funsec mailing list archives
Flaming certs
From: Robert Slade <rmslade () shaw ca>
Date: Tue, 05 Jun 2012 14:35:48 -0700
Today is Tuesday for me, but it's not "second Tuesday," so it shouldn't be patch Tuesday. But today my little netbook, which is set just to inform me when updates are available, informed me that it had updated, but I needed to reboot to complete the task, and, if I didn't do anything in the next little while it was going to reboot anyway. Yesterday, of course, wasn't patch Tuesday, but all my machines set to "go ahead and update" all wanted to update on shutdown last night. This is, of course, because of Flame (aka Flamer, aka sKyWIper) has an "infection" module that messes with Windows/Microsoft Update. As I understand it, there is some weakness in the update process itself, but the major problem is that Flame "contains" and uses a fake Microsoft digital certificate. You can get some, but not very much, information about this from Microsoft's Security Response Center blog: http://blogs.technet.com/b/msrc/ http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx You can get more detailed information from F-Secure: http://www.f-secure.com/weblog/archives/00002377.html It's easy to see that Microsoft is extremely concerned about this situation. Not necessarily because of Flame: Flame uses pretty old technology, only targets a select subset of systems, and doesn't even run on Win7 64-bit. But the fake cert could be a major issue. Once that cert is out in the open it can be used not only for Windows Update, but for "validating" all kinds of malware. And, even though Flame only targets certain systems, and seems to be limited in geographic extent, I have pretty much no confidence at all that the blackhat community hasn't already got copies of it. (The cert doesn't necessarily *have* to be contained in the Flame codebase, but the structure of the attack seems to imply that it is.) So, the only safe bet is that the cert is "in the wild," and can be used at any time. (Just before I go on with this, I might say that the authors of Flame, whoever they may be, did no particularly bad thing in packaging up a bunch of old trojans into one massive kit. But putting that fake cert out there was simply asking for trouble, and it's kind of amazing that it hasn't been used in an attack beofre now.) The first thing Microsoft is doing is patching MS software so that it doesn't trust that particular cert. They aren't giving away a lot of detail, but I imagine that much midnight oil is being burned in Redmond redoing the validation process so that a fake cert is harder to use. Stay tuned to your Windows Update channel for further developments. However, in all of this, one has to wonder where the fake cert came from. It is, of course, always possible to simply brute force a digital signature, particularly if you have a ton of validated MS software, and a supercomputer (or a huge botnet), and mount a birthday (collision) attack. (And everyone is assuming that the authors of Flame have access to the resources of a nation-state. Or two ...) Now the easier way is simply to walk into the cert authority and ask for a couple of Microsoft certs. (Which someone did one time. And got away with it.) But then, I was thinking. In the not too distant past, we had a whole bunch of APT attacks (APT being an acronym standing for "we were lazy about our security, but it really isn't our fault because these attackers didn't play fair!") on cert authorities. And the attacks got away with a bunch of valid certs. OK, we think Flame is possibly as much a five years in the wild, and almost certainly two years. But it is also likely that there were updates during the period in the wild, so it's hard to say, right off the top, which parts of it were out there for how long. And I just kind of wonder ... ====================== rslade () computercrime org slade () victoria tc ca rslade () vcn bc ca "If you do buy a computer, don't turn it on." - Richards' 2nd Law ============= for back issues: [Base URL] site http://victoria.tc.ca/techrev/ CISSP refs: [Base URL]mnbksccd.htm Security Dict.: [Base URL]secgloss.htm Book reviews: [Base URL]mnbk.htm [Base URL]review.htm Partial/recent: http://groups.yahoo.com/group/techbooks/ Review mailing list: send mail to techbooks-subscribe () egroups com http://blogs.securiteam.com/index.php/archives/author/p1/ http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Flaming certs Robert Slade (Jun 05)