As part of its monthly “Patch Tuesday” security updates for June, Microsoft announced changes in how Windows manages certificates. These changes include a new automatic updater tool for Windows 7 and Windows Vista that will flag stolen or known forged certificates. This shift will have a huge impact on companies and software vendors who use Microsoft’s implementation of public key infrastructure as part of their authentication and software distribution—especially if they haven’t followed best practices for certificates in the past…
(via Flame malware hijacks Windows Update to spread from PC to PC | Ars Technica)
The certification path of the certificate used to sign WuSetupV.exe, which masquerades as a legitimate Windows Update from Microsoft.
The Flame espionage malware targeting Iranian computers contains code that can completely hijack the Windows update mechanism that Microsoft uses to distribute security patches to hundreds of millions of its users, security researchers said Monday.
Flame components known as “Gadget” and “Munch” allow Flame operators to mount a man-in-the-middle attack against computers connected to a local network that hosts at least one machine already infected by the malware, Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. By exploiting weaknesses in Microsoft’s Terminal Server product—and poor key-management decisions made by Microsoft engineers—the Flame architects were able to produce cryptographic seals falsely certifying that their malicious wares had been produced by Microsoft.
Microsoft issued an emergency update on Sunday that added three certificate authorities to its list of untrusted certificates, but it’s unclear how useful such measures will be at repairing the damage. Company officials have yet to acknowledge the susceptibility of the update process or to provide guidance for customers whose networks may already be compromised. A representative with Microsoft’s outside PR firm told Ars that Microsoft “doesn’t have anything further to share at this time,” and referred reporters to a series of blog posts that didn’t address these unanswered questions.
According to Kaspersky’s Gostev, Flame attackers have been using the same fraudulent Microsoft certificates to spoof the company’s widely used Windows update mechanism. Other researchers quickly weighed in on the enormity of the attack.
“Having a Microsoft code signing certificate is the Holy Grail of malware writers,” Mikko Hypponen, chief research officer of antivirus provider F-Secure, blogged on Monday. “This has now happened.”
A separate blog post published Monday by Symantec researchers further catalogs the enormous data collection capabilities of Flame. “The sheer breadth of functionality and size sets it apart,” Symantec researchers wrote. “Even describing it as an industrial vacuum cleaner does not do it justice.”
The Flame modules are able to bypass the legitimate Windows update by setting up a fake server named MSHOME-F3BE293C on networks that host an infected machine. When machines attached to the network run software that advertises itself as an official Microsoft update, the fake server delivers the Flame malware instead, causing those machines to also become infected.
Right now, Microsoft is using its emergency update process to push a patch that mitigates a Windows threat that can hijack the emergency update process. No doubt, end users should install the patch as soon as possible. But it’s naive to think this out-of-band fix will repair the damage done to networks already hit by Flame, at least until Microsoft representatives provide additional guidance.
(via Iran-targeting Flame malware used huge network to steal blueprints | Ars Technica)
Attackers behind the Flame espionage malware that targeted computers in Iran used more than 80 different domain names to siphon computer-generated designs, PDF files, and e-mail from its victims, according to a new analysis from researchers who helped discover the threat.
The unknown authors of Flame shut down the sprawling command-and-control (C&C) infrastructure immediately after last Monday’s disclosure that the highly sophisticated malware had remained undetected for at least two years on computers belonging to government-run organizations, private companies, and others. The 80 separate domain names were registered using a huge roster of fake identities, and some of the addresses were secured more than four years ago.
“The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008,” Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. “In general, each fake identity registered only 2-3 domains, but there are some rare cases when a fake identity registered up to 4 domains…”
(via “Flame” malware was signed by rogue Microsoft certificate | Ars Technica)
Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital signatures was being abused to certify the validity of the Flame malware that has infected computers in Iran and other Middle Eastern countries.
The compromise exploited weaknesses in Terminal Server, a service many enterprises use to provide remote access to end-user computers. By targeting an undisclosed encryption algorithm Microsoft used to issue licenses for the service, attackers were able to create rogue intermediate certificate authorities that contained the imprimatur of Microsoft’s own root authority certificate—an extremely sensitive cryptographic seal. Rogue intermediate certificate authorities that contained the stamp were then able to trick administrators and end users into trusting various Flame components by falsely certifying they were produced by Microsoft…
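A defender-side check for the situation described in the excerpts above, added here as an example and not code from either article or from Microsoft: it walks the Authenticode certificate chain of a binary and reports any chain element that Windows has placed in the machine’s Disallowed (untrusted) certificate store, which is where the emergency update put the abused certificate authorities. The script parameter name and the binary path are assumptions supplied by the operator.

```powershell
# Added example (not from the quoted articles). Run in Windows PowerShell on
# the machine whose trust stores you want to evaluate.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumed: path to a downloaded update or installer binary
)

# Thumbprints of every certificate this machine currently distrusts.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Output "UNSIGNED: $Path ($($sig.Status))"
    return
}

# Build the chain the way the platform does, picking up intermediates carried
# inside the signature. Revocation checking is disabled so the check runs
# offline; enable it for a production verification.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)

$verdict = "OK"
foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    $tp = $cert.Thumbprint.ToUpperInvariant()
    $hit = $disallowed -contains $tp
    # Per-element status from the platform (e.g. ExplicitDistrust, NotTimeValid).
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ","
    $label = if ($hit) { "DISALLOWED" } else { "chain" }
    Write-Output ("{0,-10} {1}  {2}  [{3}]" -f $label, $tp, $cert.Subject, $status)
    if ($hit) { $verdict = "REJECT" }
}
Write-Output "Authenticode status: $($sig.Status); verdict: $verdict"
```

A chain that passes through any distrusted intermediate yields REJECT even when the leaf signature itself verifies, which is the case the emergency update was meant to catch.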
(via Iran Confirms Attack by a Virus That Steals Data - NYTimes.com)
The computer virus known as Flame as shown by the Russian computer security firm Kaspersky Lab.
TEHRAN — The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.
In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.
Flame, which experts say could be as much as five years old, was discovered by Iranian computer experts. In a statement about Flame on its Web site, Kaspersky Lab, a Russian producer of antivirus software, said that “the complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date.”
The virus bears special encryption hallmarks that an Iranian cyberdefense official said have strong similarities to previous Israeli malware. “Its encryption has a special pattern which you only see coming from Israel,” said Kamran Napelian, an official with Iran’s Computer Emergency Response Team. “Unfortunately, they are very powerful in the field of I.T.”…