An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
June 8, 2012 11:13 AM

"Flame" is the name of a newly-identified malware program which utilizes a previously unknown MD5 collision attack to successfully spoof Microsoft Terminal Services, and install itself as a trusted program using Windows Update, Microsoft has confirmed. The program appears to have targeted computers in the Middle East, and specifically Iran; analysts have alleged it is likely created by the same entity that designed Stuxnet. Flame has been live and actively spying since 2010, but went undetected until recently, due to sophisticated anti-detection measures.

While anonymous US officials have claimed responsibility for the program, officially both the USA and Israel have denied any involvement.
posted by mek (52 comments total) 21 users marked this as a favorite
 
What's the likelihood the entity that created this had direct consultation with some salaried folks in Redmond, Washington?

P.S. "Flame" is one letter above lame. Next time you guys are naming these things, PM me and I'll come up with some awesome names... if Weedlord Bonerhitler isn't already in use...
posted by Bathtub Bobsled at 11:19 AM on June 8, 2012 [13 favorites]


If they had Microsoft's help I don't think they would need to use an unknown MD5 collision.
posted by The Lamplighter at 11:21 AM on June 8, 2012 [3 favorites]


Actually, that's a very good point Lamplighter.

Disregard.
posted by Bathtub Bobsled at 11:23 AM on June 8, 2012


A collision attack!? Who could've seen that one coming?
posted by mullingitover at 11:27 AM on June 8, 2012 [2 favorites]


I've been following this the past couple of days and I've been particularly interested in how they used the Terminal Services cert to sign bogus updates. From what I hear, signing bogus updates with a Terminal Services cert just worked for older versions of Windows, but newer versions had additional checks in place. The MD5 collision attack was used to bypass the checks in newer versions.

An additional wrinkle is that Flame has started uninstalling itself after a command was sent out by whoever created it.

It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous.
posted by Ad hominem at 11:29 AM on June 8, 2012 [1 favorite]


I cannot wait for the blowback from this one. The best consequences are always the unintended ones!
posted by mr_roboto at 11:31 AM on June 8, 2012 [6 favorites]


It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous.

That's the downside of working for the NSA...
posted by aspo at 11:31 AM on June 8, 2012 [8 favorites]


That's the downside of working for the NSA...

The upside? Hawaii and rainbows!
posted by rh at 11:35 AM on June 8, 2012 [4 favorites]


The best consequences are always the unintended ones!

Because the US government and Microsoft can work hand-in-hand to backdoor "enemies", it won't be long before all the bad guys just use Linux instead.

Unintended Consequence: Anyone using Linux is possibly a terrorist.

Also, this seems appropriate.
posted by mmrtnt at 11:38 AM on June 8, 2012 [4 favorites]


A collision attack!? Who could've seen that one coming?
From the link:

Do not use the MD5 algorithm
Do not use the MD5 algorithm
Do not use the MD5 algorithm
Do not use the MD5 algorithm
Do not use the MD5 algorithm
Do not use the MD5 algorithm
posted by Talez at 11:41 AM on June 8, 2012 [2 favorites]


I don't think Microsoft worked hand-in-hand on this. Windows Update is now completely untrustworthy for millions of machines.
posted by Ad hominem at 11:42 AM on June 8, 2012


mmrtnt: "Unintended Consequence: Anyone using Linux is possibly a terrorist."

More like "Unintended Consequence: Linux is found to be just as buggy and insecure as Windows".
posted by pwnguin at 11:44 AM on June 8, 2012 [4 favorites]


I, for one, welcome the made-for-TV movie about a team of top-secret virus-writing hacker-spies and their thrilling and sexy adventures. Within 3 years. Mark my words. 'Cause this stuff is gold.
posted by BrashTech at 12:00 PM on June 8, 2012 [1 favorite]


Ad hominem:
"It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous."
Why publish any more when you can make a bunch of money?
BTW, that article really worries me.
posted by charred husk at 12:02 PM on June 8, 2012


It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous.

Try infuriating. This is basically math kept secret for reasons of national security.

More like "Unintended Consequence: Linux is found to be just as buggy and insecure as Windows".

Yeah they all the same amirite
posted by JHarris at 12:03 PM on June 8, 2012 [4 favorites]


Really it isn't an issue if Linux or OS X or OpenBSD is more secure if your attacker is a federal agency with a near unlimited budget and also full of Good Will Hunting-type super-geniuses.
They probably have 0-day exploits ready to go for every OS ever written, the same way the DOD just had two Hubbles lying around taking up space.
posted by Ad hominem at 12:21 PM on June 8, 2012 [18 favorites]


If the authors of Flame had received help from microsoft, it would never have installed properly.
posted by Stonestock Relentless at 12:21 PM on June 8, 2012 [14 favorites]


Flame is apparently in the process of self-destructing.
posted by sparkletone at 12:25 PM on June 8, 2012 [1 favorite]


If the authors of Flame had received help from microsoft, it would never have installed properly.
It looks like you're trying to subvert a nation state!

Would you like help?

o Get help with subverting the nation state
o Just subvert the nation state without help

□ Don't show me this tip again
posted by Flunkie at 12:28 PM on June 8, 2012 [48 favorites]


Bad news: We probably don't live in a Star Trek future.
Worse news: We definitely live in a William Gibson future.
posted by CBrachyrhynchos at 12:36 PM on June 8, 2012 [4 favorites]


a federal agency with a near unlimited budget and also full of good will hunting type super-geniuses.

I'd suggest that the federal agency enjoys one of those two things.
posted by -harlequin- at 12:38 PM on June 8, 2012 [3 favorites]


It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous.

Unlike all the other household names that published previously.
posted by cjorgensen at 12:50 PM on June 8, 2012 [1 favorite]


cjorgensen, where's your Free Kevin! T-shirt?
posted by k5.user at 12:54 PM on June 8, 2012


Oh, snap! I'm surprised you restrained yourself from using a dollar sign for the S. Oh, well played indeed.
posted by gilrain at 3:35 PM on June 8


ignorance is bli$$.
posted by quonsar II: smock fishpants and the temple of foon at 1:01 PM on June 8, 2012 [2 favorites]


Do not use the MD5 algorithm

Just wanted to add that Wikipedia mentions SHA-2 as a currently acceptable alternative.

I was interested in finding out more about the command and control servers and found this excellent analysis. It's from an analyst at Kaspersky and details the process by which they identified the servers, talks about the malware and compares it to Duqu.

Summary and conclusions:
*The Flame command-and-control infrastructure, which had been operating for years, went offline immediately after our disclosure of the malware’s existence last week.
*We identified about 80 total domains which appear to belong to the Flame C&C infrastructure.
*The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
*The attackers seem to have a high interest in PDF documents, Office and AutoCad drawings.
*The data uploaded to the C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPMD compression.
*Flame is using SSH connections (in addition to SSL) to exfiltrate data. The SSH connection is established by a fully integrated PuTTY-based library.
*Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.

posted by nTeleKy at 1:07 PM on June 8, 2012 [4 favorites]
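An added worked example, not from this thread or from any of the linked analyses, tying together Talez's "Do not use the MD5 algorithm" quote, the SHA-2 note above, and Ad hominem's point that the collision was what got a forged certificate past the newer checks. It embeds the published Wang et al. MD5 collision pair (the two 128-byte messages below are reproduced inline as test data), shows that the collision survives any common suffix, which is the property that makes a collision inside a signed certificate body usable, and shows that SHA-256 separates the two messages. The `signature_check_is_fooled` function is a hypothetical model of a digest-comparing verifier, not Windows' actual code-signing check.

```python
"""Added example (not from the thread): two distinct messages with one MD5
digest, and why that breaks anything that signs an MD5 digest.

Assumptions: the hex below is the published Wang et al. collision pair,
embedded inline as test data for this example; hashlib is the only dependency.
"""
import hashlib

# Two 128-byte messages that differ in six bytes yet share an MD5 digest.
# (Published collision pair; reproduced here as inline test data.)
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest of `data` under a hashlib algorithm name ("md5", "sha256")."""
    # usedforsecurity=False: we are demonstrating MD5 is broken, not relying on it.
    return hashlib.new(algorithm, data, usedforsecurity=False).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(algorithm: str, a: bytes, b: bytes, suffix: bytes = b"") -> bool:
    """True if a||suffix and b||suffix hash to the same value under `algorithm`.

    MD5 is a Merkle-Damgard construction: once two equal-length prefixes reach
    the same internal state, appending identical data keeps the digests equal.
    A collision in the signed portion of a certificate therefore survives the
    rest of the certificate body being appended to both variants.
    """
    return digest_hex(algorithm, a + suffix) == digest_hex(algorithm, b + suffix)


def signature_check_is_fooled(trusted_md5_hex: str, presented: bytes) -> bool:
    """Hypothetical verifier that trusts whatever matches a signed MD5 digest.

    The signature covers the digest, not the bytes, so a forged message with
    the same MD5 passes exactly as the genuine one does.
    """
    return digest_hex("md5", presented) == trusted_md5_hex


if __name__ == "__main__":
    print("bytes differ at offsets:", differing_offsets(BLOCK_A, BLOCK_B))
    print("md5(A) :", digest_hex("md5", BLOCK_A))
    print("md5(B) :", digest_hex("md5", BLOCK_B))
    tail = b"\x30\x82\x01\x0a" + b"rest of the certificate body"  # constructed suffix
    print("still collide with a common suffix:", collides("md5", BLOCK_A, BLOCK_B, tail))
    print("collide under sha256:", collides("sha256", BLOCK_A, BLOCK_B))
    genuine = digest_hex("md5", BLOCK_A)
    print("verifier accepts forged B:", signature_check_is_fooled(genuine, BLOCK_B))
```

The suffix test is the part worth staring at: the attacker does not need the collision to cover the whole certificate, only an equal-length prefix, after which the legitimate issuer appends the rest and signs a digest that matches both the certificate it saw and the one it never saw.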


There are a lot of operating systems and applications that auto-update themselves these days. Each individual update mechanism is basically an attack vector, and every public access point is an opportunity for man-in-the-middle attacks.
posted by Slothrup at 1:30 PM on June 8, 2012 [1 favorite]


I doubt Microsoft would have wanted to do this, or that Siemens would have wanted to co-operate on Stuxnet, but whilst these multinationals have more money than lots of economies, the USA isn't one of those...plus they might want to sell stuff there...
posted by maiamaia at 1:47 PM on June 8, 2012


A problem with the new cyber warfare is that it can unleash weapons that become uncontrolled
posted by Postroad at 2:05 PM on June 8, 2012


It was probably done with Microsoft's help, but not collaboration. Eg, when the agency asks for documentation, or to talk to an engineer, they usually get it, but they don't reveal what they're doing with that information. Oh hey, we're using it to trash your product! Sucks to be you!
posted by -harlequin- at 2:09 PM on June 8, 2012


Flame is apparently in the process of self-destructing.

Pretty much spook SOP, eh?
posted by Mental Wimp at 2:18 PM on June 8, 2012


A problem with the new cyber warfare is that it can unleash weapons that become uncontrolled

Is that really so unlike all other warfare?
posted by phearlez at 2:20 PM on June 8, 2012 [1 favorite]


..."the most powerful weapon today in cyber space is still the propaganda, the chance to use the Internet to spread your message"

This (from Postroad's link). Not to Godwin, but Hitler's success was because he used new technology, radio, film, loud speakers and other forms of modern propaganda, to spread his message. Note the Arab Spring. The "flash mob" is more than a curiosity; the ability to instantly organize many people for a single purpose is like a DoS attack, except with live people as the packets. That's power. Look at what Anonymous has done, hacking to be sure, but it's organized around a single short term goal. There's all sorts of potential for this kind of thing to take off in the near future. The quiet violence of the computer can easily become the violence in the street.
posted by stbalbach at 2:21 PM on June 8, 2012


Can someone page flapjax at midnite and tell him that we need him in this thread to produce a parody of David Bowie's "Fame" called "Flame"?
posted by MattMangels at 2:26 PM on June 8, 2012


If they had Microsoft's help I don't think they would need to use an unknown MD5 collision.

If an entity wanted to maintain plausible deniability of its collusion with Microsoft, I would think it would naturally tend to move away from exploiting flaws in Microsoft's core proprietary codebase -- that would draw attention to the possibility of that collusion -- and instead look for flaws in the more mundane components, like hashes, etc.
posted by bafflegab at 2:28 PM on June 8, 2012


Well, there was the infamous NSAKEY in previous versions of Windows. I think it first appeared in an NT 4 service pack. No doubt the NSA has the source code to Windows; I'm not sure if it is true of the most recent versions, but you used to be able to license it, which is what allowed things like Sysinternals to exist. I might be the naive one, but I don't think Microsoft would subvert their own update infrastructure for any reason. The cat is out of the bag now; every malware author out there is probably looking into it right now.
posted by Ad hominem at 2:50 PM on June 8, 2012


Unless this is some Obama style jedi 7 dimension chess and they are trying to destroy all existing versions of Windows to force people onto trusted computing platforms.

My god, it all makes sense. We are through the looking glass here people.
posted by Ad hominem at 2:54 PM on June 8, 2012 [1 favorite]


it would naturally tend to move away from exploiting flaws in Microsoft's core proprietary codebase -- that would draw attention to the possibility of that collusion

As I understand it, there are a surprisingly large number of entities -- including foreign governments like Russia's -- which have access to Windows source code. It is, perhaps, their assurance that there is no US-government trap door in the OS.

But I also think that some people overvalue source code when it comes to finding security problems. I suspect that it's actually easier to work with the binary artifacts directly -- and in fact, security bugs can be introduced during compilation; for instance, by overly aggressive optimization.
posted by Slothrup at 2:59 PM on June 8, 2012


Obama's virus wars: mutually assured cyber-destruction

Mutually assured? Doesn't that mean both sides have the same capability?

There you have it: IRAN IS DEVELOPING CYBER WEAPONS OF MASS DESTRUCTION.
posted by three blind mice at 3:01 PM on June 8, 2012


I'm sure this will result in some kind of spike on attempts at subverting Windows Update, but I don't think that's unusual. Several years ago I interviewed with a group that provides not WU but a service it relies on to verify OS installs, and I got the distinct impression that they had a significant number of staff dedicated to full time firefighting as people constantly were trying to break the APIs.
posted by feloniousmonk at 3:25 PM on June 8, 2012


I think what's most interesting about Flame is that it's actually older than Stuxnet/Duqu. Also the analyses I've read are coming to the conclusion it's a whole separate codebase, albeit with some shared design characteristics. There's more than one espionage malware stack being developed by the US government, that's fascinating. How many more are there?
posted by Nelson at 4:01 PM on June 8, 2012


As I understand it, there are a surprisingly large number of entities -- including foreign governments like Russia's -- which have access to Windows source code. It is, perhaps, their assurance that there is no US-government trap door in the OS.

But I also think that some people overvalue source code when it comes to finding security problems. I suspect that it's actually easier to work with the binary artifacts directly -- and in fact, security bugs can be introduced during compilation; for instance, by overly aggressive optimization.


Though it's implied in your comment, I'll state it outright: having the source means nothing if you don't have the ability to build it. That is, Russia can examine the Windows source code all day long, but if the binary build they're deploying is provided by Microsoft, there isn't any assurance that the binary exactly matches the source. (I'll add as a caveat that I don't believe for a second that Microsoft is directly involved in this or any other such skullduggery.)

You can even go a step further and say that even if they have Microsoft's build environment--and even if they have the source code for Microsoft's build environment--they still can't be sure that what ends up being built is semantically identical to the source code. Ken Thompson: Reflections on Trusting Trust.
posted by kjh at 4:22 PM on June 8, 2012 [1 favorite]


mmrtnt: "The best consequences are always the unintended ones!

Because the US government and Microsoft can work hand-in-hand to backdoor "enemies", it won't be long before all the bad guys just use Linux instead.

Unintended Consequence: Anyone using Linux is possibly a terrorist.

Also, this seems appropriate."

Cool, I'm a terrorist now? Add that to my international arms dealer status (crypto export violation as protest) and I am that much closer to a real Bond villian! Even have a fuzzy cat AND a giant monitor! Rest of the lair kinda sucks though.
posted by Samizdata at 9:33 PM on June 8, 2012


Villain, even. Evil does not preclude typos, unfortunately.
posted by Samizdata at 9:37 PM on June 8, 2012


I, for one, welcome the made-for-TV movie about a team of top-secret virus-writing hacker-spies and their thrilling and sexy adventures. Within 3 years. Mark my words. 'Cause this stuff is gold.

"Quick, you need to hack the mainframe!"

"I'm almost in! See all those spinning balls? If I can just navigate my hacker-craft past them, you'll see them turn green--that will mean I have control of their mainframe!"

"Oh no! You'll have to hack faster! The spinning balls are beginning to turn yellow!"

"Quick--you'd better help me hack by typing on the keyboard at the same time as me! Man, this is the toughest mainframe I've ever tried to hack into! I think I might need to undo another button on my blouse so my boobs can cool down from all the hacking they're helping me do."

Or has Hollywood gotten better at writing movies about anything related to computers?
posted by yoink at 8:26 AM on June 9, 2012 [1 favorite]


A former senior Israeli government minister has told us that, just as Sanger confirmed Stuxnet was created in partnership with the IDF's Unit 8200 cyber warfare unit, Flame was created by similar figures in Israel. The Guardian article seems fairly confident and specific that Flame is both written and used by Israeli entit(ies), but most comments in this thread seem preoccupied with the notion that the NSA is somehow responsible. Why is that? Is it reflective of some deeper knowledge or due to conflicting news reporting? Or just cloak-and-dagger fantasies? Am I misunderstanding something?
posted by newdaddy at 2:21 PM on June 9, 2012


It's an easy thought experiment. Big and Mysterious NSA doing something Big and Mysterious, as opposed to Tiny Israel, y'know?
posted by Thistledown at 5:33 AM on June 10, 2012


Back to Stuxnet: the missing link. Kaspersky looks deep into older versions of Stuxnet and finds evidence of shared source code with Flame.
The above conclusions point to the existence of two independent developer teams, which can be referred to as ”Team F” (Flame) and ”Team D” (Tilded). Each of these teams has been developing its own platform since 2007-2008 at the latest.

In 2009, part of the code from the Flame platform was used in Stuxnet. We believe that source code was used, rather than complete binary modules. Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities.
posted by Nelson at 8:23 AM on June 11, 2012