic is routed through the Flame-infected system. On that PC, Flame's Web server, dubbed "Munch," kicks in, detects when the requested URL matches Windows Update's and in return sends a downloader disguised as a legitimate update from Microsoft.
> To complete the ruse, the downloader was one of several compressed files -- crunched into the "cabinet," or ".cab" file format -- bundled into the single Windows Update.
> Once the downloader was installed it retrieved a copy of Flame from the already-infected PC and used it to compromise the computer.
http://www.computerworld.com/s/article/9227736/Researchers_reveal_how_Flame_fakes_Windows_Update

_________________
Oldthinkers unbellyfeel INGSOC.
-- Headline of a document on Winston Smith's terminal in his cubicle at the Ministry of Truth, seen briefly in the background in one scene of the movie rendition of Nineteen Eighty-Four.
pjp, Administrator. Joined: 16 Apr 2002. Posts: 16033. Location: Colorado.
Posted: Tue Jun 05, 2012 10:55 pm
Via Windows Update on an infected network, or something like that.
As long as it has been around, it probably isn't going to get anyone (new) that isn't a target.
However, a derivative...

_________________
lolgov. 'cause where we're going, you don't have civil liberties.
In Loving Memory
1787 - 2008
BoneKracker, Veteran.
Posted: Tue Jun 05, 2012 11:57 pm
Nobody really knows. It's so big and complex it's going to take about a year to fully understand it.
notageek, Tux's lil' helper. Joined: 05 Jun 2008. Posts: 81. Location: Bangalore, India.
Posted: Wed Jun 06, 2012 2:36 am
Tell us something new.

_________________
What looks like a cat, flies like a bat, brays like a donkey, and plays like a monkey?
BoneKracker, Veteran.
Posted: Wed Jun 06, 2012 2:42 am
notageek wrote:
> Tell us something new.

What do you mean?
notageek, Tux's lil' helper.
Posted: Wed Jun 06, 2012 2:45 am
Quote:
> Flame can spread by impersonating Windows Update

Tell us something we don't know or have not experienced before.
This is virus number ... what ... that spreads through a flawed update?
BoneKracker, Veteran.
Posted: Wed Jun 06, 2012 10:40 am
notageek wrote:
> Quote:
> > Flame can spread by impersonating Windows Update
> Tell us something we don't know or have not experienced before.
> This is virus number ... what ... that spreads through a flawed update?

This is not about "flawed updates". It's about a piece of malware that spreads peer-to-peer by pretending to be a Windows Update proxy server, intercepting update requests, then actually firing up a web server using forged SSL certificates to present a fake Windows Update page, then delivering a 20 MiB shit-bomb of malware disguised as an update. And this is only one of four or five ways (known so far) that it can spread.
Mardok45, n00b. Joined: 21 Jun 2008. Posts: 59. Location: Right behind you.
Posted: Wed Jun 06, 2012 11:18 am
BoneKracker wrote:
> notageek wrote:
> > Quote:
> > > Flame can spread by impersonating Windows Update
> > Tell us something we don't know or have not experienced before.
> > This is virus number ... what ... that spreads through a flawed update?
> This is not about "flawed updates". It's about a piece of malware that spreads peer-to-peer by pretending to be a Windows Update proxy server, intercepting update requests, then actually firing up a web server using forged SSL certificates to present a fake Windows Update page, then delivering a 20 MiB shit-bomb of malware disguised as an update. And this is only one of four or five ways (known so far) that it can spread.

This is one of the fascinating points. What were the chances of that happening?
notageek, Tux's lil' helper.
Posted: Wed Jun 06, 2012 12:03 pm
BoneKracker wrote:
> notageek wrote:
> > Quote:
> > > Flame can spread by impersonating Windows Update
> > Tell us something we don't know or have not experienced before.
> > This is virus number ... what ... that spreads through a flawed update?
> This is not about "flawed updates". It's about a piece of malware that spreads peer-to-peer by pretending to be a Windows Update proxy server, intercepting update requests, then actually firing up a web server using forged SSL certificates to present a fake Windows Update page, then delivering a 20 MiB shit-bomb of malware disguised as an update. And this is only one of four or five ways (known so far) that it can spread.

Same thing.
pjp, Administrator.
Posted: Wed Jun 06, 2012 10:49 pm
Mardok45 wrote:
> This is one of the fascinating points. What were the chances of that happening?

Why? Isn't it just related to the Terminal Services CA breach?
BoneKracker, Veteran.
Posted: Fri Jun 08, 2012 1:21 am
pjp wrote:
> Mardok45 wrote:
> > This is one of the fascinating points. What were the chances of that happening?
> Why? Isn't it just related to the Terminal Services CA breach?

Okay, you guys are security gurus, and this is an insignificant piece of malware unworthy of note. /thread
bogamol, Tux's lil' helper. Joined: 01 Nov 2009. Posts: 84. Location: Detroit, Michigan - The Home of Rock and Roll.
Posted: Fri Jun 08, 2012 1:02 pm
I'm interested... don't stop posting them!
BoneKracker, Veteran.
Posted: Fri Jun 08, 2012 1:30 pm
No, I'll let notageek and pjp post stuff about security and malware, since they seem to know more about it and I am obviously mistaking run-of-the-mill crap for something significant. I don't want to make a fool of myself.
notageek, Tux's lil' helper.
Posted: Fri Jun 08, 2012 1:43 pm
Aw, apologies.
dmitchell, Veteran. Joined: 17 May 2003. Posts: 1154. Location: Austin, Texas.
Posted: Fri Jun 08, 2012 4:25 pm
thread fail :lol:

_________________
Your argument is invalid.
pjp, Administrator.
Posted: Sat Jun 09, 2012 5:18 pm
BoneKracker wrote:
> No, I'll let notageek and pjp post stuff about security and malware, since they seem to know more about it and I am obviously mistaking run-of-the-mill crap for something significant. I don't want to make a fool of myself.

You misinterpreted my last comment.
The whole issue seems to stem from a breach of the Terminal Services CA. This seems to be what allowed the unauthorized signing. I was merely wanting to know why Mardok45 thought that was particularly noteworthy. "What are the chances of that happening?" Doesn't seem that implausible to me, given how much effort various groups put into finding vulnerabilities.