Windows Update is Microsoft’s tried-and-true method of distributing security patches to protect computers around the world from malicious code.
However, researchers investigating the mysterious Flame virus have discovered that the virus can spread by hijacking that very same system — inserting itself into the Windows Update process to spread malicious code across a network.
The revelation comes on top of the earlier news that the virus creators exploited a flaw in a Microsoft cryptography algorithm to create a counterfeit digital signature, making it seem as if the malicious code came from Microsoft.
In other words, to the computer being infected, it looks as if it’s receiving a normal update from Microsoft, through the normal update process — when, in fact, neither of those things is true.
This is called a man-in-the-middle attack, and the fact that someone has pulled it off with Windows Update is an eye-opener, to say the least. The silver lining is that it’s a narrow attack, targeting computers in Iran and other parts of the Middle East.
However, researchers are describing it as an unsettling precedent, and a potential nightmare.
“Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened,” writes F-Secure’s chief research officer, Mikko Hypponen, in a post explaining how the process works. “I guess the good news is that this wasn’t done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.”
Microsoft over the weekend released an emergency security update to block software using the bogus digital signatures — the ones that made the nasty code appear to be authorized by Microsoft — and fixed the bug that allowed the signatures to be created.
In a follow-up post yesterday acknowledging the latest revelations, Microsoft’s Security Response Center wrote that the company would be taking additional steps “to further harden Windows Update” against these kinds of attacks. The post by MSRC senior director Mike Reavey noted:
The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.
Aleks Gostev of Kaspersky Lab has a detailed technical explanation here, noting that the hijacking of Windows Update spreads the Flame virus across a network by leveraging a machine that has already been compromised.
Gostev explains, “When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client.”
He says the initial infection could still be happening by exploiting “zero-day” vulnerabilities, known security holes for which patches aren’t yet available.
Gostev notes that the latest revelations confirm Kaspersky’s initial belief that Flame is “one of the most interesting and complex malicious programs we have ever seen.”