Broadband Tech > Security > Security > Emergency Bulletin: Unauthorized Certificate used in "Flame"

reply to Name Game

Re: Emergency Bulletin: Unauthorized Certificate used in "F

Thank you, Name Game .

When those 3 "rogue" certificates were installed as "Intermediate Certification Authorities"? Recently? I don't see them in both XP SP2 and SP3 computers. And what are the names of those certificates exactly?

I'm not in a rush to invalidate those 3 certificates (I guess no one is going to put Flame on my computers ). But I'm more interested in finding out those certificates before removing any of them. So, if someone has not updated their computers yet - do you see those 3 certs?
--
Keep it simple, it'll become complex by itself...

From the limited information provided here you should look at "Intermediate Certification Authorities" list (next tab to the left), not in the "Trusted Root Certification Authorities" list.
--
Keep it simple, it'll become complex by itself...

Nope..nothing like it in there..but then I don't update the root on XP...

Thanks. At this point I'm more interested in finding out when and how those certificates were installed on my computers (if they were at all) and how it's even possible, rather than in promptly removing those 3 certs. It's mostly for a future security of my computers. To make sure that it will not happen again tomorrow... That's more important than anything else now.
--
Keep it simple, it'll become complex by itself...

I understand..and will tell you they are not on my win7 machines either...but I realize where you are coming from in your desire to track it all down. win7 is using IE9 and that win XP sp3 had IE8.

BTW..in my reading on this..think I remember these bad certs were sometime in 2010.

This signing time »twitpic.com/9sqhqh/full

Certificate of the malicious update module of the Flame malware. "Microsoft LSRA PA"
»pinterest.com/pin/11610911509770638/

The certificate purports to be issued by "Microsoft LSRA PA" and issued to "MS":

The validity date of the certificate had already expired earlier this year, on February 19, 2012, as seen in the image below:
»www.microsoft.com/security/porta···e.B!cert

reply to Name Game
Good read here...

Tech behind Flame attack could compromise Microsoft Update

Permit me to translate that into English.

A "cryptographic collision attack" is a brute-force approach to cracking a hashing method, where the attacker guesses at a whole bunch of input strings, runs the hashing algorithm, and compares the result to the real hash. If the hashes match, then the original strings matched. Sophisticated guessing techniques can be employed, but in general cracking not one, but three original Microsoft certificates must've taken eons of computing time. There's still a lot of confusion about exactly how the Flame folks used the collision attack. Microsoft's statement is subject to a lot of interpretation. Dan Goodin has an analysis on Ars Technica.
»arstechnica.com/security/2012/06···-attack/
As Microsoft rightly notes, just having the certs isn't good enough. In order to subvert WSUS/Windows Update for a site, the person with the cracked certs has to be able to insert themselves between the site's network and the Microsoft update servers: a man-in-the-middle attack. In some countries, that's certainly possible for any organization that has influence over local DNS servers. In general, though, it's a highly nontrivial exercise.

But working inside a network, man-in-the-middle may not be so difficult. Aleks Gostov at Kaspersky Lab has started peeling away at Flame and discovered that fully patched Windows 7 machines running on a network with one Flame-infected machine were getting infected "in a very suspicious manner. When a machine tries to connect to Microsoft's Windows Update.

»www.infoworld.com/t/hacking/tech···e-194867
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

reply to OZO

Thanks for the link. From that link I found this article - Microsoft certification authority signing certificates added to the Untrusted Certificate Store. And finally the article mentions 3 rogue certificates:

Certificate - Microsoft Enforced Licensing Intermediate PCA
Issued by  - Microsoft Root Authority
Thumbprint - 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
 
Certificate - Microsoft Enforced Licensing Intermediate PCA
Issued by  - Microsoft Root Authority
Thumbprint - 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
 
Certificate - Microsoft Enforced Licensing Registration Authority CA (SHA1)
Issued by  - Microsoft Root Certificate Authority
Thumbprint - fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
 

I don't have them on my host XP Pro SP 2 machine with IE6 nor do I have them on my virtual machine with XP Pro SP 2 and IE 8.

The reason I have never gotten »www.microsoft.com/en-us/download···id=29434 or any updates before it for IE Root Certs is because WGA is required. I don't use IE6 at all except for a few speed tests that I trust. On the virtual machine with IE 8, I rarely use it except for the same speed tests. I'm not allowing WGA just to get a Root Certs update for a browser I rarely use.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

reply to OZO
Glad you found what you wanted..as for all your questions..have to pass on this..I am not doing squat myself with these on XP because they are not there in the first place..certainly not concerned about any man in the middle..and don't update XP much these days...but for others I would say..the method for CA is flawed..Flame won't be the last crack at it.

reply to Mele20

reply to Name Game
How Flame forged Certs:

Microsoft speaks out on Flame malware certificate forgery

»nakedsecurity.sophos.com/2012/06···forgery/

Technical details on the exploited Terminal Server Licensing Protocol:

MSRC 2718704 and the Terminal Services Licensing Protocol

»rmhrisk.wpengine.com/?p=52
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

I've been wondering since the story broke what idiots would use MD5 in a cert. The Sophos article you link to says:

"The moral of the story?

Don't use digital certificates which rely on MD5. In fact, avoid MD5 as far as you can."

Remember the SSL Blacklist? I was using his extension for many years on Fx 1.5 that I didn't upgrade until last year to Fx 4.

»codefromthe70s.org/sslblacklist.aspx
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

reply to Name Game
Thanks for the heads up on this, Name Game (And others).
And aways remember...No "flaming" allowed around here!
--
I had a life once.....now I have a Computer and a Modem.

To me it seems more like someone finding Excalibur and being able to wield it.