You have probably already heard that Microsoft released an out-of-band update that revokes three rogue certificates that were used to sign a couple of modules of the recently discovered Flame (SkyWiper) toolkit. What you might not have heard yet is how some of the malware's modules - namely the ones called "Gadget" and "Munch" - were responsible for spreading Flame to other machines on the same network as an already infected one.
Initially, Kaspersky Lab experts thought computers were infected via an unknown 0-day vulnerability, as fully patched Windows 7 machines were being infected over the network in a very suspicious manner.
But then they discovered that the aforementioned two modules implemented a MITM attack against other computers in their own network.
"When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client," the researchers shared.
This fake update contained a number of files, and among them was WuSetupV.exe, signed by one of the rogue Microsoft certificates, which allowed it to be run without warning or interference, and drop Flame into the targeted machine.
"The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to 'Auto'," the Kaspersky Lab researchers pointed out.
So, while it is almost certain that a 0-day flaw is misused to infect the initial machine, it is equally certain that Flame has other means of propagating once inside a network.
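The two conditions the researchers describe (a WPAD name resolving to a LAN peer instead of the real proxy, and Windows Update traffic being relayed through that peer) can be checked for in network logs. The following detection heuristic is an added example, not code from the article or from Kaspersky Lab; the log line format, the sanctioned proxy address and the sample log are constructed assumptions.

```python
"""Flag WPAD-based interception of Windows Update traffic in simple logs.

Two signals, both taken from the behaviour described above:
  1. a 'wpad.<domain>' lookup that resolves to a LAN host other than the
     sanctioned proxy (a rogue machine announcing itself as the proxy);
  2. a request to a Windows Update host that is relayed via such a peer.
The log line formats below are constructed assumptions, not a real product's.
"""
import ipaddress
import re

# Constructed assumption: the organisation's only sanctioned proxy.
APPROVED_PROXIES = {"10.0.0.5"}
UPDATE_HOSTS = ("windowsupdate.microsoft.com", "update.microsoft.com", "windowsupdate.com")

# Assumed formats:  "DNS <client> wpad.<domain> -> <answer>"
#                   "HTTP <client> via <proxy|direct> <METHOD> <url>"
DNS_RE = re.compile(r"^DNS\s+(\S+)\s+(wpad\.\S+)\s+->\s+(\S+)$")
HTTP_RE = re.compile(r"^HTTP\s+(\S+)\s+via\s+(\S+)\s+\w+\s+https?://([^/\s]+)")


def is_private(ip):
    """True for RFC 1918-style LAN addresses; non-IP answers are ignored."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def find_suspicious(lines):
    """Return (client, reason) tuples for lines matching either signal."""
    alerts = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m:
            client, name, answer = m.groups()
            if answer not in APPROVED_PROXIES and is_private(answer):
                alerts.append((client, f"{name} resolved to unsanctioned LAN host {answer}"))
            continue
        m = HTTP_RE.match(line.strip())
        if m:
            client, proxy, host = m.groups()
            if host.endswith(UPDATE_HOSTS) and proxy not in APPROVED_PROXIES | {"direct"}:
                alerts.append((client, f"Windows Update traffic to {host} relayed via {proxy}"))
    return alerts


# Constructed sample log: 10.0.0.17 is a peer posing as the proxy for 10.0.0.22.
SAMPLE_LOG = [
    "DNS  10.0.0.21 wpad.corp.example -> 10.0.0.5",
    "DNS  10.0.0.22 wpad.corp.example -> 10.0.0.17",
    "HTTP 10.0.0.21 via 10.0.0.5 GET http://windowsupdate.microsoft.com/v6/default.aspx",
    "HTTP 10.0.0.22 via 10.0.0.17 GET http://www.update.microsoft.com/v6/default.aspx",
    "HTTP 10.0.0.23 via direct GET http://example.com/",
]

if __name__ == "__main__":
    for client, reason in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {client}: {reason}")
```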
"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," F-Secure's Chief Research Officer Mikko Hypponen commented.
"I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."