Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code

It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.

And that’s exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.

According to Microsoft, which has been analyzing Flame along with numerous antivirus researchers since it was publicly exposed last Monday, researchers there discovered that a component of Flame was designed to spread from one infected computer to other machines on the same network using a rogue certificate obtained via such a man-in-the-middle attack. When uninfected computers update themselves, Flame intercepts the request to the Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.

“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center Senior Director Mike Reavey wrote in a blog post published Sunday.

To generate their fake certificate, the attackers exploited a vulnerability in a cryptography algorithm that Microsoft uses for enterprise customers to set up Remote Desktop service on machines. The Terminal Server Licensing Service provides certificates with the ability to sign code, which is what allowed the rogue code to be signed as if it came from Microsoft.

Microsoft has provided information to explain how the flaw occurred in its system.

Reavey notes that since Flame is a highly targeted piece of malware that is believed to have infected fewer than 1,000 machines, the immediate risk from Flame is not great. But other attackers could have been exploiting the vulnerability as well. And the fact that this vulnerability existed in the first place is what has security experts all aflame. Code that is officially signed by Microsoft is considered safe by millions of machines around the world, something that put them all at risk.

“The discovery of a bug that’s been used to circumvent Microsoft’s secure code certificate hierarchy is a major breach of trust, and it’s a big deal for every Microsoft user,” Andrew Storms, director of security operations for nCircle, told PC World. “It also underscores the delicate and problematic nature of the trust models behind every Internet transaction.”

According to Kaspersky Lab, which discovered the Flame malware about three weeks ago, the certificate is used by a component of Flame called “Gadget” to spread the malware from one infected machine to others on a network. It was the use of this rogue certificate that is believed to have allowed Flame to infect at least one fully patched Windows 7 machine, according to Alexander Gostev, chief security expert at the Lab.

Here’s how it works:

When a machine on a network attempts to connect to Microsoft’s Windows Update service, the connection gets redirected through an infected machine first, which sends a fake, malicious Windows Update to the requesting machine. The fake update claims to be code that will help display gadgets on a user’s desktop.

The fake update looks like this:

<update description="Allows you to display gadgets on your desktop."
displayName="Desktop Gadget Platform" name="WindowsGadgetPlatform">

If the ruse works, a malicious file called WuSetupV.exe gets deposited on the machine. Since the file is signed with a fake Microsoft certificate, it appears to the user to be legitimate, and therefore the user’s machine allows the program to run on the machine without issuing a desktop warning.

The Gadget component was compiled by the attackers on Dec. 27, 2010, according to Gostev in a blog post, and was implemented in the malware about two weeks later.

The following is exactly how the process occurs: The infected machine sets up a fake server by the name “MSHOME-F3BE293C”, which hosts a script that serves a full body of the Flame malware to victim machines. This is done by the module called “Munch”.

When a victim updates itself via Windows Update, the query is intercepted and the fake update is pushed. The fake update proceeds to download the main body and infect the computer.

The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, however, the machines need to have their System Proxy settings configured to “Auto”.
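Because the interception depends on a machine answering WPAD discovery, defenders can watch for hosts that answer for the WPAD name without being the sanctioned proxy-configuration server. The following detection sketch is an added example, not code from the article, Microsoft or Kaspersky. The event tuple layout, the authorized server address and all sample records are constructed assumptions; only the server name MSHOME-F3BE293C comes from the article.

```python
from collections import defaultdict

AUTHORIZED_WPAD = {"10.0.0.5"}          # assumption: the sanctioned proxy-config host
FLAME_SERVER_NAME = "MSHOME-F3BE293C"   # fake server name reported in the article

# Constructed sample events: (protocol, queried name, responder IP, responder host name)
SAMPLE_EVENTS = [
    ("DNS",   "wpad.corp.example.", "10.0.0.5",  "PROXYCFG01"),
    ("NBNS",  "WPAD<00>",           "10.0.3.77", "WS-ACCT-12"),
    ("NBNS",  "FILESRV<20>",        "10.0.3.20", "FILESRV"),
    ("LLMNR", "wpad",               "10.0.3.77", "WS-ACCT-12"),
    ("NBNS",  "WPAD<00>",           "10.0.4.18", "MSHOME-F3BE293C"),
]


def is_wpad_name(name):
    """True for 'wpad' or 'wpad.<domain>'; ignores case, NetBIOS suffix, trailing dot."""
    base = name.split("<")[0].strip().rstrip(".").lower()
    return base.split(".")[0] == "wpad"


def find_rogue_wpad(events, authorized=AUTHORIZED_WPAD):
    """Return {responder_ip: summary} for unsanctioned hosts answering WPAD lookups."""
    hits = defaultdict(lambda: {"answers": 0, "protocols": set(), "hosts": set()})
    for proto, qname, ip, host in events:
        if is_wpad_name(qname) and ip not in authorized:
            hit = hits[ip]
            hit["answers"] += 1
            hit["protocols"].add(proto)
            hit["hosts"].add(host.upper())
    report = {}
    for ip, hit in hits.items():
        # A responder using the server name from the article is escalated.
        known = FLAME_SERVER_NAME in hit["hosts"]
        report[ip] = {
            "answers": hit["answers"],
            "protocols": sorted(hit["protocols"]),
            "hosts": sorted(hit["hosts"]),
            "severity": "critical" if known else "high",
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(find_rogue_wpad(SAMPLE_EVENTS).items()):
        print(ip, info)
```
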

Microsoft has revoked the certificate and fixed the vulnerability via an update. Hopefully, the update will not be man-in-the-middled.
