

Kaspersky Finds New Man-In-The-Middle Attack Within The Flame Worm

By Ken Presti
June 04, 2012    5:53 PM ET

Page 1 of 2

Since the middle of last week, researchers at Kaspersky have expressed concern about the potential for a zero-day vulnerability in Flame.

The company has now identified two modules within the code that appear to set up that type of attack. The two modules, named "Gadget" and "Munch", can apparently work together to implement what Kaspersky calls "an interesting man-in-the-middle attack against other computers on the network."

When a machine tries to connect to Microsoft’s Windows Update, the "Munch" module redirects the connection through an infected machine and sends a fake, malicious Windows update to the client, using a server called "MSHOME-F3BE293C." But in order for this attack to work, the machines need to have their System Proxy settings configured to "Auto," according to Kaspersky.
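As an added example (not from the CRN article or Kaspersky's analysis), the following PowerShell audit checks the precondition just described on a Windows host. It assumes that "Auto" means WinINet's "Automatically detect settings" (WPAD) flag, which is stored as bit 0x08 of byte 8 in each user's DefaultConnectionSettings registry blob, and it reads that blob for every loaded user hive.

```powershell
# Added example, not part of the CRN article or Kaspersky's analysis.
# Assumption: "System Proxy set to Auto" is WinINet's "Automatically detect settings"
# (WPAD) flag, stored as bit 0x08 of byte 8 in DefaultConnectionSettings.
$FlagManualProxy = 0x02   # bit layout of byte 8 (documented WinINet format)
$FlagPacScript   = 0x04
$FlagAutoDetect  = 0x08   # honours WPAD answers from DHCP option 252 / DNS "wpad"

$ConnKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'

function Get-ProxyAutoDetectState {
    param([string]$HivePath)   # e.g. Registry::HKEY_USERS\S-1-5-21-...
    $key  = Join-Path $HivePath $ConnKey
    $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings `
                -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if (-not $blob -or $blob.Length -lt 9) { return $null }   # hive has no WinINet settings yet
    $flags = [int]$blob[8]
    [pscustomobject]@{
        Hive        = $HivePath
        AutoDetect  = [bool]($flags -band $FlagAutoDetect)
        PacScript   = [bool]($flags -band $FlagPacScript)
        ManualProxy = [bool]($flags -band $FlagManualProxy)
    }
}

# Enumerate every loaded user hive (skip the *_Classes hives, they hold no WinINet keys).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$results = Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { Get-ProxyAutoDetectState -HivePath "Registry::$($_.Name)" } |
    Where-Object { $_ -ne $null }

$results | Format-Table -AutoSize

# Hives with AutoDetect = True will accept a WPAD answer from the local network,
# which is the condition the "Munch" redirect depends on. To harden, clear the bit
# (only after reviewing the list above):
$Remediate = $false
if ($Remediate) {
    foreach ($r in $results | Where-Object { $_.AutoDetect }) {
        $key  = Join-Path $r.Hive $ConnKey
        $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings).DefaultConnectionSettings
        $blob[8] = [byte]($blob[8] -band (-bnot $FlagAutoDetect))
        Set-ItemProperty -Path $key -Name DefaultConnectionSettings -Value $blob -Type Binary
    }
}
```

Run it from an elevated prompt so that all loaded user hives under HKEY_USERS are readable; the same flag can also be enforced centrally through Group Policy rather than per hive.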


On Sunday, Microsoft released a rare weekend security advisory reporting that unauthorized digital certificates linked to Flame had been identified. According to the company’s alert, certificates issued by Microsoft’s Terminal Services licensing certification authority, which are intended to be used only for license server verification, could also be used to sign code as originating from Microsoft. The vulnerability is being closed through a special software update that is now available through Windows Update and Automatic Updates, and Microsoft has discontinued the practice of issuing certificates usable for code signing via the Terminal Services activation and licensing process.

According to Kaspersky, Flame-infected computers use a default configuration that includes five command-and-control server domains. After validating Internet access by attempting to contact Microsoft.com and Verisign.com over an SSL connection, the malware attempts to contact any of 11 command-and-control domains. Another 69 domains appear to be at least loosely connected to command-and-control, bringing the total to 80. Most are registered by individuals using fake identities, with registrations going as far back as 2008. Many of the forged identities list fabricated addresses in Germany and Austria, but a number of the servers hosting Flame have been moved among a variety of countries, including Hong Kong, Latvia, Malaysia, Poland, Switzerland and Turkey.

Flame also maintains a log of its activities, which includes information on server connections and the times at which those contacts were made.
