dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
8020

chachazz
Premium Member
join:2003-12-14

1 recommendation

chachazz to Name Game

Premium Member

to Name Game

Re: Emergency Bulletin: Unauthorized Certificate used in "F

Security Advisory 2718704: Update to Phased Mitigation Strategy
quote:
The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.

To increase protection for customers, the next action of our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update’s worldwide deployment. We will provide more information on the timing of the additional hardening to Windows Update in the near future.
redwolfe_98
Premium Member
join:2001-06-11

1 recommendation

redwolfe_98 to Name Game

Premium Member

to Name Game
here is a related article from kaspersky's "securelist":

»www.securelist.com/en/bl ··· entified

workablob
join:2004-06-09
Houston, TX

workablob

Member

said by redwolfe_98:

here is a related article from kaspersky's "securelist":

»www.securelist.com/en/bl ··· entified

Good read.

Thanks.

So, it looks like the user's browser proxy settings must be set to Auto for this infection to spread.

I can't think of any of my 3000 PCs or few hundred servers that fit that criteria.

Dave

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Here is some more info if you are interested..

»Re: F-Secure's CRO: Why We Didn't Catch Stuxnet & Flame

»Re: F-Secure's CRO: Why We Didn't Catch Stuxnet & Flame

therube
join:2004-11-11
Randallstown, MD

therube to workablob

Member

to workablob
quote:
it looks like the user's browser proxy settings must be set to Auto for this infection to spread
Explain further if you would?
So this is different from a (home) users browser "proxy" setting selection (most often, none)?
This would be more typical on a larger organizations network? And they would need to have a PAC specifically defined, though set to "Auto" rather then site specific settings?

workablob
join:2004-06-09
Houston, TX

workablob

Member

said by therube:

quote:
it looks like the user's browser proxy settings must be set to Auto for this infection to spread
Explain further if you would?
So this is different from a (home) users browser "proxy" setting selection (most often, none)?
This would be more typical on a larger organizations network? And they would need to have a PAC specifically defined, though set to "Auto" rather then site specific settings?

Whether you're in a corp domain or a workgroup if you have your IE or other browsers proxy set to Automatic its proxy discovery can be intercepted by the malicious PC.

That's what I read out of it.

Dave

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Flame uses NBNS spoofing to poison WPAD requests.

Is it time to get rid of NetBIOS?
»isc.sans.edu/diary.html? ··· id=12454

Hmmmm..you know it reminds me of the following Advisory back in 2009...click on the link and then click on the + for "Frequently Asked Questions" and have a good read.

Microsoft Security Advisory (974926)
Credential Relaying Attacks on Integrated Windows Authentication
Published: Tuesday, December 08, 2009
»technet.microsoft.com/en ··· y/974926
mysec
Premium Member
join:2005-11-29

1 recommendation

mysec to Name Game

Premium Member

to Name Game
Details of the attack:

Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code
»www.wired.com/threatleve ··· ificate/

Flame intercepts the request to Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.

If the ruse works, a malicious file called WuSetupV.exe gets deposited on the machine. Since the file is signed with a fake Microsoft certificate, it appears to the user to be legitimate, and therefore the user's machine allows the program to run on the machine without issuing a desktop warning.


So, WuSetupV.exe has to get deposited on the machine before anything else can happen.

Well, if the machine checks for White Listed executables (those already installed on the machine) then this "malicious file WuSetupV.exe " will be blocked:




End of exploit. (One can speak only for herself/himself, of course.)

----
rich

therube
join:2004-11-11
Randallstown, MD

therube

Member

Exactly.

StuartMW
Premium Member
join:2000-08-06

StuartMW to Name Game

Premium Member

to Name Game
said by Name Game:

Is it time to get rid of NetBIOS?

I did that a while ago as per the link.I don't miss it at all.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to mysec

Premium Member

to mysec
So are you telling me Flame is out there.....but it's impotent.

Hmm..I will have to find another explanation for my feet.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

What a croc!

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Well guess you are right....I might have too many CA now between my ankles and big toes..but I can still surf in shark infested waters and make it back to the haven of DSLR Security Forum.
mysec
Premium Member
join:2005-11-29

mysec to Name Game

Premium Member

to Name Game
Assuming the user is not already infected, the attack would seem to require this scenario:

Flame malware hijacks Windows Update to spread from PC to PC
»arstechnica.com/security ··· opogate/

Flame components known as "Gadget" and "Munch" allow Flame operators to mount a man-in-the-middle attack against computers connected to a local network that hosts at least one machine already infected by the malware,



----
rich

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Yup.. Well Rmus I don't think many are using Anti-Executable from Faronics. Really liked the processguard too. Still have old copies of all that stuff from the days at Wilders. Fun times. 007 was wrong...Diamonds are not forever...but they still sparkle.

Whitelists at one time even had a better feeling than AV's.
OZO
Premium Member
join:2003-01-17

OZO to Name Game

Premium Member

to Name Game
Win XP is here. I don't see "Microsoft Enforced Licensing Intermediate PCA" certificate in my "Intermediate Certification Authorities" list.

Which exactly certificates are revoked? How to find them in the list?

I want to see them before they will be removed.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

This might help..and what version of XP..do you have it up to SP3?

»Re: Emergency Bulletin: Unauthorized Certificate used in "F
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

I have both, SP3 and SP2.

In the link provided I can't find the exact list of 3 intermediate certificates, that should be removed.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 edit

Name Game

Premium Member

doubt you will find squat on the SP2..you might on the Sp3 if you have been updating it all along...anyway this is the stuff

Certification path of the certificate that was used to sign WUSetupV.exe used by the Flame malware.
»twitpic.com/9sqhqh/full
Name Game

Name Game to OZO

Premium Member

to OZO
Oz,
As I recall even with SP3 upgrade..the Update to the Root certificates was optional

XP SP3 Update Pack Contents

»xable.net/xp-sp3-update- ··· nts.html

931125 - Update for Root Certificates

»support.microsoft.com/kb/931125
Name Game

1 recommendation

Name Game

Premium Member

Root Update Package (intended for Windows XP only)
For users who are running Windows XP, the root update package will update the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. The file is updated periodically to add or remove root certificates or CAs from distribution by the Program.

Root Update Package via the Microsoft Download Center

The file is available for download from the Microsoft Download Center:

Update for Root Certificates [April 2012] (KB931125)
»www.microsoft.com/downlo ··· d5dce2ef

______________________________________

Windows XP

Windows XP does not fully support the automatic root update mechanism: when a root certificate is already present on a user’s system, it will not be updated even if the copy of the root certificate available on Microsoft Update has changed. Windows XP also does not support the weekly pre-fetching of certificate properties from Microsoft Update feature, and the only way to install new root certificate properties on Windows XP is by installing the root update package.

It is recommended that users running Windows XP download and install the root update package to update their root certificates. Root certificates are delivered for Windows XP via Microsoft Update as an optional root update package – an executable that contains every root certificate that is distributed by the Windows Root Certificate Program. Windows XP users can opt to download the package each time it is updated and presented by Microsoft Update, or they can opt to download the root update packages automatically when they are updated. The optional root update package is updated approximately 3-4 times per year, or every quarter.

For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, visit the following Web site:

»technet.microsoft.com/en ··· 160.aspx
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

Thank you, Name Game See Profile.

When those 3 "rogue" certificates were installed as "Intermediate Certification Authorities"? Recently? I don't see them in both XP SP2 and SP3 computers. And what are the names of those certificates exactly?

I'm not in a rush to invalidate those 3 certificates (I guess no one is going to put Flame on my computers ). But I'm more interested in finding out those certificates before removing any of them. So, if someone has not updated their computers yet - do you see those 3 certs?

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Click for full size
WinXp Sp3 not here either..and not updated and I have no intnetions of doing so on this box
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

From the limited information provided here you should look at "Intermediate Certification Authorities" list (next tab to the left), not in the "Trusted Root Certification Authorities" list.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Nope..nothing like it in there..but then I don't update the root on XP...
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

Thanks. At this point I'm more interested in finding out when and how those certificates were installed on my computers (if they were at all) and how it's even possible, rather than in promptly removing those 3 certs. It's mostly for a future security of my computers. To make sure that it will not happen again tomorrow... That's more important than anything else now.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

2 edits

Name Game

Premium Member

I understand..and will tell you they are not on my win7 machines either...but I realize where you are coming from in your desire to track it all down. win7 is using IE9 and that win XP sp3 had IE8.

BTW..in my reading on this..think I remember these bad certs were sometime in 2010.

This signing time »twitpic.com/9sqhqh/full

Certificate of the malicious update module of the Flame malware. "Microsoft LSRA PA"
»pinterest.com/pin/116109 ··· 9770638/

The certificate purports to be issued by "Microsoft LSRA PA" and issued to "MS":

The validity date of the certificate had already expired earlier this year, on February 19, 2012, as seen in the image below:
»www.microsoft.com/securi ··· e.B!cert
Name Game

Name Game

Premium Member

Good read here...

Tech behind Flame attack could compromise Microsoft Update

Permit me to translate that into English.

A "cryptographic collision attack" is a brute-force approach to cracking a hashing method, where the attacker guesses at a whole bunch of input strings, runs the hashing algorithm, and compares the result to the real hash. If the hashes match, then the original strings matched. Sophisticated guessing techniques can be employed, but in general cracking not one, but three original Microsoft certificates must've taken eons of computing time. There's still a lot of confusion about exactly how the Flame folks used the collision attack. Microsoft's statement is subject to a lot of interpretation. Dan Goodin has an analysis on Ars Technica.
»arstechnica.com/security ··· -attack/
As Microsoft rightly notes, just having the certs isn't good enough. In order to subvert WSUS/Windows Update for a site, the person with the cracked certs has to be able to insert themselves between the site's network and the Microsoft update servers: a man-in-the-middle attack. In some countries, that's certainly possible for any organization that has influence over local DNS servers. In general, though, it's a highly nontrivial exercise.

But working inside a network, man-in-the-middle may not be so difficult. Aleks Gostov at Kaspersky Lab has started peeling away at Flame and discovered that fully patched Windows 7 machines running on a network with one Flame-infected machine were getting infected "in a very suspicious manner. When a machine tries to connect to Microsoft's Windows Update.

»www.infoworld.com/t/hack ··· e-194867
Name Game

Name Game to OZO

Premium Member

to OZO
said by OZO:

Thanks. At this point I'm more interested in finding out when and how those certificates were installed on my computers (if they were at all) and how it's even possible, rather than in promptly removing those 3 certs. It's mostly for a future security of my computers. To make sure that it will not happen again tomorrow... That's more important than anything else now.

OZ I think you will like this info..and there is a manual patch method given

»isc.sans.edu/diary/Micro ··· e+/13366
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

Thanks for the link. From that link I found this article - Microsoft certification authority signing certificates added to the Untrusted Certificate Store. And finally the article mentions 3 rogue certificates:
Certificate - Microsoft Enforced Licensing Intermediate PCA
Issued by  - Microsoft Root Authority
Thumbprint - 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
 
Certificate - Microsoft Enforced Licensing Intermediate PCA
Issued by  - Microsoft Root Authority
Thumbprint - 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
 
Certificate - Microsoft Enforced Licensing Registration Authority CA (SHA1)
Issued by  - Microsoft Root Certificate Authority
Thumbprint - fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
 

I can't find any of them in my WXP computers.

Questions:
1. What is the point of applying the patch, if computers don't have those certificates?
2. How and when do they appear in computers? Who put them there? Microsoft?
3. How to make sure that next generation of such rogue certificates will never be planted into computers again?