Few of the people you or I know need to worry about a Flame malware attack -- unless you know a lot of Iranian bureaucrats. But the technology behind the attack -- details of which are only starting to surface -- should have all of us concerned. Not just about the sophisticated cracking techniques employed, but about the tools we use and rely on all the time.

Yes, I'm talking specifically about WSUS and Microsoft's Automatic Update. F-Secure's Mikko Hypponen (who has been known to succumb to hyperbole from time to time) calls it "the nightmare scenario." According to his News from the Lab blog, "Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system.
If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root. Except it isn't signed really by Microsoft."

Sunday night, Microsoft pushed through an out-of-band patch known as SA 2718704 that effectively killed three root certificates that had been compromised by the Flame throwers. That raises at least two painfully obvious questions: If Microsoft didn't give the certificates to the people who made Flame, how did the bad guys get them? And what can be done to prevent the same thing from happening again?

We aren't talking about a break-in at a small Comodo certificate-issuing authority in the Netherlands.
These are, as Mikko says, the certificates that validate WSUS patches -- Microsoft Update's family jewels.

Yesterday the Microsoft Security Response Center posted an update to the Security Advisory that says, "The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack."

Permit me to translate that into English.
A "cryptographic collision attack" is a brute-force approach to cracking a hashing method, where the attacker guesses at a whole bunch of input strings, runs the hashing algorithm, and compares the result to the real hash. If the hashes match, then the original strings matched. Sophisticated guessing techniques can be employed, but in general cracking not one, but three original Microsoft certificates must've taken eons of computing time. There's still a lot of confusion about exactly how the Flame folks used the collision attack.
Microsoft's statement is subject to a lot of interpretation. Dan Goodin has an analysis on Ars Technica. As Microsoft rightly notes, just having the certs isn't good enough. In order to subvert WSUS/Windows Update for a site, the person with the cracked certs has to be able to insert themselves between the site's network and the Microsoft update servers: a man-in-the-middle attack.
In some countries, that's certainly possible for any organization that has influence over local DNS servers. In general, though, it's a highly nontrivial exercise. But working inside a network, man-in-the-middle may not be so difficult. Alex Gostev at Kaspersky Lab has started peeling away at Flame and discovered that fully patched Windows 7 machines running on a network with one Flame-infected machine were getting infected "in a very suspicious manner. When a machine tries to connect to Microsoft's Windows Update, [Flame] redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client." That's the man in the middle.
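The redirection Kaspersky describes leaves a trace a defender can look for: an update hostname that resolves to, or is fetched from, an address inside the organization's own network rather than Microsoft's. The following is an added example (not code from the article, InfoWorld, Kaspersky or Microsoft) that scans a constructed DNS/proxy log for exactly that; the update hostnames, the WSUS server name `wsus.corp.example`, its pinned address and the log format are all assumptions to be replaced with your own.

```python
import ipaddress
import re

# Public update endpoints (assumption: adjust to the vendor's documented list)
# and the organisation's own WSUS server with its one expected address.
UPDATE_HOSTS = ("windowsupdate.microsoft.com", "update.microsoft.com", "windowsupdate.com")
TRUSTED_WSUS = {"wsus.corp.example": ipaddress.ip_address("10.0.0.5")}  # assumption

# Address space in which a public update hostname should never resolve (RFC 1918,
# loopback, link-local): an answer here means a LAN peer is posing as the update server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log format: "<timestamp> client=<ip> host=<name> dst=<ip>".
LINE_RE = re.compile(r"^\S+ client=(?P<client>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)")

def is_update_host(host):
    # Match the endpoint itself or any subdomain of it, case-insensitively.
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in UPDATE_HOSTS)

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def check_line(line):
    """Return a finding string for one log line, or None if it looks legitimate."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not flagged
    host, client, dst = m["host"], m["client"], ipaddress.ip_address(m["dst"])
    if host in TRUSTED_WSUS:  # the internal WSUS must come from its pinned address
        expected = TRUSTED_WSUS[host]
        return None if dst == expected else f"{client}: {host} served from {dst}, expected {expected}"
    if is_update_host(host) and is_internal(dst):
        return f"{client}: {host} redirected to internal address {dst}"
    return None

def scan(lines):
    return [f for f in map(check_line, lines) if f]

# Constructed sample log; 203.0.113.10 (a documentation address) stands in for a real update server.
SAMPLE_LOG = """\
2012-06-04T10:01:02 client=10.0.1.21 host=windowsupdate.microsoft.com dst=203.0.113.10
2012-06-04T10:01:05 client=10.0.1.22 host=download.windowsupdate.com dst=10.0.1.40
2012-06-04T10:01:09 client=10.0.1.23 host=wsus.corp.example dst=10.0.0.5
2012-06-04T10:01:12 client=10.0.1.24 host=wsus.corp.example dst=10.0.1.40
2012-06-04T10:01:15 client=10.0.1.25 host=www.example.com dst=10.0.1.40"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log the second and fourth lines are flagged: one workstation fetching Windows Update content from another workstation, and one reaching a host calling itself the WSUS server at the wrong address.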
What can you do to protect yourself? Get SA 2718704 installed, of course. SANS Internet Storm Center gives a manual patching procedure if you don't feel comfortable applying the update. More than that, you need to be aware of the fact that some very, very smart people, using an enormous amount of computing power, were able to subvert some of the most trusted authentication certificates -- and techniques -- that we have. The bad guys just got a leg up.

This story, "Tech behind Flame attack could compromise Microsoft Update," was originally published at InfoWorld.com.