Windows Update compromised
Source: Symantec

The developers of the Flame superspy managed something that had previously only been imagined by experienced security experts in their sketches of catastrophe scenarios: using the integrated Windows Update to infect Windows systems. Symantec's virus researchers have now figured out that Flame managed this feat by using a function in Internet Explorer that automatically detects proxy servers in a local network.
Internet Explorer (IE) uses the Web Proxy Auto-Discovery Protocol (WPAD) to detect any proxy servers that may be in the local network and tries to fetch the wpad.dat configuration file from a machine named wpad in the same domain. IE first asks the DNS server for wpad's IP address and falls back to a NetBIOS name broadcast if the DNS server has no such record.
Snack, a Flame component, lurks on the already infected system waiting for exactly this kind of request, which it then answers, claiming to be the "wpad" computer. Snack then sends the potential victim a wpad.dat file that has the already infected system's IP as the proxy. Munch, the Flame proxy, starts handling the incoming data traffic at this point, simply letting most of it through to minimise suspicion.
The malware does, however, reroute certain queries. Attempts to connect to Windows Update, for example, get sent to the Gadget component, which then makes it appear as though a system update is available. If the victim tries to download the supposed update, Gadget sends the Tumbler infection program to the targeted computer, which executes it without complaint.
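The proxy hijack described above leaves two traces a defender can look for: a NetBIOS name answer for "WPAD" coming from a host that is not the organisation's proxy, and a served wpad.dat whose PROXY directive points at an ordinary workstation. The following Python is an added example, not code from Symantec or from the article; the key=value log format and the sample PAC file are constructed for illustration, and a real deployment would feed in its own DNS/NBNS/HTTP telemetry.

```python
import re

# Constructed sample PAC file, modelled on what a rogue "wpad" host would hand out:
# every non-local request is routed through 10.0.0.37, a workstation, not a proxy.
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY 10.0.0.37:80; DIRECT";
}
"""

# Constructed log lines in a hypothetical 'timestamp key=value ...' format showing the
# exact fallback path: DNS has no wpad record, so a NetBIOS answer wins.
SAMPLE_LOG = """\
2012-06-04T10:21:33Z proto=dns  name=wpad.corp.example answer=NXDOMAIN src=10.0.0.2
2012-06-04T10:21:34Z proto=nbns name=WPAD answer=10.0.0.37 src=10.0.0.37
2012-06-04T10:21:35Z proto=http method=GET url=http://wpad/wpad.dat dst=10.0.0.37
2012-06-04T11:02:10Z proto=nbns name=FILESRV answer=10.0.0.5 src=10.0.0.5
"""

# Matches 'PROXY host:port' inside a PAC return string (bracketed IPv6 hosts are not handled).
PROXY_DIRECTIVE = re.compile(r'PROXY\s+([^\s:;"]+):(\d+)')


def parse_pac_proxies(pac_text):
    """Return the (host, port) pairs named in PROXY directives of a PAC file."""
    return [(host, int(port)) for host, port in PROXY_DIRECTIVE.findall(pac_text)]


def audit_pac(pac_text, approved):
    """Return every proxy in the PAC that is not in the approved set of 'host:port' strings."""
    return [f"{h}:{p}" for h, p in parse_pac_proxies(pac_text) if f"{h}:{p}" not in approved]


def parse_kv_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_wpad_anomalies(log_text, expected_wpad=None):
    """Flag NetBIOS name answers for WPAD from anywhere but the expected host.

    expected_wpad: IP of the organisation's legitimate WPAD server, or None if it has
    none, in which case every NetBIOS answer for WPAD is suspicious (DNS should have
    answered first, and nothing on the LAN should claim the name).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv_line(line)
        if f.get("proto") == "nbns" and f.get("name", "").upper() == "WPAD":
            if expected_wpad is None or f.get("answer") != expected_wpad:
                findings.append({
                    "ts": f["ts"],
                    "src": f.get("src"),
                    "answer": f.get("answer"),
                    "reason": "NetBIOS answer for WPAD from unexpected host",
                })
    return findings


if __name__ == "__main__":
    for finding in find_wpad_anomalies(SAMPLE_LOG):
        print(finding)
    print("unapproved proxies in PAC:", audit_pac(SAMPLE_PAC, {"proxy.corp.example:8080"}))
```

Correlating the two checks is what makes the signal strong: a single NBNS answer for WPAD might be a misconfigured host, but an NBNS answer followed by a wpad.dat that names the answering machine as the proxy is the pattern the article describes.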
The targeted machine believes that Tumbler is a legitimate system update because it has been signed with a valid certificate from Microsoft. The developers of Flame apparently obtained the certificate thanks to a lapse in Microsoft's security. The company seems to have still been using MD5 hashes – which have been considered insecure for some time now – to sign certificates for a service for corporate clients. The parties behind the virus most likely exploited this lapse with a collision attack to obtain a fraudulent certificate that could be used to sign malicious code.
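The lapse the article describes is visible in the certificate itself: the signatureAlgorithm field of an X.509 certificate names the hash used by the issuer. The Python below is an added example, not code from Microsoft or Symantec; it parses just enough DER with the standard library to read that field and flag MD5 (and SHA-1) signatures. The certificate bytes it checks are a constructed skeleton built by `build_demo_cert`, not a real certificate, because only the outer structure matters for the check. In practice the test would be run over every certificate in a chain, since the weak signature that mattered here sat at an intermediate (sub-CA) level rather than on the leaf.

```python
# Signature-algorithm OIDs (real values from PKCS#1 and RFC 5758) and whether a
# defender should reject certificates signed with them.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form (first two arcs via the 40*x+y rule)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_oid(cert_der):
    """Return the OID from the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)            # tbsCertificate, skipped
    alg_tag, alg_body, _ = read_tlv(body, pos)  # signatureAlgorithm
    if alg_tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid_bytes, _ = read_tlv(alg_body, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_bytes)


def assess_signature(cert_der):
    """Return (oid, name, weak). Unknown algorithms are treated as weak, i.e. not trusted."""
    oid = certificate_signature_oid(cert_der)
    name, weak = SIGNATURE_ALGORITHMS.get(oid, ("unknown", True))
    return oid, name, weak


# --- helpers that build the constructed demo certificates -------------------------

def der(tag, payload):
    """Encode one DER TLV."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_demo_cert(sig_oid):
    """Constructed, deliberately minimal certificate skeleton: a stub tbsCertificate
    (just a version INTEGER), a real AlgorithmIdentifier, and a one-byte BIT STRING.
    It is not a valid certificate; it only exercises the outer structure the check reads."""
    tbs = der(0x30, der(0x02, b"\x02"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00\xab")
    return der(0x30, tbs + alg + sig)


MD5_SIGNED = build_demo_cert("1.2.840.113549.1.1.4")
SHA256_SIGNED = build_demo_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for label, cert in (("md5 demo", MD5_SIGNED), ("sha256 demo", SHA256_SIGNED)):
        print(label, assess_signature(cert))
```

The same field can be read with `openssl x509 -noout -text` for a real certificate; the value of doing it in code is being able to walk a whole chain and refuse to trust any link signed with MD5, which is the policy Microsoft's emergency patch enforced by revoking the affected sub-CAs.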
Tumbler checks whether the system has an anti-virus program before it downloads the actual Flame malware from the computer that was first infected. Pieces of this method were already well-known: in 2009, for instance, a security expert described how a machine could use WPAD and NetBIOS to pass itself off as a proxy to other computers in the network. Collision attacks on SSL certificates are also nothing new.
But it was the developers of Flame who finally managed to put the puzzle together once they discovered the vulnerable algorithm in Microsoft's infrastructure that issued the required certificates. Microsoft's first reaction was to issue an emergency patch that revokes trust in the affected sub-CAs so that Windows no longer falls for the fake updates.
The company also plans further precautions to harden Windows Update. There's not much danger of being infected with malicious code via Windows Update if you're in Europe or the US, since Flame is a spying tool that, as far as we know, was mostly used in the Middle East and only for very specific purposes.