
Flame Malware Hijacks Windows Update

wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how." And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
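The Snack module described above works because NetBIOS name resolution lets any host on the segment answer a broadcast name query, so a client can be pointed at an attacker's box before it ever reaches Windows Update. The script below is an added example written for this thread, not code from the story, Kaspersky or Symantec: it parses NetBIOS name-service (UDP/137, RFC 1002) packets and flags two things a defender would watch for in a capture, an answer that matches no earlier query and a name that gets answers from more than one host. Every packet, host name and address in it is constructed for illustration.

```python
"""Spot NetBIOS name-service (NBNS, UDP/137) spoofing in a packet capture.

Added example for this thread; it is not code from the story, Kaspersky or
Symantec. Packet layout and the first-level name encoding follow RFC 1002;
every packet, host name and address below is constructed for illustration.
"""
import struct
from collections import defaultdict

NB_TYPE = 0x0020        # NB resource-record type
IN_CLASS = 0x0001
FLAG_RESPONSE = 0x8000  # QR bit in the NBNS header flags


def encode_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: 16 raw bytes -> 32 letters A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray([32])
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    out.append(0)
    return bytes(out)


def decode_name(data, offset):
    """Inverse of encode_name; returns (name, suffix, offset past the name)."""
    enc = data[offset + 1: offset + 33]
    raw = bytearray()
    for i in range(0, 32, 2):
        raw.append(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A")))
    return raw[:15].decode("ascii").rstrip(), raw[15], offset + 34


def build_query(txid, name):
    flags = 0x0110  # opcode QUERY, recursion desired, broadcast
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def build_response(txid, name, ip, ttl=300000):
    flags = 0x8500  # response, authoritative answer
    hdr = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0) + bytes(int(x) for x in ip.split("."))
    rr = encode_name(name) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return hdr + rr


def parse_nbns(pkt):
    """Parse the header, the name and (for answers) the NB addresses."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    name, suffix, off = decode_name(pkt, 12)
    parsed = {"txid": txid, "response": bool(flags & FLAG_RESPONSE), "name": name, "addrs": []}
    if parsed["response"] and an >= 1:
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        for i in range(0, rdlen, 6):      # each entry: 2 bytes NB_FLAGS + 4 bytes IPv4
            parsed["addrs"].append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return parsed


def detect_spoofing(packets):
    """packets: list of (source_ip, raw_nbns_bytes) in capture order.

    Two cheap indicators of a rogue name-server on the segment:
      1. an answer whose transaction id matches no query seen earlier;
      2. one name answered by more than one source host.
    """
    pending = {}                    # txid -> queried name
    answerers = defaultdict(set)    # name -> {source ip of each answer}
    alerts = []
    for src, raw in packets:
        p = parse_nbns(raw)
        if not p["response"]:
            pending[p["txid"]] = p["name"]
            continue
        if p["txid"] not in pending:
            alerts.append("unsolicited answer for %s from %s" % (p["name"], src))
        answerers[p["name"]].add(src)
    for name, sources in answerers.items():
        if len(sources) > 1:
            alerts.append("conflicting answers for %s from %s" % (name, sorted(sources)))
    return alerts


# Constructed capture: a client asks for WSUS01, the real host answers, a second
# host answers the same query, and a third answer arrives that nobody asked for.
SAMPLE_PACKETS = [
    ("192.168.1.10", build_query(0x1234, "WSUS01")),
    ("192.168.1.5",  build_response(0x1234, "WSUS01", "192.168.1.5")),
    ("192.168.1.66", build_response(0x1234, "WSUS01", "192.168.1.66")),
    ("192.168.1.66", build_response(0x9999, "FILESRV", "192.168.1.66")),
]

if __name__ == "__main__":
    for line in detect_spoofing(SAMPLE_PACKETS):
        print(line)
```

Run against the constructed capture it prints one alert for the unsolicited FILESRV answer and one for the two hosts both claiming WSUS01. On a real network you would feed it the UDP/137 payloads from a capture tool; the same two rules are what makes a rogue responder stand out, since a legitimate segment has exactly one owner per name and no answers without questions.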
  • whoops (Score:5, Insightful)

    by gbjbaanb ( 229885 ) on Tuesday June 05, 2012 @01:41PM (#40222001)

    and you thought Conficker was bad!

  • by dragisha ( 788 ) <dragisha@noSpAM.m3w.org> on Tuesday June 05, 2012 @01:46PM (#40222071)

    Funny thing to say about any version of Windows.

    Question remains: how come those people are so dumb? Being at de-facto cyberwar with a country, and still using closed-source programs originating from it?

    Another one: Be rich and smart enough to have nuclear research, but not smart enough to roll their own IT infrastructure based on code they can audit?

  • by gQuigs ( 913879 ) on Tuesday June 05, 2012 @01:53PM (#40222173) Homepage

    Umm.. the developers behind Flame were able to hijack Windows update, gain access to a Microsoft code signing and website signing key, stay undetected in the wild for at least 2+ years.

    But System Restore 2.0 is going to stop them? Your average piece of malware can survive a system restore...

  • by cowboy76Spain ( 815442 ) on Tuesday June 05, 2012 @02:18PM (#40222515)

    To be fair, a malware writer could not care less if their software breaks 10-20% of the PCs it attempts to hijack.

    Make MS brick 5% and the cost to them could be astronomical.

    So, it is not symmetric warfare.

  • Re:whoops (Score:0, Insightful)

    by Anonymous Coward on Tuesday June 05, 2012 @02:23PM (#40222581)

    Because Linux is better? Unhackable? Impervious?

    Obvious mechanisms exist to secure any OS. How is this targeted attack vector any better/worse than any other targeted attack vector that would be pointed at *insert your favorite OS of choice*?

    If you can't trust Windows, how can you - with a straight face - say you can trust Linux, Mac, Android, BB, etc? Unless you personally verify - and understand - every line of code in your OS - which I KNOW you don't do - how can you say your choice of OS is any better?

  • by dave562 ( 969951 ) on Tuesday June 05, 2012 @02:47PM (#40222925) Journal

    When Windows Update was introduced, the first thought to go through my mind was, "I wonder how long until someone compromises this and uses it to push out malware." It took a lot longer than I thought.

  • by green1 ( 322787 ) on Tuesday June 05, 2012 @02:51PM (#40223003)

    That's just not the way malware works any more.
    Early viruses were great, they did something obvious like put dialog boxes on your screen, ask for cookies, wipe your hard drive, or other obvious malicious behaviour. This was a good thing because it meant that they would never really spread that far because once infected, people knew they were infected, and the infection caused enough trouble to be worth fixing.
    Modern malware is a completely different beast. The goal of modern malware is to be unnoticed by the end user so as to live as long as possible in the machine, and spread to as many others as possible, usually with the goal of leeching bandwidth from these machines for use in various botnets. As such, malware that causes your machine not to boot would defeat the purpose of modern malware. A machine that isn't booted up will not join a botnet, and will not spread to other machines.

    What is more likely is that the virus writers will intercept the keys used by UEFI, manage to sign their own bootloader, and still run Windows in a way that the average end user can't tell the difference. This will make the virus almost impossible to remove as it will then have more access to the system than even the operating system itself does. On the bright side, once the UEFI keys are in the wild, the various free operating systems can use those same keys to sign their own bootloaders, allowing people to run non-Windows software in a signed way on Windows-only hardware (call it jailbroken...)

  • by julian67 ( 1022593 ) on Tuesday June 05, 2012 @04:07PM (#40224265)

    Iran is an Arab country now? Did anybody let them know? The rest of the comment is unfounded speculation and recycled nonsense. To everyone who modded "informative": doh!

  • by Medievalist ( 16032 ) on Tuesday June 05, 2012 @04:28PM (#40224583)

    Iran is an Arab country now? Did anybody let them know?

    Most Americans can't understand the differences between Persia and East Boise.

  • by cavreader ( 1903280 ) on Tuesday June 05, 2012 @04:35PM (#40224709)

    I think it may be better to say it is an attack targeted at specific regions or countries. Kaspersky had most of the module signatures in their database over 2 years ago and decided not to flag them as active malware. Most malware programs are small in size and spend a good deal of time trying to masquerade or hide themselves from virus scanners. In Flame's case it was a huge program using SQLite and other normal business-related applications to do the work. It was made to look like a normal business application, which basically was hiding in plain sight, that virus scanners determined harmless. The guys who built Flame and Stuxnet make Anonymous and other script kiddies look ridiculously stupid. As more and more applications get flagged as malware, the only thing people will be able to actually run is the OS.

  • by Rich0 ( 548339 ) on Tuesday June 05, 2012 @04:57PM (#40225017) Homepage

    I guess that will work well, as long as you have a machine that talks to Windows Update and not Flame Update.

  • Re:whoops (Score:4, Insightful)

    by rmstar ( 114746 ) on Tuesday June 05, 2012 @05:00PM (#40225063)

    The certificates weren't legit.

    How do you know that?

  • by Kozar_The_Malignant ( 738483 ) on Tuesday June 05, 2012 @07:10PM (#40226691)

    The climate is better in Persia and there are a lot fewer Mormons.

  • by Anonymous Coward on Tuesday June 05, 2012 @09:38PM (#40227955)

    This smells an awful lot like natural selection for biological pathogens - if one is so virulent that it kills the host at the cost of its reproductive ability, it will eventually be replaced by those pathogens that don't kill the host, but affect it as little as possible while borrowing its infrastructure. Neat.
