Flame Malware Hijacks Windows Update 268
wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how."
And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
Re:While they're at it (Score:5, Informative)
I get a lot of mileage out of Windows Repair Portable [majorgeeks.com]. It restores settings for a large number of issues that don't have a regular, non-painful reset/repair/reinstall option. I've found it particularly handy for fixing the Windows Firewall and Windows updates.
I'd prefer to do a reinstall under almost all circumstances of malware infection, but that's not always an option available for home or small business systems. I particularly dislike having to rely on Windows System Restore. I really wish modern versions of Windows had a painless repair install that would allow end users to keep programs and settings.
Re:TFA says Win 7 64 bit not vulnerable? (Score:5, Informative)
Anyone know what this is about it's in the last paragraph
"It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware."
Is that due to driver signing requirements?
"Hardware-based DEP (Data Execution Protection), for example, is turned on for all 64-bit processes. Kernel Patch Protection (a.k.a. PatchGuard) protects access to internal operating system data structures. And device drivers must be digitally signed with a certificate issued by a trusted certificate authority. Finally, none of the large body of malware written as 32-bit drivers or any 16-bit code will run at all on 64-bit Windows."
http://securitywatch.pcmag.com/malware/284281-is-64-bit-windows-safer-than-32-bit
Driver signing is about DRM, not security (Score:5, Informative)
Is that due to driver signing requirements?
Driver signing doesn't mean squat for security. Third-party drivers with security holes and back doors are a dime a dozen, and there are even some in Microsoft drivers, of course. I have a publicly-available CPU diagnostic utility that comes with a signed 64-bit driver that allows user mode to write to any desired MSR. That easily leads to executing arbitrary code execution, most easily by changing the syscall vector. Malware that acquires administrator privileges can just install some company's vulnerable driver.
Driver signing is really about DRM. Hollywood was strongly concerned about fake video card and sound card drivers being used to dump unencrypted content from protected sources. The proof of my statement is what happens when you boot the Vista/7/8 kernel in debug or test signing mode: everything works except Blu-Ray movies and other DRM content.
Re:whoops; ASK SLASHDOT... (Score:4, Informative)
Otherwise, that security update was probably Microsoft's emergency blacklisting of the signing keys that were used to make the Flame components pass as MS-signed software...
Comment removed (Score:5, Informative)
Re:Looks good for Windows 8 sales (Score:5, Informative)
Indeed certificate revocations went out on the 3rd.
http://support.microsoft.com/kb/2718704 [microsoft.com]
And as you've said, system restore 2.0 won't stop them. And malware survive? It gets worse than that, some of the more vicious ones inject themselves right into the SR backup, and edit the backed up hive. Unless you can remove it fully, you're kinda shot. Which can also mean disabling SR.
Certificate was revoked by an emergency patch (Score:5, Informative)
I saw an article about this already on Ars Technica. However, Ars included one detail that the Slashdot and Security Week stories don't:
Microsoft issued an emergency update [technet.com] Sunday that updated the Windows Certificate Revocation List specifically to expire the certificate used by this exploit.
Re:While they're at it (Score:5, Informative)
Who repairs a windows install? Really, it's not worth anybody's time. If you're qualified enough to remove a modern rootkit with any real guarantee of future security, then the value of your time spent removing said infection is more than the total cost of a new PC. Not even remotely kidding.
Installing windows while recovering user data is fast and easy. Modern rootkits are too good. The only reasonable course of action when you have an infection is wipe and install. - Make sure you clean the boot sector! (It's not a bad idea linux boot cd/usb flash drive and dd zeros over the first few megabytes of the drive. This will wipe out the boot sector, partition table/disk label/whatever, and any other places low level nasties generally reside. Plus, your OS installer will see a nice fresh unused drive and will feel free to lay down new partitions as it sees fit, and will not be tempted to do anything stupid like attempt a repair or upgrade)
Re:Known fix for this problem... (Score:4, Informative)
Hindsight is when something is obvious in retrospect. a paper published before the infection is not hindsight, but foresight.
That said, I love how clicking on the link to a paper about a security vulnerability leads to my browser giving a security certificate warning....
Re:So should I... (Score:5, Informative)
The answer to that has been a resounding yes ever since NetBIOS was introduced. It was always a windows only way of doing things that already had other non-proprietary standard ways of being accomplished. It has also been a vector for various malware over the years.
Re:whoops (Score:4, Informative)
So your claim is that because no safe is absolutely unbreakable, you should just put your money out on the curb in a pile and call it good?
If Windows is a piggy bank, Linux is at least a lockbox. Neither is invulnerable, but one is clearly more secure than the other.
As for why, MS managed to lose control of (or whore out) the one true cert that all Windows installations are dependent on. In spite of that being public knowledge they haven't revoked it.
So there you have it, Windows is a piggy bank guarded by a crack ho :-)
Re:whoops (Score:4, Informative)
The certificates weren't legit. Whoever created them used a vunrability in the signing algorithm for the MS Terminal Services license cert to make it look like they had a certificate from Microsoft.
Stupid coding by MS but it doesn't show that they were complicit in the release of Flame.
Yes but make sure you UPDATE after reinstall (Score:5, Informative)
...Oh, wait.
OTOH, go to a network with no Windows systems, download update containing certificate revocations, and burn to CD before reinstalling and updating.