The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I haven't read this whole thread, so I don't know if this has been posted.

    OpenDNS claims to protect from Flame...

     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Link to the whole post?

    I assume they're just blocking domains.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    It's from an email sent to me from OpenDNS.
    Let me see if I can find a web link for it.

    OpenDNS and Flame.jpg
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
  5. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    It is worthy of interest because apparently Microsoft is still using MD5 to sign some of its certificates. MD5 has been proven theoretically passable before, and is now shown to be exploited in the wild. Many Windows security approaches involve trusting Microsoft signed files explicitly, which USUALLY grants a lot of convenience without sacrificing security (but not in this case).
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's worthy of interest for a dozen reasons both due to its obvious political nature and the sophisticated method of attack.
     
  7. guest

    guest Guest

    "Microsoft was still". They already revamped the whole thing.

    See:
    - http://blogs.technet.com/b/pki/
    - http://blogs.technet.com/b/msrc/arc...-list-update-and-the-june-2012-bulletins.aspx
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Pretty sure they're still using MD5 but they're wrapping it in something else. Haven't looked into it. It's irrelevant though because attacking MD5 is incredibly difficult and we're unlikely to see this again with the new system.
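    The point Melf and Hungry Man are arguing about (whether an MD5-signed certificate still sits somewhere in a chain that Windows trusts) is something a defender can check directly. The script below is an added example, not code from this thread or from Microsoft; it walks the Authenticode chain of signed files and reports any certificate whose signature algorithm is MD-based. The path and the `Find-WeakSignedFile` name are assumptions; the friendly names (`md5RSA` and so on) are the ones Windows CryptoAPI uses. Note that it flags weak algorithms in the chain, which is the condition that made the collision possible; a certificate forged by a collision would itself validate as clean.

```powershell
# Added example (not from the thread): report Authenticode-signed files whose
# signer certificate chain contains a certificate signed with MD2/MD4/MD5.
function Find-WeakSignedFile {
    param(
        # Illustrative default; point it at whatever you want to audit.
        [string[]] $Path = @("$env:SystemRoot\System32\*.dll")
    )

    # CryptoAPI friendly names for MD-based RSA signature algorithms.
    $weakAlgorithms = @('md5RSA', 'md4RSA', 'md2RSA')

    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Only chains that Windows itself accepts are interesting here.
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: algorithm check only
        [void] $chain.Build($sig.SignerCertificate)

        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            $alg  = $cert.SignatureAlgorithm.FriendlyName
            if ($weakAlgorithms -contains $alg) {
                [pscustomobject]@{
                    File      = $_.FullName
                    Subject   = $cert.Subject
                    Issuer    = $cert.Issuer
                    Algorithm = $alg
                    NotAfter  = $cert.NotAfter
                }
            }
        }
        $chain.Reset()
    }
}

# Usage: list offending files and the weak certificate in each chain.
Find-WeakSignedFile | Format-Table -AutoSize
```

    A self-signed root also reports its own signature algorithm, so an old MD5-signed root that is still in the trusted store shows up here even when every intermediate below it is SHA-based.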
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    What makes you so sure exactly?
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Just listened to Security Now about this. Apparently, the MD5 collision attack was estimated to have cost about $300,000 of computer time, with some of *the* best mathematical minds in the world, working on it. It's also been linked to Stuxnet (and Duqu was linked to Stuxnet too, IIRC). Hungry Man was right, and the security bloggers were wrong IMO: This thing is a very big deal.

    PD
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That's just a point of view, of course.

    From the standpoint of what this malware does if permitted to install, it has some impressive features.

    From the standpoint of the exploit itself and its attack vector -- initial point of entry -- nothing new is here, and merits -- to quote a previous poster -- a big "ho-hum."

    ----
    rich
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Nothing new? The initial point of entry is the first MD5 collision ever used against users.


    Because an MD5 collision attack on its own is incredibly difficult to pull off and Microsoft has released a new system to directly address it. Even if they hadn't released this new system it's incredibly difficult/ costly.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Doesn't that happen after the malware is already installed?

    Analyzing the MD5 collision in Flame
    http://blog.trailofbits.com/2012/06/11/analyzing-the-md5-collision-in-flame/
    I'm referring to the initial point of entry of the exploit itself:

    Flame Virus: The Basics
    http://tech-authors.com/flame-virus-faqs-answered/

    Analysis has been difficult, but the usual methods are suspected:

    The latter is a good possibility:

    http://watchguardsecuritycenter.com/2012/05/31/what-is-the-flame-worm-and-should-i-worry-about-it/
    ----
    rich
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The MD5 collision is how it initially infects systems.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hmm.. That was not my understanding. From what I've read, I had the idea a system would have to be already infected, and then in order not to raise any suspicions, one of Flame's components would let some of the Windows Update files pass, while passing some bogus ones, making the user believe it was a legitimate update, due to being digitally signed by Microsoft (due to MD5 collision).

    There's a patient zero. If you make patient zero a non-reality, then there's no spreading.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, I've missed something. Can you cite a source for this?

    My understanding is that a network needs a hosted machine infected with Flame. That machine intercepts the Windows Update call from other machines on the network. At that point, the trickery comes into play. This is from a week ago, so you may have more current information:


    http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
    Jun 7, 2012

    ----
    rich
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ah, for the network the initial exploitation may be some other method. But Windows Update/the collision is the exploit used to get onto other systems.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, I understand how you are seeing this.

    My interest is in the initial exploitation on the network, for if that were prevented, none of this collision stuff would be able to happen.


    ----
    rich
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but when you consider patient zero, what's so new that's so scary? The initial focus can be stopped with proper security measures (including human measures).
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well said!


    ----
    rich
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Patient zero isn't exactly all that important. If all it takes is infecting one person to get it started it really doesn't matter who it is, they'll get hacked. At that point the entire network is compromised because of the multiple methods of infection this thing uses, including the MD5 collision and various exploits that, at the time, were probably zero days (though I don't remember/ am literally too lazy to google and check.)
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it matters. It's the patient zero that matters, actually. If there's no patient zero, Flame is nothing but a hype. Just because there are stupid people everywhere, including certain organizations, that doesn't necessarily give any credit to the malware/attacker in question.

    -edit-

    If nothing else, the only great thing that this shows, is that certain people don't mind spending lots of money to attack certain parties. But, the same is not to say that clever people cannot do anything about it. Also, an exploit doesn't necessarily equal an infection.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think the first person really matters the least. The ability to infect any random person is not impressive. There will always be someone willing to click a link, someone with an unpatched system, someone who walks away from their laptop in the Starbucks, whatever. It doesn't matter if *you* are secure, because they aren't, and they can be anyone.

    There will always be the patient zero. There isn't a situation where they don't exist because someone is always vulnerable and that's all it takes to spread.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're not understanding. One thing is people existing who aren't aware of such things, and how to stop them. Another one entirely different is that it's possible to stop it. Period. Stupid people existing doesn't change that, at all. It only means there are stupid people everywhere.

    And, what you're saying is actually what we all know. If there aren't any stupid people and no unaware people, then Flame would be a piece of crap. At least, with its current design. They would have the need to find other exploitable ways; but, even then, we'd have to see if it could/couldn't be prevented.

    @ Everyone

    Please, be aware that I'm calling people within organizations that should be able to secure their networks stupid. In this case, they are stupid.
     
  25. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    When Windows update is set to manual/notify mode does it push itself as a MS update? What name does it use? Just a generic KB number that doesn't exist? Or does it appear as the actual filename itself which would pass thru if people couldn't care to check?
     