Wilders Security Forums  

#101
June 13th, 2012, 05:37 PM
Page42
Re: The Flame: Questions and Answers

I haven't read this whole thread, so I don't know if this has been posted.

OpenDNS claims to protect from Flame...

Quote:
OpenDNS users are now automatically protected from Flame malware in addition to other large-scale Internet threats like Flashback and Conficker. As the world's largest Internet security network and DNS provider we're in the perfect position to decipher malware like Flame and gain unique insights into where the malware's infections are and, potentially, what it aims to do. This helps us stay ahead of the curve so we can continue to be proactive in our efforts to protect you and the people you care about.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#102
June 13th, 2012, 05:45 PM
Hungry Man
Re: The Flame: Questions and Answers

Link to the whole post?

I assume they're just blocking domains.
#103
June 13th, 2012, 05:49 PM
Page42
Re: The Flame: Questions and Answers

It's from an email sent to me from OpenDNS.
Let me see if I can find a web link for it.

[Attachment: OpenDNS and Flame.jpg]
#104
June 13th, 2012, 06:05 PM
Page42
Re: The Flame: Questions and Answers

Here are some blog links from the CTO...
http://blog.opendns.com/2012/06/01/u...flame-malware/
http://blog.opendns.com/2012/05/29/m...flame-malware/
#105
June 14th, 2012, 11:40 PM
Melf
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Mrkvonic
Hungry, what is so special about this code?

Written in C/Assembly/whatever?
Compiled?
Runs and does things?

So what's unique?
Apart from the media sensation?

Perhaps the code logic is brilliant, but it has nothing to do with malware, more with pure code design and implementation by whoever designed it; most likely some good math and whatnot.

Mrk

It is worthy of interest because apparently Microsoft is still using MD5 to sign some of its certificates. MD5 has been proven theoretically passable before, and is now shown to be exploited in the wild. Many Windows security approaches involve trusting Microsoft signed files explicitly, which USUALLY grants a lot of convenience without sacrificing security (but not in this case).
#106
June 14th, 2012, 11:44 PM
Hungry Man
Re: The Flame: Questions and Answers

It's worthy of interest for a dozen reasons both due to its obvious political nature and the sophisticated method of attack.
#107
June 15th, 2012, 12:03 AM
guest
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Melf
It is worthy of interest because apparently Microsoft is still using MD5 to sign some of its certificates. MD5 has been proven theoretically passable before, and is now shown to be exploited in the wild. Many Windows security approaches involve trusting Microsoft signed files explicitly, which USUALLY grants a lot of convenience without sacrificing security (but not in this case).

"Microsoft was still". They already revamped the whole thing.

See:
- http://blogs.technet.com/b/pki/
- http://blogs.technet.com/b/msrc/arch...bulletins.aspx
#108
June 15th, 2012, 12:17 AM
Hungry Man
Re: The Flame: Questions and Answers

Pretty sure they're still using MD5 but they're wrapping it in something else. Haven't looked into it. It's irrelevant though because attacking MD5 is incredibly difficult and we're unlikely to see this again with the new system.
#109
June 15th, 2012, 08:02 AM
funkydude
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
Pretty sure they're still using MD5 but they're wrapping it in something else. Haven't looked into it. It's irrelevant though because attacking MD5 is incredibly difficult and we're unlikely to see this again with the new system.

What makes you so sure exactly?
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#110
June 15th, 2012, 09:51 AM
PaulyDefran
Re: The Flame: Questions and Answers

Just listened to Security Now about this. Apparently, the MD5 collision attack was estimated to have cost about $300,000 of computer time, with some of *the* best mathematical minds in the world, working on it. It's also been linked to Stuxnet (and Duqu was linked to Stuxnet too, IIRC). Hungry Man was right, and the security bloggers were wrong IMO: This thing is a very big deal.

PD
#111
June 15th, 2012, 01:22 PM
Rmus
Re: The Flame: Questions and Answers

Quote:
Originally Posted by PaulyDefran
This thing is a very big deal.
That's just a point of view, of course.

From the standpoint of what this malware does if permitted to install, it has some impressive features.

From the standpoint of the exploit itself and its attack vector -- initial point of entry -- nothing new is here, and merits -- to quote a previous poster -- a big "ho-hum."

----
rich
#112
June 15th, 2012, 04:08 PM
Hungry Man
Re: The Flame: Questions and Answers

Nothing new? The initial point of entry is the first MD5 collision ever used against users.


Quote:
Originally Posted by funkydude
What makes you so sure exactly?
Because an MD5 collision attack on its own is incredibly difficult to pull off and Microsoft has released a new system to directly address it. Even if they hadn't released this new system it's incredibly difficult/costly.
#113
June 15th, 2012, 05:51 PM
Rmus
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
Nothing new? The initial point of entry is the first MD5 collision ever used against users.
Doesn't that happen after the malware is already installed?

Analyzing the MD5 collision in Flame
http://blog.trailofbits.com/2012/06/...sion-in-flame/
Quote:
One of the more interesting aspects of the Flame malware was the MD5 collision attack that was used to infect new machines through Windows Update.
I'm referring to the initial point of entry of the exploit itself:

Flame Virus: The Basics
http://tech-authors.com/flame-virus-faqs-answered/

Quote:
Kaspersky describes Flame as a backdoor and a Trojan with worm-like features.
Analysis has been difficult, but the usual methods are suspected:

Quote:
  • spearphishing or infected websites are possibilities

  • We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.
The latter is a good possibility:

http://watchguardsecuritycenter.com/...orry-about-it/
Quote:
Kaspersky believes the author originally created the malware in 2010.

----
rich
#114
June 15th, 2012, 05:53 PM
Hungry Man
Re: The Flame: Questions and Answers

The MD5 collision is how it initially infects systems.
#115
June 15th, 2012, 05:59 PM
m00nbl00d
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
The MD5 collision is how it initially infects systems.

Hmm.. That was not my understanding. From what I've read, I had the idea a system would have to be already infected, and then in order not to raise any suspicions, one of Flame's components would let some of the Windows Update files pass, while passing some bogus ones, making the user believe it was a legitimate update, due to being digitally signed by Microsoft (due to MD5 collision).

There's a patient zero. If you make patient zero a non-reality, then there's no spreading.
#116
June 15th, 2012, 06:10 PM
Rmus
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
The MD5 collision is how it initially infects systems.
Well, I've missed something. Can you cite a source for this?

My understanding is that a network needs a hosted machine infected with Flame. That machine intercepts the Windows Update call from other machines on the network. At that point, the trickery comes into play. This is from a week ago, so you may have more current information:


http://arstechnica.com/security/2012...-breakthrough/
Jun 7, 2012
Quote:
By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.



----
rich
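The defensive check underlying this sub-thread is whether a signing certificate's own signature still relies on MD5. The following is an added example, not code from any poster or from the Flame analyses cited: a minimal DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate and flags md5WithRSAEncryption; `sample_cert` builds a constructed, certificate-shaped blob (dummy tbsCertificate and signature) so the script runs offline, and the OID constants are the standard RFC values.

```python
"""Added example (not from the thread): flag X.509 certificates whose outer
signature is md5WithRSAEncryption. Walks Certificate ::= SEQUENCE {
tbsCertificate, signatureAlgorithm, signatureValue } in DER and decodes the
algorithm OID. The sample input is constructed, not a real certificate."""
MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # RFC 3279
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # RFC 4055
_OID_DER = {MD5_WITH_RSA: bytes.fromhex("2a864886f70d010104"),      # encoded OID bodies
            SHA256_WITH_RSA: bytes.fromhex("2a864886f70d01010b")}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, used by real certs
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode base-128 OID value bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)         # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)     # AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(cert_der[oid_start:oid_end])

def is_md5_signed(cert_der):
    """True when the certificate's own signature is md5WithRSAEncryption."""
    return signature_algorithm_oid(cert_der) == MD5_WITH_RSA

def sample_cert(alg_oid):
    """Constructed certificate-shaped DER (short-form lengths only)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                           # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, _OID_DER[alg_oid]) + b"\x05\x00")   # OID + NULL params
    sig = tlv(0x03, b"\x00" * 9)                                  # dummy BIT STRING
    return tlv(0x30, tbs + alg + sig)
```

On a real certificate, pass the DER bytes (`open(path, "rb").read()`) to `is_md5_signed`; checking only the leaf is not enough, so run it over every certificate in the chain.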
#117
June 15th, 2012, 06:11 PM
Hungry Man
Re: The Flame: Questions and Answers

Ah, for the network the initial exploitation may be some other method. But Windows Update/the collision is the exploit used to get onto other systems.
#118
June 15th, 2012, 06:16 PM
Rmus
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
Ah, for the network the initial exploitation may be some other method. But Windows Update/the collision is the exploit used to get onto other systems.
OK, I understand how you are seeing this.

My interest is in the initial exploitation on the network, for if that were prevented, none of this collision stuff would be able to happen.


----
rich
#119
June 15th, 2012, 06:18 PM
m00nbl00d
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
Ah, for the network the initial exploitation may be some other method. But Windows Update/the collision is the exploit used to get onto other systems.

Yes, but when you consider patient zero, what's so new that's so scary? The initial focus can be stopped with proper security measures (including human measures).
#120
June 15th, 2012, 06:20 PM
Rmus
Re: The Flame: Questions and Answers

Quote:
Originally Posted by m00nbl00d
Yes, but when you consider patient zero, what's so new that's so scary? The initial focus can be stopped with proper security measures (including human measures).
Well said!


----
rich
#121
June 15th, 2012, 06:20 PM
Hungry Man
Re: The Flame: Questions and Answers

Patient zero isn't exactly all that important. If all it takes is infecting one person to get it started, it really doesn't matter who it is; they'll get hacked. At that point the entire network is compromised because of the multiple methods of infection this thing uses, including the MD5 collision and various exploits that, at the time, were probably zero days (though I don't remember / am literally too lazy to google and check).
#122
June 15th, 2012, 06:23 PM
m00nbl00d
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
Patient zero isn't exactly all that important. If all it takes is infecting one person to get it started, it really doesn't matter who it is; they'll get hacked. At that point the entire network is compromised because of the multiple methods of infection this thing uses, including the MD5 collision and various exploits that, at the time, were probably zero days (though I don't remember / am literally too lazy to google and check).

Yes, it matters. It's the patient zero that matters, actually. If there's no patient zero, Flame is nothing but a hype. Just because there are stupid people everywhere, including certain organizations, that doesn't necessarily give any credit to the malware/attacker in question.

-edit-

If nothing else, the only great thing that this shows, is that certain people don't mind spending lots of money to attack certain parties. But, the same is not to say that clever people cannot do anything about it. Also, an exploit doesn't necessarily equal an infection.
#123
June 15th, 2012, 06:26 PM
Hungry Man
Re: The Flame: Questions and Answers

I think the first person really matters the least. The ability to infect any random person is not impressive. There will always be someone willing to click a link, someone with an unpatched system, someone who walks away from their laptop in the Starbucks, whatever. It doesn't matter if *you* are secure, because they aren't, and they can be anyone.

There will always be the patient zero. There isn't a situation where they don't exist, because someone is always vulnerable and that's all it takes to spread.
#124
June 15th, 2012, 06:30 PM
m00nbl00d
Re: The Flame: Questions and Answers

Quote:
Originally Posted by Hungry Man
I think the first person really matters the least. The ability to infect any random person is not impressive. There will always be someone willing to click a link, someone with an unpatched system, someone who walks away from their laptop in the Starbucks, whatever. It doesn't matter if *you* are secure, because they aren't, and they can be anyone.

There will always be the patient zero. There isn't a situation where they don't exist, because someone is always vulnerable and that's all it takes to spread.

You're not understanding. One thing is people existing who aren't aware of such things, and how to stop them. Another one entirely different is that it's possible to stop it. Period. Stupid people existing doesn't change that, at all. It only means there are stupid people everywhere.

And, what you're saying is actually what we all know. If there aren't any stupid people and no unaware people, then Flame would be a piece of crap. At least, with its current design. They would have the need to find other exploitable ways; but, even then, we'd have to see if it could/couldn't be prevented.

@ Everyone

Please be aware that I'm calling people within organizations that should be able to secure their networks stupid. In this case, they are stupid.
#125
June 15th, 2012, 08:48 PM
Serapis
Re: The Flame: Questions and Answers

When Windows Update is set to manual/notify mode, does it push itself as an MS update? What name does it use? Just a generic KB number that doesn't exist? Or does it appear as the actual filename itself, which would pass through if people couldn't care to check?
 

Copyright ©2002 - 2013, Wilders Security Forums