funsec mailing list archives

Flaming certs


From: Robert Slade <rmslade () shaw ca>
Date: Tue, 05 Jun 2012 14:35:48 -0700

Today is Tuesday for me, but it's not "second Tuesday," so it shouldn't be patch Tuesday.  But today my little netbook, 
which is set just to inform me when updates are available, informed me that it had updated, but I needed to reboot to 
complete the task, and, if I didn't do anything in the next little while it was going to reboot anyway.

Yesterday, of course, wasn't patch Tuesday, but all my machines set to "go ahead and update" all wanted to update on 
shutdown last night.

This is, of course, because Flame (aka Flamer, aka sKyWIper) has an "infection" module that messes with 
Windows/Microsoft Update.  As I understand it, there is some weakness in the update process itself, but the major 
problem is that Flame "contains" and uses a fake Microsoft digital certificate.

You can get some, but not very much, information about this from Microsoft's Security Response Center blog:
http://blogs.technet.com/b/msrc/
http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx

You can get more detailed information from F-Secure: http://www.f-secure.com/weblog/archives/00002377.html

It's easy to see that Microsoft is extremely concerned about this situation.  Not necessarily because of Flame: Flame 
uses pretty old technology, only targets a select subset of systems, and doesn't even run on Win7 64-bit.  But the fake 
cert could be a major issue.  Once that cert is out in the open it can be used not only for Windows Update, but for 
"validating" all kinds of malware.  And, even though Flame only targets certain systems, and seems to be limited in 
geographic extent, I have pretty much no confidence at all that the blackhat community hasn't already got copies of it. 
(The cert doesn't necessarily *have* to be contained in the Flame codebase, but the structure of the attack seems to 
imply that it is.)  So, the only safe bet is that the cert is "in the wild," and can be used at any time.

(Just before I go on with this, I might say that the authors of Flame, whoever they may be, did no particularly bad 
thing in packaging up a bunch of old trojans into one massive kit.  But putting that fake cert out there was simply 
asking for trouble, and it's kind of amazing that it hasn't been used in an attack before now.)

The first thing Microsoft is doing is patching MS software so that it doesn't trust that particular cert.  They aren't 
giving away a lot of detail, but I imagine that much midnight oil is being burned in Redmond redoing the validation 
process so that a fake cert is harder to use.  Stay tuned to your Windows Update channel for further developments.

However, in all of this, one has to wonder where the fake cert came from.  It is, of course, always possible to simply 
brute force a digital signature, particularly if you have a ton of validated MS software, and a supercomputer (or a 
huge botnet), and mount a birthday (collision) attack.  (And everyone is assuming that the authors of Flame have access 
to the resources of a nation-state.  Or two ...)  Now the easier way is simply to walk into the cert authority and ask 
for a couple of Microsoft certs.  (Which someone did one time.  And got away with it.)

But then, I was thinking.  In the not too distant past, we had a whole bunch of APT attacks (APT being an acronym 
standing for "we were lazy about our security, but it really isn't our fault because these attackers didn't play 
fair!") on cert authorities.  And the attacks got away with a bunch of valid certs.

OK, we think Flame is possibly as much as five years in the wild, and almost certainly two years.  But it is also likely 
that there were updates during the period in the wild, so it's hard to say, right off the top, which parts of it were 
out there for how long.

And I just kind of wonder ...

====================== 
rslade () computercrime org  slade () victoria tc ca  rslade () vcn bc ca
"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs:     [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Book reviews:   [Base URL]mnbk.htm
                [Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Review mailing list: send mail to techbooks-subscribe () egroups com
http://blogs.securiteam.com/index.php/archives/author/p1/
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
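The post says Microsoft's first response is to patch Windows so that it no longer trusts the particular certificate Flame carries. On a Windows host the practical check is whether the distrusted certificates actually landed in the machine's Disallowed (Untrusted) store, and whether anything in a signed file's Authenticode chain is on that list. The script below is an added example written for this archive page, not code from the original post or from Microsoft; the thumbprint in `$DistrustedThumbprints` is a placeholder, not a value from the advisory, and the function names `Get-DisallowedCertificates`, `Test-DistrustApplied` and `Test-SignedFileChain` are this example's own.

```powershell
# Added example, not from the original post. Checks the Windows Disallowed
# certificate store (where an update that withdraws trust in a certificate
# places it) and walks the Authenticode chain of a signed file looking for
# any distrusted certificate. Run in an elevated PowerShell session.

# PLACEHOLDER thumbprint (40 hex chars). Replace with the real thumbprints
# published for the advisory you are checking; this value is not from the page.
$DistrustedThumbprints = @(
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
)

function Get-DisallowedCertificates {
    # Everything the machine has been told to explicitly distrust.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Test-DistrustApplied {
    # One row per expected thumbprint: has the distrust update reached this host?
    param([string[]]$Thumbprints = $DistrustedThumbprints)
    $present = (Get-ChildItem -Path Cert:\LocalMachine\Disallowed).Thumbprint
    foreach ($t in $Thumbprints) {
        [pscustomobject]@{
            Thumbprint        = $t
            InDisallowedStore = ($present -contains $t)
        }
    }
}

function Test-SignedFileChain {
    # Builds the signer's chain and reports whether any element is distrusted,
    # plus each element's signature hash algorithm so weak chains stand out.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; DistrustedInChain = $false; Chain = @()
        }
    }
    $disallowed = (Get-ChildItem -Path Cert:\LocalMachine\Disallowed).Thumbprint
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only, works offline
    $null = $chain.Build($sig.SignerCertificate)
    $elements = $chain.ChainElements | ForEach-Object { $_.Certificate }
    $hits = $elements | Where-Object { $disallowed -contains $_.Thumbprint }
    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        DistrustedInChain = [bool]$hits
        Chain             = $elements | Select-Object Subject, Thumbprint,
                                @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
    }
}

# Usage (constructed): confirm the update took, then inspect a signed binary.
Test-DistrustApplied | Format-Table -AutoSize
Test-SignedFileChain -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

`Get-AuthenticodeSignature` alone reports `Valid` for anything that chains to a trusted root; the explicit chain walk against the Disallowed store is what tells you whether a certificate that was trusted yesterday has since been withdrawn, which is exactly the situation the post describes.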



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

