Kaspersky Finds New Man-In-The-Middle Attack Within The Flame Worm

Since the middle of last week, researchers at Kaspersky have expressed concern about the potential for a zero-day vulnerability in Flame.

The company has now identified two modules within the code that appear to set-up that type of attack. The two modules, named "Gadget" and "Munch" can apparently work together to implement what Kaspersky calls "an interesting man-in-the-middle attack against other computers on the network."

When a machine tries to connect to Microsoft’s Windows Update, the "Munch" module redirects the connection through an infected machine and sends a fake, malicious Windows update to the client, using a server called "MSHOME-F3BE293C." But in order for this attack to work, the machines need to have their System Proxy settings configured to "Auto," according to Kaspersky.

[Related: New Worm Challenges Industry ]

On Sunday, Microsoft released a rare weekend security advisory reporting that unauthorized digital certificates, linked to Flame, have been identified. According to the company’s alert, certificates issued by Microsoft’s Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as originating from Microsoft. This vulnerability is now being closed through a special software update that is now available through Windows Update and Automatic Updates. Also, the practice of issuing certificates usable for code signing via the Terminal Services activation and licensing process has now been discontinued.

According to Kaspersky, Flame-infected computers use a default configuration that includes five command-and-control server domains. After validating Internet access by attempting to contact Microsoft.com and Versign.com over an SSL connection, the malware attempts to contact any of 11 command-and-control domains. Another 69 domains appear to be at least loosely connected to command-and-control, thereby bringing the total to 80. Most are registered by individuals using fake identities, with registrations going as far back as 2008. Many of the forged identities list fabricated addresses in Germany and Austria, but a number of the servers hosting Flame have been moved among a variety of countries, including Hong, Kong, Latvia, Malaysia, Poland, Switzerland and Turkey.

Flame also maintains a log of its activities which includes information on server connections, and times at which those contacts were made.

NEXT: Security Experts Warn Of Extensive Threat

Kaspersky has identified more than 20 different server IP addresses, and the five that the company has closely examined appear to be running Ubuntu Linux. The SSL certificates used by the Flame C&C are all self-signed, and the certificate of the last active domain, which was in the Netherlands, seems to have been generated on May 18.

At the moment, Flame infections have been found in 23 countries; the most notable being Iran, with 185 victims. Israel has the second highest number of victims at 95, and the United States currently ranks in sixth place with 11.

PDF documents, Office and AutoCad drawings appear to be heavily targeted by the attackers. Data uploaded to the command-and-control servers are encrypted using relatively simple algorithms.

Kaspersky also notes that the command-and-control infrastructure suddenly went offline last week when news about the Flame malware began to spread, yet the operation somehow remains active.

"Even though the known C&C servers went offline last Monday, we see evidence that some victims have received Flame updates within the past week," Roel Schouwenberg, senior researcher at Kaspersky Labs, said at a news conference this morning. "It is entirely possible that there is an unknown update mechanism. We don’t have all the modules, so there can be something to that."

Security experts describe Flame as one of the most interesting and complex malicious programs they have ever seen. Schouwenberg speculates that Flame’s capabilities might extend beyond cyber-espionage and be able to commit acts of cyber-sabotage, though he stresses that this is still conjecture.

"It’s almost impossible to completely protect your enterprise 100 percent of the time," Schouwenberg said. "So enterprises need to look at their core businesses, determine the things that they most need to protect and invest their resources in those directions."

Dan Hibbard, CTO of OpenDNS, took Schouwenberg’s point one step further. "We need to change the way we think about security," he told the news conference. "Right now, it’s about protection and defense. I think we need to move to the mindset that things will get in, which means we need to think about both preventing, maintaining and deciding what we are going to do when something gets into the network."