Kaspersky Finds New Man-In-The-Middle Attack Within The Flame Worm

Printer-friendly version Email this CRN article

Since the middle of last week, researchers at Kaspersky have expressed concern about the potential for a zero-day vulnerability in Flame.

The company has now identified two modules within the code that appear to set-up that type of attack. The two modules, named "Gadget" and "Munch" can apparently work together to implement what Kaspersky calls "an interesting man-in-the-middle attack against other computers on the network."

When a machine tries to connect to Microsoft’s Windows Update, the "Munch" module redirects the connection through an infected machine and sends a fake, malicious Windows update to the client, using a server called "MSHOME-F3BE293C." But in order for this attack to work, the machines need to have their System Proxy settings configured to "Auto," according to Kaspersky.

[Related: New Worm Challenges Industry]

On Sunday, Microsoft released a rare weekend security advisory reporting that unauthorized digital certificates, linked to Flame, have been identified. According to the company’s alert, certificates issued by Microsoft’s Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as originating from Microsoft. This vulnerability is now being closed through a special software update that is now available through Windows Update and Automatic Updates. Also, the practice of issuing certificates usable for code signing via the Terminal Services activation and licensing process has now been discontinued.

According to Kaspersky, Flame-infected computers use a default configuration that includes five command-and-control server domains. After validating Internet access by attempting to contact Microsoft.com and Versign.com over an SSL connection, the malware attempts to contact any of 11 command-and-control domains. Another 69 domains appear to be at least loosely connected to command-and-control, thereby bringing the total to 80. Most are registered by individuals using fake identities, with registrations going as far back as 2008. Many of the forged identities list fabricated addresses in Germany and Austria, but a number of the servers hosting Flame have been moved among a variety of countries, including Hong, Kong, Latvia, Malaysia, Poland, Switzerland and Turkey.

Flame also maintains a log of its activities which includes information on server connections, and times at which those contacts were made.

NEXT: Security Experts Warn Of Extensive Threat

Printer-friendly version Email this CRN article