to Name Game
Re: Emergency Bulletin: Unauthorized Certificate used in "F
Security Advisory 2718704: Update to Phased Mitigation Strategy
quote: The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.
To increase protection for customers, the next action of our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update's worldwide deployment. We will provide more information on the timing of the additional hardening to Windows Update in the near future.
to Name Game
Here is a related article from Kaspersky's "Securelist": » www.securelist.com/en/bl ··· entified
Good read. Thanks. So, it looks like the user's browser proxy settings must be set to Auto for this infection to spread. I can't think of any of my 3000 PCs or few hundred servers that fit that criterion. Dave
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
therube join:2004-11-11 Randallstown, MD |
to workablob
quote: it looks like the user's browser proxy settings must be set to Auto for this infection to spread
Explain further if you would? So this is different from a (home) user's browser "proxy" setting selection (most often, none)? This would be more typical on a larger organization's network? And they would need to have a PAC specifically defined, though set to "Auto" rather than site-specific settings?
said by therube:
quote: it looks like the user's browser proxy settings must be set to Auto for this infection to spread
Explain further if you would? So this is different from a (home) user's browser "proxy" setting selection (most often, none)? This would be more typical on a larger organization's network? And they would need to have a PAC specifically defined, though set to "Auto" rather than site-specific settings?
Whether you're in a corp domain or a workgroup, if you have your IE or other browser's proxy set to Automatic, its proxy discovery can be intercepted by the malicious PC. That's what I read out of it. Dave
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
Flame uses NBNS spoofing to poison WPAD requests. Is it time to get rid of NetBIOS? » isc.sans.edu/diary.html? ··· id=12454

Hmmmm.. you know it reminds me of the following Advisory back in 2009... click on the link and then click on the + for "Frequently Asked Questions" and have a good read.

Microsoft Security Advisory (974926) Credential Relaying Attacks on Integrated Windows Authentication, Published: Tuesday, December 08, 2009 » technet.microsoft.com/en ··· y/974926
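The two client-side settings this part of the thread turns on can be checked from PowerShell. The script below is an added example for this page, not code from the thread, from the SANS diary or from Microsoft. It reports whether the current user's Internet Options has "Automatically detect settings" (WPAD) enabled, which is what lets a rogue host on the LAN that answers the NBNS lookup for "wpad" hand the browser a proxy and sit in the middle, and whether NetBIOS over TCP/IP is enabled on each IP-enabled adapter; with -Fix it turns both off. The registry offsets and WMI class are the documented ones; the decision to disable rather than only report is the editor's, and the script assumes a Vista/7-era or later machine with PowerShell 2.0 (XP without PowerShell is not covered).

```powershell
# Added example for this page (not from the thread, the SANS diary or Microsoft).
# Audits, and with -Fix disables, the two settings NBNS/WPAD poisoning depends on:
#   1. Internet Options -> "Automatically detect settings" (WPAD) for the current user
#   2. NetBIOS over TCP/IP on every IP-enabled adapter (what answers the "wpad" NBNS lookup)
# Run from an elevated PowerShell 2.0+ prompt. Disabling NetBT breaks name resolution for
# hosts that have no DNS record, so read the Get-NetbtState output before using -Fix.
param([switch]$Fix)

$IeKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ConnKey = "$IeKey\Connections"

function Get-WpadAutoDetect {
    # DefaultConnectionSettings is REG_BINARY; byte 8 is a flag set:
    # 0x01 direct, 0x02 manual proxy, 0x04 PAC script URL, 0x08 auto-detect (WPAD).
    $blob = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings `
             -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if (-not $blob -or $blob.Length -lt 9) { return $null }   # never written: IE default applies
    return [bool]($blob[8] -band 0x08)
}

function Disable-WpadAutoDetect {
    $blob = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings `
             -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -ge 9) {
        $blob[8] = $blob[8] -band 0xF7                       # clear the 0x08 auto-detect bit
        Set-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -Value $blob
    }
    # The checkbox IE shows under Internet Options -> Connections -> LAN settings
    Set-ItemProperty -Path $IeKey -Name AutoDetect -Value 0 -Type DWord
}

function Get-NetbtState {
    # TcpipNetbiosOptions: 0 = take it from DHCP (normally on), 1 = enabled, 2 = disabled
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, TcpipNetbiosOptions
}

function Disable-Netbt {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $rc = $_.SetTcpipNetbios(2).ReturnValue           # 2 = disable NetBIOS over TCP/IP
            "{0}: SetTcpipNetbios -> {1}" -f $_.Description, $(if ($rc -eq 0) { 'ok' } else { "error $rc" })
        }
}

# ---- report -----------------------------------------------------------------
$auto = Get-WpadAutoDetect
if ($auto -eq $true)      { 'WPAD: "Automatically detect settings" is ON for this user (NBNS-spoofable).' }
elseif ($auto -eq $false) { 'WPAD: auto-detect is OFF for this user.' }
else                      { 'WPAD: no explicit setting stored; IE treats this as auto-detect ON.' }

'NetBIOS over TCP/IP per adapter (2 = disabled):'
Get-NetbtState | Format-Table -AutoSize | Out-String

if ($Fix) {
    Disable-WpadAutoDetect
    Disable-Netbt
    'Re-run without -Fix to confirm. Restart IE; the NetBT change applies to new sessions.'
}
```

The IE setting lives under HKCU, so it is per user; on a domain the same two changes are normally pushed by Group Policy rather than per box. Services that use the WinHTTP proxy (shown by `netsh winhttp show proxy`) have their own setting, which this script does not touch. Turning off NetBT removes the NBNS answer path, but WPAD discovery also tries DNS for wpad.<domain>, so an attacker who can poison DNS still has a route; the per-user auto-detect flag is the setting that closes that door.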
mysec Premium Member join:2005-11-29
to Name Game
Details of the attack: Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code » www.wired.com/threatleve ··· ificate/

quote: Flame intercepts the request to Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate. If the ruse works, a malicious file called WuSetupV.exe gets deposited on the machine. Since the file is signed with a fake Microsoft certificate, it appears to the user to be legitimate, and therefore the user's machine allows the program to run on the machine without issuing a desktop warning.

So, WuSetupV.exe has to get deposited on the machine before anything else can happen. Well, if the machine checks for whitelisted executables (those already installed on the machine) then this "malicious file WuSetupV.exe" will be blocked:
End of exploit. (One can speak only for herself/himself, of course.)
---- rich
therube join:2004-11-11 Randallstown, MD |
Exactly.
to Name Game
said by Name Game:
quote: Is it time to get rid of NetBIOS?
I did that a while ago as per the link. I don't miss it at all.
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
to mysec
So are you telling me Flame is out there.....but it's impotent. Hmm..I will have to find another explanation for my feet.
StuartMW Premium Member 2012-Jun-5 1:41 pm
What a croc!
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
Well guess you are right....I might have too many CA now between my ankles and big toes..but I can still surf in shark infested waters and make it back to the haven of DSLR Security Forum.
mysec Premium Member join:2005-11-29
to Name Game
Assuming the user is not already infected, the attack would seem to require this scenario: Flame malware hijacks Windows Update to spread from PC to PC » arstechnica.com/security ··· opogate/

quote: Flame components known as "Gadget" and "Munch" allow Flame operators to mount a man-in-the-middle attack against computers connected to a local network that hosts at least one machine already infected by the malware,

---- rich
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
Yup.. Well Rmus I don't think many are using Anti-Executable from Faronics. Really liked the ProcessGuard too. Still have old copies of all that stuff from the days at Wilders. Fun times. 007 was wrong...Diamonds are not forever...but they still sparkle.
Whitelists at one time even had a better feeling than AVs.
OZO Premium Member join:2003-01-17
to Name Game
Win XP is here. I don't see the "Microsoft Enforced Licensing Intermediate PCA" certificate in my "Intermediate Certification Authorities" list.
Which certificates exactly are revoked? How do I find them in the list?
I want to see them before they are removed.
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
This might help..and what version of XP..do you have it up to SP3? » Re: Emergency Bulletin: Unauthorized Certificate used in "F
OZO Premium Member join:2003-01-17 2012-Jun-5 4:11 pm
I have both, SP3 and SP2.
In the link provided I can't find the exact list of the 3 intermediate certificates that should be removed.
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
Doubt you will find squat on the SP2..you might on the SP3 if you have been updating it all along...anyway this is the stuff: Certification path of the certificate that was used to sign WUSetupV.exe used by the Flame malware. » twitpic.com/9sqhqh/full
Name Game
to OZO
Oz, as I recall even with the SP3 upgrade the Update to the Root certificates was optional. XP SP3 Update Pack Contents » xable.net/xp-sp3-update- ··· nts.html
931125 - Update for Root Certificates » support.microsoft.com/kb/931125
Name Game
Root Update Package (intended for Windows XP only)

For users who are running Windows XP, the root update package will update the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. The file is updated periodically to add or remove root certificates or CAs from distribution by the Program.

Root Update Package via the Microsoft Download Center
The file is available for download from the Microsoft Download Center: Update for Root Certificates [April 2012] (KB931125) » www.microsoft.com/downlo ··· d5dce2ef

______________________________________

Windows XP
Windows XP does not fully support the automatic root update mechanism: when a root certificate is already present on a user's system, it will not be updated even if the copy of the root certificate available on Microsoft Update has changed. Windows XP also does not support the weekly pre-fetching of certificate properties from Microsoft Update feature, and the only way to install new root certificate properties on Windows XP is by installing the root update package. It is recommended that users running Windows XP download and install the root update package to update their root certificates.

Root certificates are delivered for Windows XP via Microsoft Update as an optional root update package, an executable that contains every root certificate that is distributed by the Windows Root Certificate Program. Windows XP users can opt to download the package each time it is updated and presented by Microsoft Update, or they can opt to download the root update packages automatically when they are updated. The optional root update package is updated approximately 3-4 times per year, or every quarter. For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, visit the following Web site: » technet.microsoft.com/en ··· 160.aspx
OZO Premium Member join:2003-01-17 2012-Jun-5 4:53 pm
Thank you, Name Game. When were those 3 "rogue" certificates installed as "Intermediate Certification Authorities"? Recently? I don't see them on either the XP SP2 or the SP3 computers. And what are the names of those certificates exactly? I'm not in a rush to invalidate those 3 certificates (I guess no one is going to put Flame on my computers). But I'm more interested in finding those certificates before removing any of them. So, if someone has not updated their computers yet - do you see those 3 certs?
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
WinXP SP3 not here either..and not updated, and I have no intentions of doing so on this box.
OZO Premium Member join:2003-01-17 2012-Jun-5 5:47 pm
From the limited information provided here you should look at the "Intermediate Certification Authorities" list (next tab to the left), not in the "Trusted Root Certification Authorities" list.
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
Nope..nothing like it in there..but then I don't update the root on XP...
OZO Premium Member join:2003-01-17 2012-Jun-5 6:15 pm
Thanks. At this point I'm more interested in finding out when and how those certificates were installed on my computers (if they were at all) and how it's even possible, rather than in promptly removing those 3 certs. It's mostly for the future security of my computers. To make sure that it will not happen again tomorrow... That's more important than anything else now.
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
I understand..and will tell you they are not on my Win7 machines either...but I realize where you are coming from in your desire to track it all down. Win7 is using IE9 and that Win XP SP3 had IE8. BTW..in my reading on this..think I remember these bad certs were sometime in 2010. This signing time » twitpic.com/9sqhqh/full

Certificate of the malicious update module of the Flame malware. "Microsoft LSRA PA" » pinterest.com/pin/116109 ··· 9770638/

The certificate purports to be issued by "Microsoft LSRA PA" and issued to "MS": The validity date of the certificate had already expired earlier this year, on February 19, 2012, as seen in the image below: » www.microsoft.com/securi ··· e.B!cert
Name Game
Good read here... Tech behind Flame attack could compromise Microsoft Update

quote: Permit me to translate that into English. A "cryptographic collision attack" is a brute-force approach to cracking a hashing method, where the attacker guesses at a whole bunch of input strings, runs the hashing algorithm, and compares the result to the real hash. If the hashes match, then the original strings matched. Sophisticated guessing techniques can be employed, but in general cracking not one, but three original Microsoft certificates must've taken eons of computing time. There's still a lot of confusion about exactly how the Flame folks used the collision attack. Microsoft's statement is subject to a lot of interpretation. Dan Goodin has an analysis on Ars Technica. » arstechnica.com/security ··· -attack/

As Microsoft rightly notes, just having the certs isn't good enough. In order to subvert WSUS/Windows Update for a site, the person with the cracked certs has to be able to insert themselves between the site's network and the Microsoft update servers: a man-in-the-middle attack. In some countries, that's certainly possible for any organization that has influence over local DNS servers. In general, though, it's a highly nontrivial exercise.

But working inside a network, man-in-the-middle may not be so difficult. Aleks Gostov at Kaspersky Lab has started peeling away at Flame and discovered that fully patched Windows 7 machines running on a network with one Flame-infected machine were getting infected "in a very suspicious manner. When a machine tries to connect to Microsoft's Windows Update. » www.infoworld.com/t/hack ··· e-194867
Name Game
to OZO
said by OZO:
quote: Thanks. At this point I'm more interested in finding out when and how those certificates were installed on my computers (if they were at all) and how it's even possible, rather than in promptly removing those 3 certs. It's mostly for a future security of my computers. To make sure that it will not happen again tomorrow... That's more important than anything else now.
OZ I think you will like this info..and there is a manual patch method given » isc.sans.edu/diary/Micro ··· e+/13366
OZO Premium Member join:2003-01-17 2012-Jun-6 1:39 am
Thanks for the link. From that link I found this article - Microsoft certification authority signing certificates added to the Untrusted Certificate Store. And finally the article mentions 3 rogue certificates:

Certificate - Microsoft Enforced Licensing Intermediate PCA
Issued by - Microsoft Root Authority
Thumbprint - 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Certificate - Microsoft Enforced Licensing Intermediate PCA
Issued by - Microsoft Root Authority
Thumbprint - 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Certificate - Microsoft Enforced Licensing Registration Authority CA (SHA1)
Issued by - Microsoft Root Certificate Authority
Thumbprint - fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

I can't find any of them in my WXP computers. Questions:
1. What is the point of applying the patch, if computers don't have those certificates?
2. How and when do they appear in computers? Who put them there? Microsoft?
3. How to make sure that next generation of such rogue certificates will never be planted into computers again?
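The three thumbprints above are enough to answer the earlier "how do I find them in the list?" question from PowerShell, and to check what KB2718704 actually did on a box. The script below is an added example for this page, not code from the thread, from the SANS diary or from Microsoft's KB. It walks every certificate store the Cert: provider exposes (CurrentUser and LocalMachine), reports the store each copy of the three certificates sits in, and gives a one-line verdict per thumbprint. The point of the update even on a machine that never had these certificates installed is visible in the output: it adds the three to the Untrusted Certificates store (LocalMachine\Disallowed) rather than removing anything, because an Authenticode signature ships its intermediate certificates inside the signed file, so a machine that had merely never seen them would still build a chain to the trusted Microsoft root. The script assumes PowerShell 2.0 or later; on XP without PowerShell, "certutil -store Disallowed" from a cmd prompt lists the same store.

```powershell
# Added example for this page (not from the thread, the SANS diary or Microsoft's KB).
# Searches every certificate store the Cert: provider exposes (CurrentUser and LocalMachine)
# for the three thumbprints from KB2718704 and reports which store each copy lives in.
# Expected after the update: each thumbprint present in LocalMachine\Disallowed
# ("Untrusted Certificates" in certmgr.msc) and absent from CA and Root.
# Needs PowerShell 2.0+; on XP without PowerShell use "certutil -store Disallowed".

$RogueThumbprints = @{
    '2A83E9020591A55FC6DDAD3FB102794C52B24E70' = 'Microsoft Enforced Licensing Intermediate PCA'
    '3A850044D8A195CD401A680C012CB0A3B5F8DC08' = 'Microsoft Enforced Licensing Intermediate PCA'
    'FA6660A94AB45F6A88C0D7874D89A863D74DEE97' = 'Microsoft Enforced Licensing Registration Authority CA (SHA1)'
}

function Find-RogueCerts {
    # Recursing from Cert:\ yields store locations, stores and certificates; only
    # certificates carry a Thumbprint (SHA-1, upper-case hex, no spaces).
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -and $RogueThumbprints.ContainsKey($_.Thumbprint) } |
        ForEach-Object {
            $store = ($_.PSParentPath -split '::')[-1]   # e.g. LocalMachine\Disallowed
            New-Object PSObject -Property @{
                Name       = $RogueThumbprints[$_.Thumbprint]
                Thumbprint = $_.Thumbprint
                Store      = $store
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Distrusted = ($store -like '*\Disallowed')
            }
        }
}

function Get-RogueCertVerdict {
    $hits = @(Find-RogueCerts)
    foreach ($tp in $RogueThumbprints.Keys) {
        $copies  = @($hits | Where-Object { $_.Thumbprint -eq $tp })
        $blocked = @($copies | Where-Object { $_.Distrusted }).Count -gt 0
        $trusted = @($copies | Where-Object { -not $_.Distrusted } | ForEach-Object { $_.Store })
        if ($trusted.Count -gt 0) {
            $state = 'TRUSTED COPY PRESENT in ' + ($trusted -join ', ')
        } elseif ($blocked) {
            $state = 'distrusted (KB2718704 applied)'
        } else {
            $state = 'absent everywhere (update not applied; a signature carrying this cert would still chain)'
        }
        "{0}  {1}  {2}" -f $tp, $RogueThumbprints[$tp], $state
    }
}

Find-RogueCerts | Format-Table Store, Name, Thumbprint, NotAfter, Distrusted -AutoSize | Out-String
Get-RogueCertVerdict
```

Run it in a normal (non-elevated) prompt and it still reads LocalMachine stores, since they are world-readable; elevation is only needed to change them. A "TRUSTED COPY PRESENT" line for a thumbprint in CA or Root, with nothing in Disallowed, is the one result that calls for action: that machine has not had the update and also has the intermediate cached locally.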