You have probably already heard that Microsoft released an out-of-band update that revokes three rogue certificates that were used to sign a couple of modules of the recently discovered Flame (SkyWiper) toolkit. What you might still not have heard is how some of the malware's modules - namely ones called "Gadget" and "Munch" - were responsible for spreading Flame to other machines in the same network as an already infected one.
Initially, Kaspersky Lab experts thought computers were infected via an unknown 0-day vulnerability, as fully patched Windows 7 machines were being infected over the network in a very suspicious manner.
But then they discovered that the aforementioned two modules implemented a MITM attack against other computers in their own network.
"When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client," the researchers shared.
This fake update contained a number of files, and among them was WuSetupV.exe, signed by one of the rogue Microsoft certificates, which allowed it to be run without warning or interference, and drop Flame into the targeted machine.
"The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to 'Auto'," the Kaspersky Lab researchers pointed out.
So, while the existence of a 0-day flaw that is misused to infect the initial machine is almost certain, it's equally certain that Flame has other means of propagating once it is inside a network.
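The precondition Kaspersky describes - the victim's system proxy set to "Auto" - is something a defender can audit. The script below is an added example written for this page, not code from the article, Kaspersky or Microsoft. It parses the per-user WinINET `DefaultConnectionSettings` registry blob (assumed layout: version, counter, then a 32-bit flag word at offset 8 where 0x08 means "Automatically detect settings", followed by three length-prefixed strings for proxy, bypass list and PAC URL) and reports whether the host would honour a WPAD announcement from its LAN. The `build_blob` helper and the sample values it produces are constructed for offline testing; on a Windows host `read_live_blob` reads the real value.

```python
"""Audit whether a Windows host has proxy auto-detection (WPAD) switched on.

Added example; assumed DefaultConnectionSettings layout, not the article's code.
"""
import struct

# Flag bits at offset 8 of DefaultConnectionSettings (assumed layout).
FLAG_DIRECT = 0x01          # direct connection allowed
FLAG_MANUAL_PROXY = 0x02    # explicit proxy host:port configured
FLAG_AUTOCONFIG_URL = 0x04  # fixed PAC script URL configured
FLAG_AUTODETECT = 0x08      # "Automatically detect settings" -> WPAD lookups

REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"


def _read_lpstr(buf, off):
    """Read a 32-bit little-endian length followed by that many bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    s = buf[off + 4: off + 4 + n].decode("latin-1")
    return s, off + 4 + n


def parse_connection_settings(blob):
    """Decode the blob into a dict of the settings a defender cares about."""
    if len(blob) < 12:
        raise ValueError("DefaultConnectionSettings blob too short")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac_url, off = _read_lpstr(blob, off)
    return {
        "version": version,
        "change_counter": counter,
        "flags": flags,
        "autodetect": bool(flags & FLAG_AUTODETECT),
        "manual_proxy": proxy if flags & FLAG_MANUAL_PROXY else "",
        "bypass": bypass,
        "pac_url": pac_url if flags & FLAG_AUTOCONFIG_URL else "",
    }


def assess(settings):
    """Return (risky, reason): risky when the host will trust a LAN WPAD answer."""
    if settings["autodetect"]:
        return True, ("proxy auto-detect is enabled: a rogue WPAD announcement on "
                      "this network could route Windows Update through an attacker")
    return False, "proxy auto-detect is off; WPAD announcements are ignored"


def build_blob(flags, proxy=b"", bypass=b"", pac=b"", version=0x46, counter=1):
    """Constructed helper: build a sample blob in the assumed layout for testing."""
    out = struct.pack("<III", version, counter, flags)
    for s in (proxy, bypass, pac):
        out += struct.pack("<I", len(s)) + s
    return out + b"\x00" * 32  # trailing padding seen in real values


def read_live_blob():
    """Read the real value on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
        value, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
    return value


if __name__ == "__main__":
    blob = read_live_blob()
    if blob is None:
        # Not on Windows: demonstrate with a constructed default-like blob (0x09 = direct + autodetect).
        blob = build_blob(FLAG_DIRECT | FLAG_AUTODETECT)
    parsed = parse_connection_settings(blob)
    risky, why = assess(parsed)
    print(parsed)
    print("RISK" if risky else "OK", "-", why)
```

This covers only the per-user WinINET settings that Internet Explorer and most desktop applications use; the Windows Update service itself goes through WinHTTP, whose proxy configuration is separate (inspect it with `netsh winhttp show proxy`), so treat a clean result here as one check among several, and pair it with DNS monitoring for unexpected `wpad` answers and a policy that disables auto-detect where no legitimate WPAD server exists.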
"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," F-Secure's Chief Research Officer Mikko Hypponen commented.
"I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."