Flame malware subverts Windows Updates, infects networked PCs

Rick


Flame or Flamer, an admittedly sophisticated piece of malware, appears to have more tricks up its sleeve than security researchers had initially believed. Security firm Kaspersky has discovered that the virus turns infected PCs into Windows Update servers which may then fool uninfected PCs into downloading and installing Flame.

The multi-phase attack begins with an infected Windows PC laced with illegitimate security certificates -- certs which appear to be digitally signed by Microsoft. Patient zero then advertises itself across the network as a proxy server, funneling Internet traffic through itself and cementing its man-in-the-middle role. Other Windows computers discover the infected computer and begin automatically using it as a proxy. When those unsuspecting PCs begin to download and install their regularly scheduled Windows Updates, the false proxy server substitutes its own versions -- packaged installers for Flame -- for the legitimate updates they requested.

To spread across a network, Flame relies on "automatically detect [proxy] settings" being active, an option found under Control Panel > Internet Options > Connections. Unfortunately, this option is enabled by default on most Windows installs unless explicitly disabled by the user or through group policies.
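A defender-side check for the setting this paragraph names, added here as an example and not part of the original story: it decodes the per-user DefaultConnectionSettings registry blob behind Internet Options > Connections and flags hosts where "Automatically detect settings" is on. The blob layout and flag bits are assumptions taken from community documentation of that key, not from the article, and the sample blob used offline is constructed.

```python
import struct
import sys

# Flag bits at offset 8 of DefaultConnectionSettings. The layout (version,
# counter, flags, three length-prefixed strings) is taken from community
# documentation of the key, not from the article, so verify it on your hosts.
FLAG_MANUAL_PROXY, FLAG_AUTOCONFIG_SCRIPT, FLAG_AUTODETECT = 0x02, 0x04, 0x08

def parse_connection_settings(blob: bytes) -> dict:
    """Decode the flags word and the proxy, bypass-list and PAC-URL strings."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset, strings = 12, []
    for _ in range(3):
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        strings.append(blob[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return {"version": version, "counter": counter, "flags": flags,
            "proxy_server": strings[0], "bypass_list": strings[1],
            "autoconfig_url": strings[2],
            "autodetect": bool(flags & FLAG_AUTODETECT),
            "manual_proxy": bool(flags & FLAG_MANUAL_PROXY)}

def build_connection_settings(flags, proxy=b"", bypass=b"", url=b"") -> bytes:
    """Constructed sample blob for offline testing (version 0x46, counter 1)."""
    out = struct.pack("<III", 0x46, 1, flags)
    for s in (proxy, bypass, url):
        out += struct.pack("<I", len(s)) + s
    return out + b"\x00" * 32

def audit(blob: bytes) -> list:
    """Findings a defender wants: WPAD auto-detect on, or a manual proxy to vet."""
    s = parse_connection_settings(blob)
    findings = []
    if s["autodetect"]:
        findings.append("auto-detect (WPAD) enabled: a rogue LAN proxy could "
                        "intercept Windows Update traffic; disable it by policy")
    if s["manual_proxy"] and s["proxy_server"]:
        findings.append(f"manual proxy {s['proxy_server']}: confirm it is sanctioned")
    return findings

if __name__ == "__main__":
    if sys.platform == "win32":  # read the live per-user value on a Windows host
        import winreg
        path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            blob, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
    else:                        # constructed blob: direct connection + auto-detect
        blob = build_connection_settings(0x01 | FLAG_AUTODETECT)
    print("\n".join(audit(blob) or ["no findings"]))
```

On a domain, the same flag is what the "Disable caching of Auto-Proxy scripts" and proxy-settings policies under Internet Explorer administrative templates control, so the script is a spot check, not a substitute for the policy.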

Although clever and obviously dangerous, there's little need for panic just yet. Flame continues to be isolated in the Middle East and purposefully so, experts believe. The virus also further narrows its scope by targeting government networks, meaning everyday Internet citizens should be safe, at least for the moment. 

It is unlikely that you are the target of Flamer unless you are an official in a Middle Eastern government or working on weapons research for such a government. Flamer is not “out there” on the Internet right now, spreading from country to country. You are not likely to find Flamer attached to an email in your Outlook Inbox (USB flash drives seem to be Flamer’s infection vector of choice). And if you are using a good antivirus product it is now protecting you from Flamer. The major AV products were quickly updated to detect Flamer and the better ones will now have generic detection of malware that has “Flamer-like” characteristics.

Even though Flame may itself remain in isolation due to apparent political motivations, don't be surprised if other virus writers try to capitalize on the ingenuity displayed by Flame's numerous modules.

Fooling Windows Update on a PC is no trivial matter, but Flame's designers managed to do something that no other malware creator has been known to do thus far -- make an illegitimate certificate which Windows wholeheartedly believes is signed by Microsoft. This has long been the holy grail of malware writers, according to F-Secure, and it brings with it some potentially scary consequences. This ability of Flame is key to its seamless subversion of Windows Update.


 
What happens when some good programmer/hacker gets a hand on that thing and modifies it for their needs? Then we will have a real crisis, and the US government who spread that virus will be to blame... What is going to be the punishment... nothing.
 
@Mud

Sorry, this wasn't spread by the USA or the US Govt. If you do a bit of reading on the Flame issue, you will see that they believe it was produced by Israel, mainly for spying on the other countries that surround them. And what punishment were you considering valid for the US Govt. when it wasn't the US who either created or spread this particular virus?
 
So basically, if people moved to TLS 1.2 years ago and used decent hash algorithms, and encryption protocols with decent rather than barely useful bit sizes, this would never have happened. MD5 and SHA-1 are too small.
 
"So basically, if people moved to TLS 1.2 years ago and used decent hash algorithms, and encryption protocols with decent rather than barely useful bit sizes, this would never have happened. MD5 and SHA-1 are too small."

Until very recently, no browsers even supported TLS 1.2. OpenSSL only added support within the past year.
 
If someone adapts this and causes real problems, random nerd beatings will soar to record levels. /jokes
 
Point <> Counterpoint - Just another day here on Earth, people in fear of others create something to attack, defend, monitor, control, etc. and the others create something to attack, defend, monitor, control, etc. and the game continues throughout time and history. Enough is enough...
 
"Point <> Counterpoint - Just another day here on Earth, people in fear of others create something to attack, defend, monitor, control, etc. and the others create something to attack, defend, monitor, control, etc. and the game continues throughout time and history. Enough is enough..."
Give the guest a prize! Hit that one right on the head, IMHO.
 
I would love to know what Microsoft is internally thinking about these guys who managed to fool Windows. I won't be surprised if they are planning, or maybe know more than they let us believe?
 
Just because I feel it should be pointed out, I will do so.

This is not only a proof of concept, it is an exploit "in the wild" although apparently intentionally limited in scope. This is a pretty insane exploit, yet it has almost no comments after over 2 days.

Imagine if this happened on OS X. Oh wait, we don't have to imagine, because a much less harmful thing happened to OS X and the wrath of the PC world came to tech sites all over to comment on it.

Now I do understand the argument that Mac users are smug and think they are invulnerable. But I think that has been gradually dispelled for a couple of years now with more OS X issues. All the while Windows users have been talking about how great Windows security is since Vista (disregarding how many people still use XP). Well, this hits at the very core of Vista/7's security. Not only does it breach it, it spreads by the most trusted update ever, Windows Update.
 
Joke user.

It can happen, especially when paid programmers are trying to crack Windows on a daily basis. It is simply more popular, hence more attacks.

Derp user, Joke user is joke.

Still OSX > All
 
"Windows users have been talking about how great Windows security is since Vista "

Not that I don't disagree with you, but me and my fellow "Windows" users don't ever feel smug about any kind of OS security, no matter what OS we use: Linux, Windows, iOS, Android.
If anything, Windows users are more aware of the consequences of having a virus/malware (due to years of the platform being a common target for hackers).

Tech aficionados know that security is forever a whack-a-mole process. It is always constant vigilance. You can make a bulletproof system, and someone will just make a better bullet. That's how it's always been since the days of early computing.

For example, there is SELinux, which is supposed to be "secure", but you can bet if there was one dent in the armor, in the kernel or GNU userland modules, or a user has root access to do something and install something, then it can all go by the wayside.

Clearly the Flame virus is serious; if anything, it should make Microsoft take notice and continue the whack-a-mole process.

Security is never static, it is always dynamic.
 