Spreading the Flame: Skywiper Employs ‘Windows Update’

Microsoft has issued Security Advisory 2718704, in which the company disclosed that it recently became aware of the Flamer/Skywiper threat, which uses certificates derived from the Microsoft Certificate Authority.

The actual certificate in question was used to sign at least one of the attack components associated with the module in the Skywiper framework.

This is how the digital certificate looks like on the module:

The certificate was valid between February 19, 2010 to February 19, 2012, in the Pacific time zone. (Other certificates might have been issued in a similar manner.)

Clearly, the certificate has been valid for the last two years. In an earlier blog, we hinted that this attack might involve digital certificates on some of its components. It is possible that other components also used digital signatures to carry out variations of this attack.

Further investigation of the downloader component shows that it was compiled on December 27, 2010, also Pacific time.

File Header:

Machine: 014C (i386)

Number of Sections: 0004

TimeDateStamp:      4D1894AE -> Mon Dec 27 07:29:18 2010

A SigCheck from the SysInternals suite shows the following information on the attack component:

Verified:       Signed



Microsoft LSRA PA

Microsoft Enforced Licensing Registration Authority CA

Microsoft Enforced Licensing Intermediate PCA

Microsoft Root Authority

Signing date:   8:54 AM 12/28/2010

Publisher:      n/a

Description:    n/a

Product:        n/a

Version:        n/a

File version:   n/a

The certificate used to sign this file was originally issued by a Terminal Server Licensing Intermediate Certificate Authority. That means the certificate was supposed to be used only to authenticate users connecting to the Terminal Server but, due to a mistake in the CA configuration, it could be used to sign code, too.

Further research from Microsoft says the digital certificate used in the Windows Update attack required a forged certificate to be accepted by Windows Vista and later versions. The configuration error allows the certificate to be used for code signing only in versions prior to Vista. The attacker must to perform a chosen prefix collision attack targeting an MD5 hash to create a forged certificate and make it acceptable for Vista and later. Years ago a paper titled “MD5 Considered Harmful Today” authored by Alexander Sotirov, Marc Stevens,
Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger described a very similar attack on x.509 certificates. However in a new presentation on the subject there appear to be key differences in this implementation and is possibly an entirely different work.

Microsoft’s revocation of this Intermediate CA does not affect the trustworthiness of any other certificate issued by Microsoft itself. Only certificates issued to users of Terminal Server would need to have their certificates reissued by their system admins.

To pull off this attack, the worm module creates a server called MSHOME-F3BE293C on the infected machine, and intercepts Windows update requests from nearby machines if the network settings allow a Windows update “proxy” using the Web Proxy Auto-Discovery Protocol. The server supplies a signed executable within CAB packages for Windows Update on the local network. (Such redirection attack opportunities have been discussed publicly, many times.) This step facilitates the infection of the local network, with a very silent, “below the radar” distribution mechanism.

An updated map of Skywiper infections based on our current information looks like this:

The targeted attacks of this threat are limited to a few individuals, organizations, and institutions, with the largest infection numbers reported from Iran.