Tech behind Flame attack could compromise Microsoft Update

Events over the past two days point to the possibility of hackers hijacking the WSUS process, spreading malware that resembles legitimate Windows updates

Few of the people you or I know need to worry about a Flame malware attack -- unless you know a lot of Iranian bureaucrats. But the technology behind the attack -- details of which are only starting to surface -- should have all of us concerned. Not just about the sophisticated cracking techniques employed, but about the tools we use and rely on all the time.

Yes, I'm talking specifically about WSUS and Microsoft's Automatic Update.

F-Secure's Mikko Hypponen (who has been known to succumb to hyperbole from time to time) calls it "the nightmare scenario." According to his News from the Lab blog, "Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root. Except it isn't signed really by Microsoft."

Sunday night, Microsoft pushed through an out-of-band patch known as SA 2718704 that effectively killed three root certificates that had been compromised by the Flame throwers. That raises at least two painfully obvious questions: If Microsoft didn't give the certificates to the people who made Flame, how did the bad guys get them? And what can be done to prevent the same thing from happening again?

We aren't talking about a break-in at a small Comodo certificate-issuing authority in the Netherlands. These are, as Mikko says, the certificates that validate WSUS patches -- Microsoft Update's family jewels.

Yesterday the Microsoft Security Response Center posted an update to the Security Advisory that says, "The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack."

Permit me to translate that into English.

A "cryptographic collision attack" is a brute-force approach to cracking a hashing method, where the attacker guesses at a whole bunch of input strings, runs the hashing algorithm, and compares the result to the real hash. If the hashes match, then the original strings matched. Sophisticated guessing techniques can be employed, but in general cracking not one, but three original Microsoft certificates must've taken eons of computing time. There's still a lot of confusion about exactly how the Flame folks used the collision attack. Microsoft's statement is subject to a lot of interpretation. Dan Goodin has an analysis on Ars Technica.

As Microsoft rightly notes, just having the certs isn't good enough. In order to subvert WSUS/Windows Update for a site, the person with the cracked certs has to be able to insert themselves between the site's network and the Microsoft update servers: a man-in-the-middle attack. In some countries, that's certainly possible for any organization that has influence over local DNS servers. In general, though, it's a highly nontrivial exercise.

But working inside a network, man-in-the-middle may not be so difficult. Aleks Gostev at Kaspersky Lab has started peeling away at Flame and discovered that fully patched Windows 7 machines running on a network with one Flame-infected machine were getting infected "in a very suspicious manner. When a machine tries to connect to Microsoft's Windows Update, [Flame] redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client." That's the man in the middle.

What can you do to protect yourself? Get SA 2718704 installed, of course. SANS Internet Storm Center gives a manual patching procedure if you don't feel comfortable applying the update.
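As an added check (not part of the article), the following PowerShell, run as administrator on a machine that should already have SA 2718704 applied, confirms that the revoked certificates actually landed in the local Untrusted Certificates store and lists the signing chain of a suspect file so any link to those certificates stands out. The subject-name patterns and the file path are placeholders to be filled in from the advisory.

```powershell
# Added example, not from the article or from Microsoft: verify the effect of
# SA 2718704 on this machine and inspect the Authenticode chain of a suspect file.
# $RevokedSubjectPatterns is a placeholder; fill it with the certificate subject
# names listed in the advisory.
$RevokedSubjectPatterns = @(
    'PLACEHOLDER-SUBJECT-NAME-FROM-SA-2718704'
)

function Test-RevokedCertsPresent {
    param([string[]]$Patterns)
    # Certificates placed in the Disallowed (Untrusted) store are rejected
    # whenever Windows builds a trust chain, which is what the update does.
    $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    foreach ($p in $Patterns) {
        $hit = $disallowed | Where-Object { $_.Subject -like "*$p*" }
        if ($hit) {
            Write-Output "Untrusted store contains: $($hit.Subject -join '; ')"
        } else {
            Write-Output "MISSING from Untrusted store: *$p* (SA 2718704 may not be applied)"
        }
    }
}

function Test-FileSignatureChain {
    param([string]$Path, [string[]]$Patterns)
    # Status is 'Valid' only if the whole chain is trusted; a chain that passes
    # through a revoked certificate should no longer verify once the update is in.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Output "$Path : $($sig.Status)"
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline inspection only; we care about the shape of the chain here.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($sig.SignerCertificate)
        foreach ($el in $chain.ChainElements) {
            $subj = $el.Certificate.Subject
            $flag = ''
            foreach ($p in $Patterns) {
                if ($subj -like "*$p*") { $flag = '   <-- revoked by SA 2718704' }
            }
            Write-Output "  $subj$flag"
        }
    }
}

Test-RevokedCertsPresent -Patterns $RevokedSubjectPatterns
# Path is a placeholder; point it at a file pulled from a suspect update session.
Test-FileSignatureChain -Path 'C:\PLACEHOLDER\suspect-update.exe' -Patterns $RevokedSubjectPatterns
```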

More than that, you need to be aware of the fact that some very, very smart people, using an enormous amount of computing power, were able to subvert some of the most trusted authentication certificates -- and techniques -- that we have.

The bad guys just got a leg up.

This story, "Tech behind Flame attack could compromise Microsoft Update," was originally published at InfoWorld.com.
