
Flame Malware Hijacks Windows Update

timothy posted about 2 years ago | from the trustworthy-computing-of-course dept.


wiredmikey writes "As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how." And an anonymous reader adds a note that Flame's infrastructure is massive: "over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries."
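The summary's point that the rogue certificate "improperly allows code signing" comes down to whether the verifier enforces Extended Key Usage along the whole chain, not just on the leaf. Added example, not from the story, Kaspersky or Microsoft: Go's crypto/x509 run against a constructed three-tier chain whose intermediate is limited to serverAuth, showing that an EKU-blind verification accepts the code-signing leaf while an EKU-aware one rejects it. All names, serials and lifetimes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-level hierarchy: root CA -> intermediate CA -> leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// mkCert signs tmpl with parentKey (self-signed when parent is nil) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs a root, an intermediate whose EKU is serverAuth only (plus
// codeSigning when interAllowsCodeSigning is set) and a leaf that claims codeSigning.
// Names, serials and lifetimes are constructed for this example.
func BuildChain(interAllowsCodeSigning bool) (*Chain, error) {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
		if ca {
			c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
		}
		return c
	}
	root, rootKey, err := mkCert(tmpl("Example Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	interT := tmpl("Example Licensing Intermediate CA", 2, true)
	interT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if interAllowsCodeSigning {
		interT.ExtKeyUsage = append(interT.ExtKeyUsage, x509.ExtKeyUsageCodeSigning)
	}
	inter, interKey, err := mkCert(interT, root, rootKey)
	if err != nil {
		return nil, err
	}
	leafT := tmpl("Example Update Signer", 3, false)
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	leaf, _, err := mkCert(leafT, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// verify builds a path from Leaf to Root and checks it for the requested usages.
func (c *Chain) verify(usages ...x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: usages})
	return err
}

// VerifyCodeSigning insists that every certificate in the path permits code signing.
func (c *Chain) VerifyCodeSigning() error { return c.verify(x509.ExtKeyUsageCodeSigning) }

// VerifyAnyUsage accepts a path whose signatures and validity periods check out, ignoring EKU.
func (c *Chain) VerifyAnyUsage() error { return c.verify(x509.ExtKeyUsageAny) }

func main() {
	for _, allow := range []bool{false, true} {
		c, err := BuildChain(allow)
		if err != nil {
			panic(err)
		}
		fmt.Printf("intermediate allows code signing=%v  EKU-aware: %v  EKU-blind: %v\n",
			allow, c.VerifyCodeSigning(), c.VerifyAnyUsage())
	}
}
```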


268 comments

whoops (4, Insightful)

gbjbaanb (229885) | about 2 years ago | (#40222001)

and you thought Conficker was bad!

Re:whoops; ASK SLASHDOT... (2, Interesting)

mcgrew (92797) | about 2 years ago | (#40222191)

OK, my notebook that still has Windows on it (out of pure laziness) has been nagging me about a security update for a couple of days; yesterday I went ahead and updated. Should I worry?

Re:whoops; ASK SLASHDOT... (4, Funny)

The Mighty Buzzard (878441) | about 2 years ago | (#40222359)

Of course, it's running Windows.

The preceding was meant tongue-in-cheek but even having said that there'll probably still be Linux/MS fanbois who want to take it seriously and start a flamewar.

Re:whoops; ASK SLASHDOT... (3, Informative)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40222529)

If you are on a network that already features Flame, you should probably just wipe and reinstall now.

Otherwise, that security update was probably Microsoft's emergency blacklisting of the signing keys that were used to make the Flame components pass as MS-signed software...

Re:whoops; ASK SLASHDOT... (5, Funny)

Razgorov Prikazka (1699498) | about 2 years ago | (#40222571)

Well, I am not an expert on the topic but there are a few things you might want to consider before you get all overexcited on that...
First, there are hardly any infections outside the Arab world. (my guess is that it just takes a look at the keyboard driver in use) Going by your username you're not an Arab guy.
Second, the virus seems to be activated by some kind of a human operator, and well... you are probably not important enough (read: high level nuke scientist or something)
Third, this thing is in the wild since 2010, maybe even as early as 2007, and you didn't get infected in all the updates since then (I assume), or it is too late anyway.
Fourth, you use Windows and then ask if you might catch a virus? Seriously?
Fifth, to be absolutely safe: format your HD a couple of times, get OpenBSD on it with a strong root password (at least 128 characters), get the battery out and pack the thing in a lead box with walls at least 5 inches thick, fill the rest of the box with epoxy and bury the whole thing at a depth of at least 10 feet... on Pluto...

Re:whoops; ASK SLASHDOT... (-1)

Anonymous Coward | about 2 years ago | (#40222975)

I say we take off, format the HD a couple of times, get OpenBSD on it with a strong root password (at least 128 characters), get the battery out and pack the thing in a lead box with walls at least 5 inches thick, fill the rest of the box with epoxy and bury the whole thing at a depth of at least 10 feet... on Pluto.

It's the only way to be sure.

Re:whoops; ASK SLASHDOT... (1)

paladinsama (1831732) | about 2 years ago | (#40223295)

If you read the summary of the article, you can deduce that a computer on your own subnet needs to be already infected before your machine can be infected.

Re:whoops (0)

GPLHost-Thomas (1330431) | about 2 years ago | (#40222419)

Well, it's not Conficker or Flame that is bad here... I had very low trust in Windows, now it's down to an absolute zero. How can it be THAT bad, seriously? How can people accept using such a toy OS?

Re:whoops (0, Insightful)

Anonymous Coward | about 2 years ago | (#40222581)

Because Linux is better? Unhackable? Impervious?

Obvious mechanisms exist to secure any OS. How is this targeted attack vector any better/worse than any other targeted attack vector that would be pointed at *insert your favorite OS of choice*?

If you can't trust Windows, how can you - with a straight face - say you can trust Linux, Mac, Android, BB, etc? Unless you personally verify - and understand - every line of code in your OS - which I KNOW you don't do - how can you say your choice of OS is any better?

Re:whoops (3, Informative)

sjames (1099) | about 2 years ago | (#40223075)

So your claim is that because no safe is absolutely unbreakable, you should just put your money out on the curb in a pile and call it good?

If Windows is a piggy bank, Linux is at least a lockbox. Neither is invulnerable, but one is clearly more secure than the other.

As for why, MS managed to lose control of (or whore out) the one true cert that all Windows installations are dependent on. In spite of that being public knowledge they haven't revoked it.

So there you have it, Windows is a piggy bank guarded by a crack ho :-)

Re:whoops (1)

Anonymous Coward | about 2 years ago | (#40223389)

You forgot that in this analogy the Windows piggy bank is also loaded with cash, whereas the Linux lockbox has a few small bills in it that nobody would miss either way.

Re:whoops (1)

Endovior (2450520) | about 2 years ago | (#40223543)

Exactly. Nobody writes viruses for Linux because, demographically speaking, nobody uses it. Same reason why viruses for Macs are starting to appear... more users means more targets. Linux isn't much more secure than Windows, really; it's just that not enough people use it to make attacking it worthwhile. That said, security through obscurity remains a form of security nonetheless. If you're prepared to deal with the downsides associated with using unpopular software, you get the incidental bonus that your system is too unpopular for viruses, as well.

Re:whoops (2)

sjames (1099) | about 2 years ago | (#40223829)

I'm guessing there are a lot more high value Linux servers out there than Windows.

The difference is the payoff. A successful attack on a Linux box will likely be detected and dealt with promptly while there is a metric assload of Windows boxes still infected with conficker.

Re:whoops (0)

Anonymous Coward | about 2 years ago | (#40223235)

Did you even bother reading the article? Of course not, you're probably illiterate.

a) The number of infected computers is down to 400, mostly in Middle East countries. If you're worried that you're one - when there's over 1 billion Windows installs, then you should go buy a lottery ticket.

b) The Flame attack used a cryptographic collision attack on a certificate, which means that any company could be attacked by it if they had a similar product line.

Do I trust OSes in general? Not really; software can always be compromised. Windows isn't any different than any other software at this point.

Re:whoops (5, Interesting)

devjoe (88696) | about 2 years ago | (#40223637)

Parent post points out what I thought was the most interesting part of the article, that a cryptographic collision attack was used to generate the fake certificate. We've seen multiple [slashdot.org] articles [slashdot.org] here about researchers using cryptographic collision attacks against certain ciphers, but, aside from the story about GnuPG short IDs that were only 32 bit hashes, [slashdot.org] this is the first time I can recall hearing that one was used in the wild against a real security system. Now maybe people will pay attention to what those researchers were saying...

Agreed (0)

Anonymous Coward | about 2 years ago | (#40222931)

Thinking more about it, Conficker could have been just a decoy, doing pretty much anything but spreading sporadically, keeping researchers busy looking elsewhere to shelter the real McCoy, Flame.

Pretty neat stunt really. Probably not too many would have thought of it.

Re:whoops (1)

hemo_jr (1122113) | about 2 years ago | (#40223457)

Whoever wrote Flame got legit certs from MS somehow. So it seems a bit hypocritical of MS to be acting so innocent and violated at this point.

While they're at it (5, Interesting)

slashmydots (2189826) | about 2 years ago | (#40222003)

The security surrounding Windows Update is rather pathetic, certificate or no certificate. It's cost me many, many extra hours and headaches. While they're "hardening up" Windows Update, they should also make a vastly improved repair utility for it. I hate spending all that time removing a virus from a customer computer just to find out at the end that Windows Update is irreparably broken and SFC, their own fixit tool, 3rd party mass re-registration tools, and registry utilities all cannot fix it, so I have to reinstall. Considering that an OS install is classified as "totaled" if Windows Update no longer works, maybe they should protect it better AND make a flawless, end-to-end reinstaller that resets it to absolute default settings and fully repairs it.

Re:While they're at it (0)

Anonymous Coward | about 2 years ago | (#40222059)

... and a pony.

links (1)

Anonymous Coward | about 2 years ago | (#40222089)

http://support.microsoft.com/kb/971058

http://support.microsoft.com/kb/943144

Re:While they're at it (4, Informative)

slaker (53818) | about 2 years ago | (#40222135)

I get a lot of mileage out of Windows Repair Portable [majorgeeks.com]. It restores settings for a large number of issues that don't have a regular, non-painful reset/repair/reinstall option. I've found it particularly handy for fixing the Windows Firewall and Windows updates.

I'd prefer to do a reinstall under almost all circumstances of malware infection, but that's not always an option available for home or small business systems. I particularly dislike having to rely on Windows System Restore. I really wish modern versions of Windows had a painless repair install that would allow end users to keep programs and settings.

Re:While they're at it (0)

Anonymous Coward | about 2 years ago | (#40222429)

I agree with your point that it should be a viable option if we choose to use it. But I can think of very, very few situations where it would be acceptable to not do a complete reinstall anyway if the system were that infested with a virus.

Re:While they're at it (1)

slaker (53818) | about 2 years ago | (#40222587)

I've actually lost clients from advocating reinstall as a standard procedure after infection. The usual claim is that it's an excuse for me to pad a bill. I know a repaired system is substantially more vulnerable than a known-clean new install is, and I can make a good case for that with my customers, but that doesn't mean they all go along with it and at some point I decided that it's not really a battle that's worth fighting.

Sell them system images (4, Informative)

zerofoo (262795) | about 2 years ago | (#40222679)

You may want to build system images of important machines and just "re-image" after a virus infection. I do that with the few Windows machines we have here.

Clonezilla is fantastic for this. It's free and it makes simple images that can be stored on any file share. It doesn't yet image to drives smaller than the original source machine, but I'm confident they will add that in the future. For now, I image to drives equal in size or larger.

Sure Acronis, Ghost and the like work as well, but it's hard to argue with free.

-ted

Re:Sell them system images (1)

slaker (53818) | about 2 years ago | (#40223057)

I do that for small business machines. I know all about Sysprep and .wim files. Believe me. I also leverage the fact that there are free versions of TrueImage available for anyone whose machine includes a WD, Maxtor or Seagate hard disk. That doesn't help much to address home machines or personal laptops.

One thing in particular that I've found to be problematic in relation to getting Windows reinstalled is fear of losing purchased iTunes content. If I had to guess, that's a bigger issue than absolutely anything else I've run into.

Re:Sell them system images (2)

lgw (121541) | about 2 years ago | (#40223719)

That's very old school. Anything important should be a VM these days - not only is snapshotting, cloning (if needed), and reverting trivial with any of the major virtualization products, but most of them also give you a way to access the guest filesystem from the host, which allows for far easier virus removal (a rootkit on the guest is no impediment to the host).

Re:While they're at it (5, Informative)

Anonymous Coward | about 2 years ago | (#40222769)

Who repairs a windows install? Really, it's not worth anybody's time. If you're qualified enough to remove a modern rootkit with any real guarantee of future security, then the value of your time spent removing said infection is more than the total cost of a new PC. Not even remotely kidding.

Installing Windows while recovering user data is fast and easy. Modern rootkits are too good. The only reasonable course of action when you have an infection is wipe and install. - Make sure you clean the boot sector! (It's not a bad idea to boot a Linux CD/USB flash drive and dd zeros over the first few megabytes of the drive. This will wipe out the boot sector, partition table/disk label/whatever, and any other places low level nasties generally reside. Plus, your OS installer will see a nice fresh unused drive and will feel free to lay down new partitions as it sees fit, and will not be tempted to do anything stupid like attempt a repair or upgrade)

Re:While they're at it (0)

Anonymous Coward | about 2 years ago | (#40222989)

If you can't fix borked Windows Update post-malware in 15 minutes or less, you utterly fail as a desktop tech. Reinstall? Maybe just to be sure that you're rid of said malware, but if you're confident that the system is clean it's not that complicated. A few dlls to register, a couple of regkeys to verify. Oh noes.

Along with the KB links below me, add this to your arsenal. Easy peasy.

http://windowsxp.mvps.org/aupolicy.htm

Let the flamewars begin! (-1, Offtopic)

gislifb (1979154) | about 2 years ago | (#40222033)

It's no coincidence that the new M$-UI is called Metro! Why didn't they just call it "InTheCloset"?

Windows? Impervious? (4, Insightful)

dragisha (788) | about 2 years ago | (#40222071)

Funny thing to say about any version of Windows.

Question remains: how come those people are so dumb? Being at de facto cyberwar with a country, and still using closed-source programs originating from it?

Another one: Be rich and smart enough to have nuclear research, but not smart enough to roll their own IT infrastructure based on code they can audit?

Re:Windows? Impervious? (2)

ZeroSumHappiness (1710320) | about 2 years ago | (#40222445)

Nuclear research is easy. Good software design is hard.

(This statement meant to be both more and less tongue-in-cheek than you expect.)

Re:Windows? Impervious? (1)

geekoid (135745) | about 2 years ago | (#40222531)

"Good software design is hard."
Not really. It's just more costly.
We know how to build good software design.

Re:Windows? Impervious? (0)

Anonymous Coward | about 2 years ago | (#40223571)

Not really. We know a lot of tricks and techniques. Many heuristics. But good design from a security standpoint, where there are no holes in that design (let alone the code)? While still preserving a decent amount of functionality? That's still pretty hard.

Re:Windows? Impervious? (0)

Anonymous Coward | about 2 years ago | (#40223721)

"Not really. It's just more costly.
We know how to build good software design."

We just don't wanna pay for it.

Re:Windows? Impervious? (1)

lgw (121541) | about 2 years ago | (#40223817)

We know how to build good software design.

For example? SE Linux is pretty good, but it's quite hard to configure, and without a good per-application config it loses its advantage.

There are security products for Windows which achieve the same thing as SE Linux, BTW, but those too are all about the configuration. It's not that the Windows kernel is insecure, it's that people tend to run consumer software on their Windows install (and there's still too much crap "on" by default: Win2008-r2 made a large stride in the right direction there, but it still has a ways to go).

Re:Windows? Impervious? (2)

geekoid (135745) | about 2 years ago | (#40222521)

This is what happens when a country 'buys' into a technology. None of the infrastructure is there.

Re:Windows? Impervious? (1)

couchslug (175151) | about 2 years ago | (#40222945)

Because to many people, "Windows is the computer".

Also, there are plenty of "dumb" Americans using the same OS for the same reason.

"Another one: Be rich and smart enough to have nuclear research, but not smart enough to roll their own IT infrastructure based on code they can audit?"

Uh oh......

Re:Windows? Impervious? (1)

Razgorov Prikazka (1699498) | about 2 years ago | (#40223207)

Because to many people, "Windows is the computer".

Yup, and "google /is/ the internet". Or at least that is what twelve-o-clock-flashers think.

Looks good for Windows 8 sales (1, Interesting)

sideslash (1865434) | about 2 years ago | (#40222079)

A lot of people are predicting poor sales for Win8 because they dislike Metro; but there is probably going to be more visibility of the new "reset" capabilities of Windows 8, now that malware authors have raised their game to a new level.

Re:Looks good for Windows 8 sales (5, Insightful)

gQuigs (913879) | about 2 years ago | (#40222173)

Umm.. the developers behind Flame were able to hijack Windows update, gain access to a Microsoft code signing and website signing key, stay undetected in the wild for at least 2+ years.

But System Restore 2.0 is going to stop them? Your average piece of malware can survive a system restore...

Re:Looks good for Windows 8 sales (4, Informative)

Mashiki (184564) | about 2 years ago | (#40222749)

Indeed, certificate revocations went out on the 3rd.
http://support.microsoft.com/kb/2718704 [microsoft.com]

And as you've said, System Restore 2.0 won't stop them. And does malware survive? It gets worse than that: some of the more vicious ones inject themselves right into the SR backup, and edit the backed up hive. Unless you can remove it fully, you're kinda shot. Which can also mean disabling SR.

Re:Looks good for Windows 8 sales (1)

hobarrera (2008506) | about 2 years ago | (#40222777)

Even if it does, a single infected machine on the network will intercept the next windows update request, and re-infect your recently reset machine.

There's no way you can work around it, except by not having any other Windows computers on the network.

Re:Looks good for Windows 8 sales (1)

sideslash (1865434) | about 2 years ago | (#40223147)

Your average piece of malware can survive a system restore...

I think you use the word "average" differently than I do.

Re:Looks good for Windows 8 sales (1)

NoNonAlphaCharsHere (2201864) | about 2 years ago | (#40222225)

The malware authors are ALWAYS going to "raise their game to a new level" - it's an arms race, plain and simple. What's at issue is that one side doesn't fucking care that they're in one, and their responses are always reactive/responsive and half-assed.

Re:Looks good for Windows 8 sales (3, Insightful)

cowboy76Spain (815442) | about 2 years ago | (#40222515)

To be fair, a malware writer could not care less if their software breaks 10-20% of the PCs it attempts to hijack.

Make MS brick 5% and the cost to them could be astronomical.

So, it is not symmetric warfare.

Re:Looks good for Windows 8 sales (0)

Anonymous Coward | about 2 years ago | (#40223325)

"The number of still infected computers has shrunk since the discovery of the malware, and now reaches barely above 400"

That's like... 0.00000001% of MS's marketshare. I don't think they're worried about it.

Re:Looks good for Windows 8 sales (2)

sideslash (1865434) | about 2 years ago | (#40223111)

What's at issue is that one side doesn't fucking care that they're in one, and their responses are always reactive/responsive and half-assed.

What does Apple have to do with this story?

TFA says Win 7 64 bit not vulnerable? (5, Interesting)

Megor1 (621918) | about 2 years ago | (#40222153)

Anyone know what this is about? It's in the last paragraph: "It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware." Is that due to driver signing requirements?

Re:TFA says Win 7 64 bit not vulnerable? (5, Informative)

Anonymous Coward | about 2 years ago | (#40222251)

Anyone know what this is about? It's in the last paragraph:
"It's interesting to mention that these machines mostly run Windows XP and Windows 7 32 bit, but none of them run Windows 7 64 bit, which seems impervious against this and most other malware."

Is that due to driver signing requirements?

"Hardware-based DEP (Data Execution Protection), for example, is turned on for all 64-bit processes. Kernel Patch Protection (a.k.a. PatchGuard) protects access to internal operating system data structures. And device drivers must be digitally signed with a certificate issued by a trusted certificate authority. Finally, none of the large body of malware written as 32-bit drivers or any 16-bit code will run at all on 64-bit Windows."

http://securitywatch.pcmag.com/malware/284281-is-64-bit-windows-safer-than-32-bit

Re:TFA says Win 7 64 bit not vulnerable? (1)

hobarrera (2008506) | about 2 years ago | (#40222799)

They already have the code to sign their drivers though, just like they're signing everything else.

Re:TFA says Win 7 64 bit not vulnerable? (1)

gl4ss (559668) | about 2 years ago | (#40222381)

it might be that it's just not a target, fragmentation ftw i suppose.

but it beats me why it wouldn't be vulnerable to the Windows Update with rogue cert hijack though, nothing about DEP or driver signing should affect that attack vector..

Re:TFA says Win 7 64 bit not vulnerable? (1)

JoshuaZ (1134087) | about 2 years ago | (#40222453)

They may have limited their attacks so that they only used attacks on systems where they could get most of their attacks to work. If one wanted the system to stay unnoticed for as long as possible, it makes sense to only target the systems that you have a really good understanding of.

Driver signing is about DRM, not security (5, Informative)

Myria (562655) | about 2 years ago | (#40222487)

Is that due to driver signing requirements?

Driver signing doesn't mean squat for security. Third-party drivers with security holes and back doors are a dime a dozen, and there are even some in Microsoft drivers, of course. I have a publicly-available CPU diagnostic utility that comes with a signed 64-bit driver that allows user mode to write to any desired MSR. That easily leads to arbitrary code execution, most easily by changing the syscall vector. Malware that acquires administrator privileges can just install some company's vulnerable driver.

Driver signing is really about DRM. Hollywood was strongly concerned about fake video card and sound card drivers being used to dump unencrypted content from protected sources. The proof of my statement is what happens when you boot the Vista/7/8 kernel in debug or test signing mode: everything works except Blu-Ray movies and other DRM content.

As Microsoft continues its effort to keep its user (1)

Anonymous Coward | about 2 years ago | (#40222195)

Way to spin it guys. Unsecured with plans in the future to do something about it. And it's using their own certificate mechanism. I don't hold much hope in their ability to fix anything.

Re:As Microsoft continues its effort to keep its u (0)

Anonymous Coward | about 2 years ago | (#40222277)

There's still one left?

captcha: miseries

Re:As Microsoft continues its effort to keep its u (5, Funny)

NoNonAlphaCharsHere (2201864) | about 2 years ago | (#40222317)

I don't think you're being fair. Microsoft has fixed more security holes than all the other software companies on the planet combined. And I have every faith that they will continue to fix thousands and thousands of security holes every year for a long, long time to come.

Re:As Microsoft continues its effort to keep its u (1)

j00r0m4nc3r (959816) | about 2 years ago | (#40222377)

I'm not sure it works like that. It would be like me building a table with two legs and then getting kudos for adding two more legs a year later...

Re:As Microsoft continues its effort to keep its u (2)

NoNonAlphaCharsHere (2201864) | about 2 years ago | (#40222441)

Damn. I knew I should have used a "/sarcasm" tag.

Re:As Microsoft continues its effort to keep its u (1)

ColdWetDog (752185) | about 2 years ago | (#40222621)

Wouldn't help. Slashcode doesn't support it.

Re:As Microsoft continues its effort to keep its u (0)

Anonymous Coward | about 2 years ago | (#40222857)

Wouldn't help. Slashcode doesn't support it.

</sarcasm>

Re:As Microsoft continues its effort to keep its u (0)

Anonymous Coward | about 2 years ago | (#40222463)

Woooosh.

Re:As Microsoft continues its effort to keep its u (0)

Anonymous Coward | about 2 years ago | (#40222667)

Thank you. I wonder how many heads your irony will fly over.

Re:As Microsoft continues its effort to keep its u (1)

hobarrera (2008506) | about 2 years ago | (#40222817)

To fix a security hole, you have to release software with those holes first. Maybe all the rest can't compete, because they can't add up so many huge security holes.

Whoooosh! (0)

Anonymous Coward | about 2 years ago | (#40223573)

Is it a bird?

Is it a plane?

NO! It's Captain Obvious! He can leap to self-evident conclusions in a single bound!

Re:As Microsoft continues its effort to keep its u (0)

Anonymous Coward | about 2 years ago | (#40223579)

Thanks for the belly laugh, I needed that. Having a shitty day today.

Re:As Microsoft continues its effort to keep its u (0)

Anonymous Coward | about 2 years ago | (#40223391)

"The number of still infected computers has shrunk since the discovery of the malware, and now reaches barely above 400"

I think they're doing a fine job of fixing whatever the issue was.

Known fix for this problem... (0)

Anonymous Coward | about 2 years ago | (#40222247)

Geez. How to fix this problem in updaters was known and discussed years ago: https://www.eecs.berkeley.edu/~jsamuel/papers/survivable-key-compromise-ccs2010.pdf

I guess it takes an issue like this for them to get off of their butts and do something...

Re:Known fix for this problem... (1)

Anonymous Coward | about 2 years ago | (#40222471)

Captain Hindsight? Is that you?

Re:Known fix for this problem... (3, Informative)

green1 (322787) | about 2 years ago | (#40222893)

Hindsight is when something is obvious in retrospect. A paper published before the infection is not hindsight, but foresight.

That said, I love how clicking on the link to a paper about a security vulnerability leads to my browser giving a security certificate warning....

LOL (0)

Anonymous Coward | about 2 years ago | (#40222307)

And everyone is trying to spin this as American/Israeli made etc. as some sort of political talking point.

And it's getting more and more obvious. This wasn't a government tool. This was the work of very smart crackers with a very large plan.

Verify from many addresses (0)

sammeli42 (2646203) | about 2 years ago | (#40222383)

As long as you can get data from a certain IP address/URL you could download the update from 10 different addresses and then you could send it back to the Microsoft server (which verifies that it is authentic) and have your smart phone send verification of safety of the update, and then your smart phone sends the OK to the computer and then it updates. Or you could download the update to 100000 computers and then use beer-to-beer (joke) verifactionada and if enough verify the authenticity then perhaps accept it. You can say thank you MickeyMouseSoft if the idea posted above worked.

Wait until someone does the same with UEFI (0)

Anonymous Coward | about 2 years ago | (#40222455)

Wait until someone is able to revoke, overwrite, or otherwise mangle the keys used by UEFI. I will be laughing my ass off on the day no Windows machine will boot up because of some type of malware or virus that mangled the keys used by UEFI. Sadly, Fedora will probably get burned as well when this happens since they are opting to use MS to create the keys.

Re:Wait until someone does the same with UEFI (5, Insightful)

green1 (322787) | about 2 years ago | (#40223003)

That's just not the way malware works any more.
Early viruses were great, they did something obvious like put dialog boxes on your screen, ask for cookies, wipe your hard drive, or other obvious malicious behaviour. This was a good thing because it meant that they would never really spread that far because once infected, people knew they were infected, and the infection caused enough trouble to be worth fixing.
Modern malware is a completely different beast. The goal of modern malware is to be unnoticed by the end user so as to live as long as possible in the machine, and spread to as many others as possible, usually with the goal of leeching bandwidth from these machines for use in various botnets. As such, malware that causes your machine not to boot would defeat the purpose of modern malware. A machine that isn't booted up will not join a botnet, and will not spread to other machines.

What is more likely is that the virus writers will intercept the keys used by UEFI, manage to sign their own bootloader, and still run Windows in a way that the average end user can't tell the difference. This will make the virus almost impossible to remove as it will then have more access to the system than even the operating system itself does. On the bright side, once the UEFI keys are in the wild, the various free operating systems can use those same keys to sign their own bootloaders allowing people to run non-Windows software in a signed way on Windows-only hardware (call it jailbroken...)

So should I... (2)

frostfreek (647009) | about 2 years ago | (#40222467)

disable NetBIOS ?
I don't think I'm using it for anything... even my printer is set up with an IP address.

Re:So should I... (5, Informative)

green1 (322787) | about 2 years ago | (#40223041)

The answer to that has been a resounding yes ever since NetBIOS was introduced. It was always a windows only way of doing things that already had other non-proprietary standard ways of being accomplished. It has also been a vector for various malware over the years.

_This_ _is_ why Microsoft (0)

Anonymous Coward | about 2 years ago | (#40222507)

_This_ _is_ why Microsoft Security is a joke. We've known for 10 years that the update food chain was a primary target for malware people, and we've known for 2 years that CAs don't provide any security. They have had 2-10 years to harden this, just a little, and guess what, no dice. Further, DNS has already been hardened, but they introduce a hole by which to drive a Mack truck through. Peer to peer share the DNS info, Apple does; just be sure to share the full authentication information and _check_ it on the client side. When the authentication fails, drop the data, as is required.

Microsoft, you have been owned.

I want to update my machine, but, I want to hand verify a signature on an .exe from Microsoft, then run it, then be confident that it patches all the holes exploited for this malware to work. Luckily, most people don't have to worry about this malware, as they have automatic updates turned on, and they've already updated. Either they are already infected, or, there is a slim chance they might remain uninfected.

Was it a name resolution hijack or a proxy hijack? (1)

toejam13 (958243) | about 2 years ago | (#40222589)

According to the article, they say that infected machines will respond to NetBIOS name queries for Windows Update servers. That strikes me as odd. Don't you have to enable NetBIOS for DNS resolution in the Windows NT series? And aren't traditional BIND name servers a higher protocol bind order by default?

I thought I had read elsewhere that the problem was actually due to the insecurity of having "Automatically detect [proxy] settings" enabled for IE. When Windows Update fires off, it checks for the default proxy server on the subnet and an infected machine responds. If that's true, then we either need to move to a model where auto-discovery of proxy servers is disabled by default or one where clients won't trust proxy servers without their having a trusted cert issued by a local authority.

I don't understand (1)

DarkOx (621550) | about 2 years ago | (#40222641)

Why is Windows Update using NetBIOS? I thought the A record DNS results for update.microsoft.com and related were hard coded in the OS to prevent these sorts of spoofing attacks.

Is this something with the WSUS based updating procedure?

Cyberthings (1)

fa2k (881632) | about 2 years ago | (#40222669)

So if these things are government "cyberweapons", they are something like cyber-landmines, with huge collateral damage. This will not go on for long.

Certificate was revoked by an emergency patch (5, Informative)

VGPowerlord (621254) | about 2 years ago | (#40222765)

I saw an article about this already on Ars Technica. However, Ars included one detail that the Slashdot and Security Week stories don't:
Microsoft issued an emergency update [technet.com] Sunday that updated the Windows Certificate Revocation List specifically to expire the certificate used by this exploit.

Thank GOD! (0)

Anonymous Coward | about 2 years ago | (#40222823)

Finally, the source of that damn WGA update has been discovered and will be dealt with...
This has been a blight on the untarnished reputation that MS has held dear with their users!

CAPTCHA = validate

Did anyone NOT see this coming? (3, Insightful)

dave562 (969951) | about 2 years ago | (#40222925)

When Windows Update was introduced, the first thought to go through my mind was, "I wonder how long until someone compromises this and uses it to push out malware." It took a lot longer than I thought.

It's really funny... (0)

Anonymous Coward | about 2 years ago | (#40223019)

All the people who say "if you run Windows you will get a virus" make me laugh. I have run Windows OSes for 15 years and have only been infected by one virus, and that was my fault. Judgement day is coming for you Unix/Linux users. It has already started for Mac users. It's just a matter of time for you. So keep believing you're all safe and secure....

always was a little paranoid about "auto updating" (1)

Bigsquid.1776 (2554998) | about 2 years ago | (#40223323)

I always have a fiber of suspicion when I update software from the Internet. Noob question: What precautions do the big distros like Fedora take to prevent "man in the middle" attacks for package updates? I ran the update tool on my new clean Fedora 17 install and there were a bzillion updates.

Re:always was a little paranoid about "auto updati (1)

dremspider (562073) | about 2 years ago | (#40223709)

All packages are signed by Fedora, or whoever the distro is; unless you turn off the gpgcheck feature, it won't install the package if it hasn't been signed. The gotcha is that if you can steal Fedora's GPG key or somehow create a collision attack, they are also screwed as well, so they have the same issue.

Hang on (1)

Dunbal (464142) | about 2 years ago | (#40223327)

If this malware is part of a cyberwarfare effort by the US against Iran + Co, then isn't Microsoft - a US company - borderline committing treason by offering to patch the security hole?

Re:Hang on (1)

cyberchondriac (456626) | about 2 years ago | (#40223707)

Not to wear the tinfoil hat, but I wouldn't be absolutely shocked if MS was actually in on part of the thing. They've been accused of creating backdoors for the NSA and such, historically. So, they could conceivably issue their "fix" while working with "gub'mnt" for a different tactic or workaround.

fml (1)

Anonymous Coward | about 2 years ago | (#40223705)

Funny how when these problems arise, the government is especially silent...

But when there is someone infringing on COPYRIGHT the guns come out and they will issue international manhunts to bring the perpetrators down (even if only suspected). When there is a virus doing REAL WORLD DAMAGE, that's no biggie.

Who Paid for the C&C Servers? (3, Interesting)

utkonos (2104836) | about 2 years ago | (#40223865)

The US government has admitted to authorizing Stuxnet. Now it looks like Flame is probably also a government authorized weapon.

My question is where did the money for the C&C servers come from? Those C&C domains were paid for with stolen credit cards and stolen identities. The same thing was used to purchase the VPSs used as the C&C servers. Why isn't there an outcry because the US government stole the identities and credit card numbers of private individuals to make these botnets? Where did they get these stolen identities? Did they use criminal means and buy them on the black market from other botherders? Did they just open their own files and roll the dice choosing people at random?