Flame abused Windows Update to spread
Posted on 04.06.2012
You have probably already heard that Microsoft released an out-of-band update that revokes three rogue certificates that were used to sign a couple of modules of the recently discovered Flame (SkyWiper) toolkit.

What you might still not have heard is how two of the malware's modules, namely the ones called "Gadget" and "Munch", were responsible for spreading Flame to other machines on the same network as an already infected one.

Initially, Kaspersky Lab experts thought computers were infected via an unknown 0-day vulnerability, as fully patched Windows 7 machines were being infected over the network in a very suspicious manner.

But then they discovered that these two modules implement a man-in-the-middle (MITM) attack against other computers on the local network.

"When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client," the researchers shared.

This fake update contained a number of files, among them WuSetupV.exe, signed with one of the rogue Microsoft certificates. Because the signature chained to a certificate Windows trusted, the file ran without any warning or interference and dropped Flame onto the targeted machine.

"The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to 'Auto'," the Kaspersky Lab researchers pointed out.

So while it is almost certain that a 0-day flaw is used to infect the initial machine, it is equally certain that Flame has other means of propagating once inside a network.

"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," F-Secure's Chief Research Officer Mikko Hypponen commented.

"I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."

COPYRIGHT 1998-2014 BY HELP NET SECURITY.