Flame malware subverts Windows Updates, infects networked PCs

By on June 5, 2012, 3:30 PM

Flame or Flamer, an admittedly sophisticated piece of malware, appears to have more tricks up its sleeve than security researchers had initially believed. Security firm Kaspersky has discovered that the virus turns infected PCs into Windows Update servers, which can then fool uninfected PCs on the same network into downloading and installing Flame.

The multi-phase attack begins with an infected Windows PC laced with illegitimate security certificates -- certs that appear to be digitally signed by Microsoft. Patient zero then advertises itself across the network as a proxy server, funneling Internet traffic through itself and cementing its man-in-the-middle role. Other Windows computers discover the infected machine and begin automatically using it as a proxy. When those unsuspecting PCs download and install their regularly scheduled Windows Updates, the false proxy answers requests for legitimate updates with its own versions -- packaged installers for Flame.

To spread across a network, Flame relies on "automatically detect [proxy] settings" being active, an option found under Control Panel > Internet Options > Connections. Unfortunately, this option is enabled by default on most Windows installs unless explicitly disabled by the user or through group policy.
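The checkbox described above is Windows' Web Proxy Auto-Discovery (WPAD) feature. As an added example, not code from the article or from Kaspersky, the PowerShell audit below reads that flag from the registry and reports whether the machine would accept a proxy advertised on the LAN the way Flame's infected host advertises itself; the registry paths and flag bits are Windows' own, the script is mine.

```powershell
# Added audit script, not code from the article or from any vendor named in it.
# Reports whether "Automatically detect settings" (WPAD) is active for the current
# user and whether WPAD has been switched off machine-wide. Assumes Windows 7 or
# later with PowerShell 2.0+; read-only, so it is safe to run in a user session.

$connKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$blob = (Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings).DefaultConnectionSettings

# DefaultConnectionSettings is a REG_BINARY blob; byte 8 is a flag bitmask:
#   0x01 direct connection (always set)
#   0x02 manual proxy server configured
#   0x04 use automatic configuration script (PAC URL)
#   0x08 automatically detect settings (WPAD) -- the flag Flame depends on
$flags       = [int]$blob[8]
$autoDetect  = ($flags -band 0x08) -ne 0
$pacScript   = ($flags -band 0x04) -ne 0
$manualProxy = ($flags -band 0x02) -ne 0

Write-Output ("Connection flags byte : 0x{0:X2}" -f $flags)
Write-Output ("Automatically detect  : {0}" -f $autoDetect)
Write-Output ("PAC script configured : {0}" -f $pacScript)
Write-Output ("Manual proxy set      : {0}" -f $manualProxy)

# Machine-wide override: WpadOverride = 1 under this key disables WPAD discovery
# for WinINET/WinHTTP regardless of the per-user checkbox. The value is absent
# unless an administrator has set it.
$wpadKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
$override = (Get-ItemProperty -Path $wpadKey -Name WpadOverride -ErrorAction SilentlyContinue).WpadOverride
if ($override -eq 1) {
    Write-Output 'WPAD disabled machine-wide via WpadOverride.'
} elseif ($autoDetect) {
    Write-Warning 'WPAD auto-detect is active for this user; a rogue proxy on the LAN would be picked up.'
    Write-Output 'To turn it off: Control Panel > Internet Options > Connections > LAN settings.'
}

# The service that performs the discovery for WinHTTP clients; Stopped means
# those clients cannot auto-detect a proxy at all.
Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue | Select-Object Name, Status
```

Running it across a fleet (for example via a logon script) gives a quick inventory of which users still have the default setting Flame relies on.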

Although clever and obviously dangerous, there is little need for panic just yet. Flame remains isolated in the Middle East, and purposefully so, experts believe. The virus further narrows its scope by targeting government networks, meaning everyday Internet users should be safe, at least for the moment.

It is unlikely that you are the target of Flamer unless you are an official in a Middle Eastern government or working on weapons research for such a government. Flamer is not “out there” on the Internet right now, spreading from country to country. You are not likely to find Flamer attached to an email in your Outlook Inbox (USB flash drives seem to be Flamer’s infection vector of choice). And if you are using a good antivirus product it is now protecting you from Flamer. The major AV products were quickly updated to detect Flamer and the better ones will now have generic detection of malware that has “Flamer-like” characteristics.

Even though Flame itself may remain isolated due to its apparent political motivations, don't be surprised if other virus writers try to capitalize on the ingenuity displayed by Flame's numerous modules.

Fooling Windows Update on a PC is no trivial matter, but Flame's designers managed to do something no other malware creator has been known to do thus far -- forge an illegitimate certificate that Windows wholeheartedly believes is signed by Microsoft. According to F-Secure, this has long been the holy grail of malware writers, and it brings with it some potentially scary consequences. This ability is key to Flame's seamless subversion of Windows Update.

User Comments: 15

Mudvayne819 said:

What happens when some good programmer/hacker gets a hand on that thing and modifies it for their needs? Then we will have a real crisis, and the US government who spread that virus will be to blame... what is going to be the punishment... nothing

Tygerstrike said:

@Mud

Sorry, this wasn't spread by the USA or the US Govt. If you do a bit of reading on the Flame issue, you will see that they believe it was produced by Isriel, mainly for spying on the other countries that surround them. And what punishment were you considering valid for the US Govt. when it wasn't the US who either created or spread this particular virus?

Guest said:

Isriel? smh

Chazz said:

No need to respond to him. There are many US haters on the internet. Ignore them.

Guest said:

So basically, if people moved to TLS 1.2 years ago and used decent hash algorithms, and encryption protocols with decent rather than barely useful bit sizes, this would never have happened. MD5 and SHA-1 are too small.

mevans336 said:

So basically, if people moved to TLS 1.2 years ago and used decent hash algorithms, and encryption protocols with decent rather than barely useful bit sizes, this would never have happened. MD5 and SHA-1 are too small.

Until very recently, no browsers even supported TLS 1.2. OpenSSL only added support within the past year.

treetops said:

If someone adapts this and causes real problems, random nerd beatings will soar to record levels. /jokes

Guest said:

Point <> Counterpoint - Just another day here on Earth, people in fear of others create something to attack, defend, monitor, control, etc. and the others create something to attack, defend, monitor, control, etc. and the game continues throughout time and history. Enough is enough...

wiyosaya said:

Point <> Counterpoint - Just another day here on Earth, people in fear of others create something to attack, defend, monitor, control, etc. and the others create something to attack, defend, monitor, control, etc. and the game continues throughout time and history. Enough is enough...

Give the guest a prize! Hit that one right on the head, IMHO.

Guest said:

I would love to know what Microsoft is internally thinking about these guys who managed to fool Windows. I won't be surprised if they are planning, or maybe know more than they let us believe?

Guest said:

It's either made in China or North Korea LOL!!

SNGX1275, TS Forces Special, said:

Just because I feel it should be pointed out, I will do so.

This is not only a proof of concept, it is an exploit "in the wild" although apparently intentionally limited in scope. This is a pretty insane exploit, yet it has almost no comments after over 2 days.

Imagine if this happened on OS X. Oh wait, we don't have to imagine, because a much less harmful thing happened to OS X and the wrath of the PC world came to tech sites all over to comment on it.

Now I do understand the argument that Mac users are smug and think they are invulnerable. But I think that has been gradually dispelled for a couple of years now with more OS X issues. All the while, Windows users have been talking about how great Windows security is since Vista (disregarding how many people still use XP). Well, this hits at the very core of Vista/7's security. Not only does it breach it, it spreads by the most trusted update ever, Windows Update.

Guest said:

Joke user.

It can happen, especially when paid programmers are trying to crack Windows on a daily basis. It is simply more popular, hence more attacks.

Derp user, Joke user is joke.

Still OSX > All

Guest said:

previous guest is clearly David Orcus!

Guest said:

"Windows users have been talking about how great Windows security is since Vista "

Not that I don't disagree with you, but me and my fellow "Windows" users don't ever feel smug about any kind of OS security, no matter what OS we use: Linux, Windows, iOS, Android.

If anything windows users are more aware of the consequences of having a virus/malware (due to years of the platform being a common target for hackers).

Tech aficionados know that security is forever a whack-a-mole process. It is always constant vigilance. You can make a bulletproof system, and someone will just make a better bullet. That's how it's always been since the days of early computing.

For example, there is SELinux, which is supposed to be "secure", but you can bet if there was one dent in the armor, in the kernel or GNU userland modules, or a user has root access to do something and install something, then it can all go by the wayside.

Clearly the Flame virus is serious; if anything, it should make Microsoft take notice and continue the whack-a-mole process.

Security is never static, it is always dynamic.
