The Flame: Questions and Answers

Discussion in 'malware problems & news' started by Dermot7, May 28, 2012.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    I haven't read this whole thread, so I don't know if this has been posted.

    OpenDNS claims to protect from Flame...

     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Link to the whole post?

    I assume they're just blocking domains.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    It's from an email sent to me from OpenDNS.
    Let me see if I can find a web link for it.

    OpenDNS and Flame.jpg
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
  5. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    It is worthy of interest because apparently Microsoft is still using MD5 to sign some of its certificates. MD5 has been proven theoretically passable before, and is now shown to be exploited in the wild. Many Windows security approaches involve trusting Microsoft signed files explicitly, which USUALLY grants a lot of convenience without sacrificing security (but not in this case).
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's worthy of interest for a dozen reasons both due to its obvious political nature and the sophisticated method of attack.
     
  7. guest

    guest Guest

    "Microsoft was still". They already revamped the whole thing.

    See:
    - http://blogs.technet.com/b/pki/
    - http://blogs.technet.com/b/msrc/arc...-list-update-and-the-june-2012-bulletins.aspx
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Pretty sure they're still using MD5 but they're wrapping it in something else. Haven't looked into it. It's irrelevant though because attacking MD5 is incredibly difficult and we're unlikely to see this again with the new system.
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    What makes you so sure exactly?
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Just listened to Security Now about this. Apparently, the MD5 collision attack was estimated to have cost about $300,000 of computer time, with some of *the* best mathematical minds in the world, working on it. It's also been linked to Stuxnet (and Duqu was linked to Stuxnet too, IIRC). Hungry Man was right, and the security bloggers were wrong IMO: This thing is a very big deal.

    PD
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    That's just a point of view, of course.

    From the standpoint of what this malware does if permitted to install, it has some impressive features.

    From the standpoint of the exploit itself and its attack vector -- intital point of entry -- nothing new is here, and merits -- to quote a previous poster -- a big "ho-hum."

    ----
    rich
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Nothing new? The initial point of entry is the first MD5 collision ever used against users.


    Because an MD5 collision attack on its own is incredibly difficult to pull off and Microsoft has released a new system to directly address it. Even if they hadn't released this new system it's incredibly difficult/ costly.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Doesn't that happen after the malware is already installed?

    Analyzing the MD5 collision in Flame
    http://blog.trailofbits.com/2012/06/11/analyzing-the-md5-collision-in-flame/
    I'm referring to the initial point of entry of the explolt itself:

    Flame Virus: The Basics
    http://tech-authors.com/flame-virus-faqs-answered/

    Analysis has been difficult, but the ususal methods are suspected:

    The latter is a good possibility:

    http://watchguardsecuritycenter.com/2012/05/31/what-is-the-flame-worm-and-should-i-worry-about-it/
    ----
    rich
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The MD5 collision is how it initially infects systems.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hmm.. That was not my understanding. From what I've read, I had the idea a system would have to be already infected, and then in order not to raise any suspicions, one of Flame's components would let some of the Windows Update files pass, while passing some bogus ones, making the user believe it was a legitimate update, due to being digitally signed by Microsoft (due to MD5 collision).

    There's a patient zero. If you make patient zero a non-reality, then there's no spreading.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Well, I've missed something. Can you site a source for this?

    My understanding is that a network needs a hosted machine infected with Flame. That machine intercepts the Windows Update call from other machines on the network. At that point, the trickery comes into play. This is from a week ago, so you may have more current information:


    http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
    Jun 7, 2012

    ----
    rich
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Ah, for the network the initial exploitation may be some other method. But Windows Update/the collision is the exploit used to get onto other systems.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    OK, I understand how you are seeing this.

    My interest is in the initial exploitation on the network, for if that were prevented, none of this collision stuff would be able to happen.


    ----
    rich
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but when you consider patient zero, what's so new that's so scary? The initial focus can be stopped with proper security measures (including human measures).
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Well said!


    ----
    rich
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Patient zero isn't exactly all that important. If all it takes is infecting one person to get it started it really doesn't matter who it is, they'll get hacked. At that point the entire network is compromised because of the multiple methods of infection this thing uses, including the MD5 collision and various exploit that, at the time, were probably zero days (though I don't remember/ am literally too lazy to google and check.)
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it matters. It's the patient zero that matters, actually. If there's no patient zero, Flame is nothing but a hype. Just because there are stupid people everywhere, including certain organizations, that doesn't necessarily give any credit to the malware/attacker in question.

    -edit-

    If nothing else, the only great thing that this shows, is that certain people don't mind spending lots of money to attack certain parties. But, the same is not to say that clever people cannot do anything about it. Also, an exploit doesn't necessarily equal an infection.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think the first person really matters the least. The ability to infect any random person is not impressive. There will always be someone willing to click a link, someone with an unpatched system, someone who walks away from their laptop int eh starbucks, whatever. It doesn't matter if *you* are secure, because they aren't, and they can be anyone.

    There will always be the patient zero. There isn't a situation where they don't exist becuase someone is always vulnerable and that's all it takes to spread.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're not understanding. One thing is people existing who aren't aware of such things, and how to stop them. Another one entirely different is that it's possible to stop it. Period. Stupid people existing doesn't change that, at all. It only means there are stupid people everywhere.

    And, what you're saying is actually what we all know. If there aren't any stupid people and no unaware people, then Flame would be a piece of crap. At least, with its current design. They would have the need to find other exploitable ways; but, even then, we'd have to see if it could/couldn't be prevented.

    @ Everyone

    Please, be aware that I'm calling stupid to people within organizations that should be able to secure their networks. In this case, they are stupid.
     
  25. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    When Windows update is set to manual/notify mode does it push itself as a MS update? What name does it use? Just a generic KB number that doesn't exist? Or does it appear as the actual filename itself which would pass thru if people couldn't care to check?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.