Microsoft over the weekend released a security update and an out-of-band patch that kills three rogue certificates that appeared to be signed by Microsoft and allowed the malware to slip past Windows controls. The software giant did not give details on the actual attack, but according to new analysis by Kaspersky Lab, a Flame module named "Gadget" was used to infect other machines in the same network as the targeted machine, therefore spreading more widely within the targeted organization. Gadget and another module called "Munch" wage a man-in-the-middle attack during a Windows Update session that basically redirects the user's machine to a phony update carrying the malware, which looks as if it were signed by Microsoft but was not.
That, according to Kaspersky's Alex Gostev, chief malware expert, explains how Flame was able to infect fully patched Windows 7 machines.
The attackers preyed on apparent weak encryption in Microsoft's Terminal Services -- specifically an older cryptographic algorithm used in Microsoft's Terminal Server Licensing Service, which lets enterprises enable Remote Desktop services. In addition to the security update issued by Microsoft to kill the rogue certs, Microsoft has also halted issuing certificates for code-signing through Terminal Services.
Mike Reavey, senior director of Microsoft's Security Response Center, says that most companies aren't at risk of attack since Flame was so targeted, and also because now most anti-malware detects and removes Flame. But the worry is that other attackers could copy the method used by Flame and strike at a broader audience: "Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," he wrote in a blog post today.
Security experts say this hack could have been much worse in the hands of traditional cybercriminals. Researchers believe Flame was a parallel cyberespionage effort to Duqu and Stuxnet, likely the work of a nation-state, such as the U.S. or Israel, but no officials have gone on record to confirm it. The New York Times reported on Friday that anonymous U.S. officials confirmed that Stuxnet and its associated espionage were the work of U.S. and Israeli officials trying to cripple Iran's nuclear weapon development. The so-called "Olympic Games" attacks originated in the Bush administration and continued under the Obama administration.
Flame's abuse of Microsoft's digital certificate demonstrates just how these well-funded and organized cyberespionage efforts take attacks to another level.
"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," said Mikko Hypponen, chief research officer at F-Secure, in a blog post today. "I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."
According to F-Secure, one module for Flame wages a man-in-the-middle attack on the Microsoft Windows Update system, and then infects the targeted machine. "If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root," Hypponen said.
"This was not a CA [certificate authority] breach, but because weak encryption was used, it was a certificate breach," says Jeff Hudson, CEO at Venafi. "That allowed the code to pretend it was authorized and signed by Microsoft." It's unclear, as yet, whether the attackers used Terminal Services to log onto other systems or to sign other code, he says.
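For an administrator who wants to confirm the update described above took effect, the following PowerShell is an added example, not code from the article or from Microsoft: it lists certificates in the local Untrusted store whose subject matches the Terminal Services licensing intermediates, then walks the Authenticode chain of a file (such as a dropped update payload) and flags any element that matches. The subject substring and the file path are assumptions, not values from the article.

```powershell
# Added example (not from the article). Checks that the rogue licensing intermediates
# are distrusted on this host and inspects a file's Authenticode chain for them.
param([string]$FilePath = 'C:\path\to\suspect\file.exe')   # placeholder path

# Assumed substring of the revoked intermediates' subject names (not stated in the article).
$pattern = 'Enforced Licensing'

# 1. The security update moves the rogue intermediates into the Untrusted (Disallowed) store.
$revoked = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like "*$pattern*" })
if ($revoked.Count -gt 0) {
    Write-Output "Untrusted store contains $($revoked.Count) licensing certificate(s):"
    $revoked | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning "No licensing intermediates in the Untrusted store; the update may not be applied."
}

# 2. Inspect the signature chain of a file delivered as an 'update'.
if (Test-Path -Path $FilePath) {
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    Write-Output "Signature status for ${FilePath}: $($sig.Status)"
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: rely on the local Untrusted store rather than CRL/OCSP lookups.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)
        foreach ($el in $chain.ChainElements) {
            $flag = ''
            if ($el.Certificate.Subject -like "*$pattern*") { $flag = '  <-- distrusted licensing CA' }
            Write-Output ("  {0}{1}" -f $el.Certificate.Subject, $flag)
        }
    }
} else {
    Write-Warning "File not found: $FilePath"
}
```

A chain that passes through a certificate in the Disallowed store will report a non-Valid signature status once the update is installed; a Valid status for a file whose chain includes the licensing intermediate means the host is still missing the fix.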
Meanwhile, more information on Flame's command-and-control (C&C) infrastructure was revealed today by Kaspersky Lab and OpenDNS, which sinkholed 30 of the C&C servers supporting the attack. The C&C domains for Flame used a long list of fake identities and various registrars dating back to 2008, and there are more than 80 known domains, with 24 IP addresses currently hosting the domains. The attackers used 22 different registration services. "Flame's command-and-control [infrastructure] is huge, unlike anything we've seen before," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "These servers have been moving all over the world."
The C&C infrastructure initially went dark hours after Kaspersky Lab first reported its findings on Flame last week, Schouwenberg says. Then on Saturday afternoon Eastern time, it came back to life temporarily, with some of the Flame domains pointing to an IP address in Germany, but it's unclear whether that was the attackers or other researchers in action, he says.
Kaspersky and OpenDNS's findings also appear to confirm that Iran was the main target of the Flame attack. The sinkhole contains 45 infected machines from Iran, 21 from Lebanon, and 14 in Sudan. The rest are single-digit infections in other countries, including eight from the U.S.
Dan Hubbard, CTO for OpenDNS, says while his firm can't be sure who's behind Flame, it's unique because it was so well-planned and executed. "The domains were registered by people ... using company names like Nvdia," he says. "We believe that, combined with the small packet size, it was built to go under the firewall, IPS, and data leakage prevention radars to look like regular traffic."
[Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years.]
And the domains were not ones historically associated with cybercriminals, he said. "That's very rare," Hubbard says.
The danger with this type of attack is that it's difficult to detect and stop. "This sort of attack is really hard to defend against," says Roger Thompson, chief emerging threats researcher for ICSA Labs. "You simply have to stop this code before it gets running, and, again, the only way to do this is with integrity management and behavior monitoring."