Windows Update is Microsoft’s tried-and-true method of distributing security patches to protect computers around the world from malicious code.
However, researchers investigating the mysterious Flame virus have found that the virus can spread by hijacking that very same system, inserting itself into the Windows Update process to spread malicious code across a network.
The revelation comes on top of the earlier news that the virus’s creators exploited a flaw in a Microsoft cryptography algorithm to create a counterfeit digital signature, making it appear as if the malicious code came from Microsoft.
In other words, to the computer being infected, it looks as if it is receiving a normal update from Microsoft, through the normal update process, when in fact neither of those things is true.
That is called a man-in-the-middle attack, and the fact that someone has pulled it off with Windows Update is an eye-opener, to say the least. The silver lining is that it is a narrow attack, targeting computers in Iran and other parts of the Middle East.
However, researchers are describing it as an unsettling precedent, and a potential nightmare.
“Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened,” writes F-Secure’s chief research officer, Mikko Hypponen, in a post explaining how the process works. “I guess the good news is that this wasn’t done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, probably launched by a Western intelligence agency.”
Microsoft over the weekend released an emergency security update to block software using the bogus digital signatures, the ones that made the nasty code appear to be authorized by Microsoft, and fixed the bug that allowed the signatures to be created.
In a follow-up post yesterday acknowledging the latest revelations, Microsoft’s Security Response Center wrote that the company would be taking additional steps “to further harden Windows Update” against these kinds of attacks. The post by MSRC senior director Mike Reavey noted (emphasis added) …
The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.
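The MSRC note above separates two ways a signer can be abused: a collision against the hash used in the issuer’s signature, and a certificate that was never meant for code signing being accepted for it. As an added example (not code from the article, Microsoft or Kaspersky), the stdlib-only Python below decodes a signer certificate’s Extended Key Usage extension from DER and rejects a signer that lacks the codeSigning purpose, has no EKU at all, or was signed with MD5; it covers only this certificate-policy half of the check, not chain validation or the network side, and the EKU bytes are constructed samples.

```python
from typing import List, Optional, Tuple
# Standard OIDs used by the policy (not page-specific values).
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"          # id-kp-codeSigning
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4"}    # md5WithRSAEncryption: collision-prone

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(ext_value: bytes) -> List[str]:
    """Parse an ExtKeyUsageSyntax (SEQUENCE OF OID); short-form lengths only."""
    if ext_value[0] != 0x30 or ext_value[1] & 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    end, pos, oids = 2 + ext_value[1], 2, []
    while pos < end:
        tag, length = ext_value[pos], ext_value[pos + 1]
        if tag != 0x06:
            raise ValueError("EKU entry is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(ext_value[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def trusted_for_code_signing(eku_value: Optional[bytes], sig_alg_oid: str) -> Tuple[bool, str]:
    """Return (accepted, reason) given the signer's EKU extension value and the OID of
    the algorithm its issuer signed it with. Many verifiers treat a missing EKU as
    'any purpose'; this policy rejects it instead."""
    if sig_alg_oid in WEAK_SIG_ALGS:
        return False, f"issuer signature algorithm {sig_alg_oid} is collision-prone"
    if eku_value is None:
        return False, "no Extended Key Usage: certificate purpose is unrestricted"
    oids = parse_eku(eku_value)
    if CODE_SIGNING not in oids:
        return False, f"EKU {oids} does not include codeSigning"
    return True, "signer explicitly authorised for code signing"

# Constructed sample inputs (hand-encoded DER), not taken from any real certificate.
EKU_CODE_SIGNING = bytes.fromhex("300a06082b06010505070303")   # codeSigning only
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")    # serverAuth only
SHA256_RSA, MD5_RSA = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.4"

if __name__ == "__main__":
    for case in [(EKU_CODE_SIGNING, SHA256_RSA), (EKU_SERVER_AUTH, SHA256_RSA),
                 (EKU_CODE_SIGNING, MD5_RSA), (None, SHA256_RSA)]:
        print(trusted_for_code_signing(*case))
```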
Aleks Gostev of Kaspersky Lab has a detailed technical explanation here, noting that the hijacking of Windows Update spreads the Flame virus across a network by leveraging a machine that has already been compromised.
Gostev explains, “When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client.”
He says the initial infection may still be happening by exploiting “zero-day” vulnerabilities, known security holes for which patches aren’t yet available.
Gostev notes that the latest revelations confirm Kaspersky’s initial belief that Flame is “one of the most interesting and complex malicious programs we have ever seen.”