Last week, I wrote about a sophisticated new piece of malware called Flame, which infected various organizations in the Middle East. At the time, antivirus vendors had just begun dissecting this advanced new worm, and expected to unveil even more interesting details about it as time went on. It looks like they won’t disappoint.
Today, two interesting new details have surfaced about Flame. More importantly, one requires a Windows update.
First, late Sunday Microsoft released a blog post and Security Advisory warning that the Flame worm leveraged a previously undiscovered flaw in an older Microsoft cryptographic algorithm. Microsoft’s Terminal Server Licensing Service previously shipped with an algorithm that allowed you to create certificates and sign code as though it came from Microsoft itself. Apparently, the Flame worm exploited this fact to sign its code with seemingly legitimate Microsoft certificates, which helps it spread on local networks. More specifically, Flame implements an interesting Man-in-the-Middle (MitM) attack, where it redirects local Windows Update requests through an infected machine. The infected machine then delivers infected “updates” to those new victims. Since the infected update is signed with a perfectly legitimate Microsoft certificate, the victim machine installs the booby-trapped update without any warnings.
Happily, Microsoft has released an update and taken action to ensure that bad guys can no longer leverage this flawed cryptographic algorithm to generate rogue certificates in the future. They have also revoked the trust associated with two intermediate CA certificates, which prevents your Windows computers from trusting Flame’s rogue certificates. If you are a Windows user, I recommend you download and install this update as soon as you can, or let Windows Automatic Update do it for you.
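One visibility check that follows from the Windows Update redirection described above: a client should never see a Windows Update hostname resolve to an address on its own LAN. The script below is an added example, not code from the original post or from WatchGuard; it assumes a hypothetical resolver log format ("timestamp client query A answer") and uses constructed sample lines, with documentation-range addresses standing in for Microsoft’s real ones.

```python
import ipaddress
import re

# Windows Update hostnames (suffix match); a client should never resolve these to a LAN address.
UPDATE_HOST_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")

# RFC 1918 ranges: an answer inside these means the "update" is being served from the local network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample resolver log (hypothetical format: "<timestamp> <client> <query> A <answer>").
# 203.0.113.0/24 is documentation address space standing in for Microsoft's real servers.
SAMPLE_LOG = """\
2012-06-04T10:01:12Z 10.0.5.21 www.update.microsoft.com A 203.0.113.10
2012-06-04T10:01:13Z 10.0.5.21 download.windowsupdate.com A 10.0.5.77
2012-06-04T10:02:40Z 10.0.5.33 www.example.com A 203.0.113.20
2012-06-04T10:03:02Z 10.0.5.33 www.update.microsoft.com A 10.0.5.77
2012-06-04T10:03:05Z 10.0.5.33 fileserver.corp.example A 10.0.5.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


def is_update_host(name):
    """True if the queried name is a Windows Update hostname or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in UPDATE_HOST_SUFFIXES)


def is_rfc1918(addr):
    """True if the answer is a private (RFC 1918) address; non-IP strings are never flagged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def find_redirected_update_lookups(log_text):
    """Return (client, query, answer) for every update lookup that resolved to a LAN address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not A-record answers in the assumed format
        _ts, client, query, answer = m.groups()
        if is_update_host(query) and is_rfc1918(answer):
            hits.append((client, query, answer))
    return hits


if __name__ == "__main__":
    for client, query, answer in find_redirected_update_lookups(SAMPLE_LOG):
        print(f"ALERT {client}: {query} resolved to LAN address {answer}")
```

On a real network, an internal caching proxy that answers for these names would also trip this rule, so allowlist known infrastructure before alerting on it.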
The second Flame update has to do with its actual age. In my initial post, I shared that Kaspersky suspected the Flame malware had been around since at least March 2010. New information suggests it’s even older. Over the last week, Kaspersky and OpenDNS have collaborated to further analyse Flame, focusing on its command & control (C&C) domains. OpenDNS reports they found at least 85 C&C domains embedded into Flame. More interestingly, the first of these domains was registered as far back as March 2008. This suggests that the Flame attack started two years earlier than first suspected, and also demonstrates just how long advanced malware (or APTs) might hide on a network before being discovered.
This is probably the scariest aspect of these APT malware attacks — that malware can infect protected systems and live on those networks for months, or even years, without being noticed. Security experts have long suggested this was possible, but some people have to see it to believe it. So what’s the takeaway? How about, “visibility is defense.”
As a security industry, we often focus a lot on prevention technologies: things that help keep your network from being breached in the first place. While prevention is very important, the truth is you’ll never block every attack. Even if you have the best network defense in the world, an unsuspecting user could accidentally walk malware through your back door. That’s why administrators also need to focus on visibility tools as part of their security policy. Malware detection, incident handling, and disaster recovery are just as important to security as preventative security controls. If you are not already using graphical network monitors to keep track of what’s happening on your network, start doing so immediately (some of WatchGuard’s real-time monitors can help).
That covers today’s Flame updates. However, I suspect researchers will continue to find interesting new aspects to this headline-grabbing malware for weeks and months to come. I’ll be sure to continue filling you in on the more relevant updates here. — Corey Nachreiner, CISSP (@SecAdept)