The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

‘Gadget’ in the middle: Flame malware spreading vector identified

Kaspersky Lab Expert
Posted June 04, 16:54  GMT
Tags: Zero-day vulnerabilities, Certificate authorities, Flame, Cyber weapon, Cyber espionage

In our FAQ on Flame posted on May 28, 2012, we postulated there might be a still undiscovered zero-day vulnerability in Flame:

“At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.”

Our suspicion was heightened because fully patched Windows 7 machines were being infected over the network in a very suspicious manner.

We can now confirm this is the main purpose of a special module of Flame called “Gadget” together with another module called “Munch”.

(NOTE: It’s important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities. The “Gadget” module is simply used to spread within a network from a machine that is already infected with the malware).

The “Gadget” and “Munch” modules implement an interesting man-in-the-middle attack against other computers in a network.

When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client.

The fake update claims to be the following:

“update description="Allows you to display gadgets on your desktop."
displayName="Desktop Gadget Platform" name="WindowsGadgetPlatform">

In the process of infecting a client, 8 CAB files are used. One of them contains a specifically built program called WuSetupV.exe:

This program (also detected as Worm.Win32.Flame.a), which is 28KB in size, has been signed by a fake Microsoft certificate:

This allows it to run in the victim’s machine without any warnings.

The Flame “Gadget” downloader was compiled on December 27th, 2010. It was signed on December 28 and it was finally put into the CAB archive on Jan 11, 2011.

The following is exactly how the process occurs: the infected machine sets up a fake server by the name “MSHOME-F3BE293C”, which hosts a script that serves a full body of the Flame malware to victim machines. This is done by the module called “Munch”.

When a victim updates itself via Windows Update, the query is intercepted and the fake update is pushed. The fake update proceeds to download the main body and infect the computer.

Gadget plugin downloads the main body of the malware

The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to “Auto”.

As we continue our investigation of Flame, more and more details appear which indicate our initial statement: this is one of the most interesting and complex malicious programs we have ever seen.

Important information: One June 4th, 2012, Microsoft released a number of blog posts and an Update for Windows which is blocking three fraudulent certificates used by Flame. We recommend that Windows users apply this update immediately.

Microsoft SRD blog:http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

Microsoft security advisory 2718704:http://technet.microsoft.com/en-us/security/advisory/2718704

MSRC blog:http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx


Oldest first
Threaded view


2012 Jun 05, 05:53

Other modules

How's the analysis of Bunny, Dbquery, Headache, and Driller? Those four were mentioned earlier in a list of five modules whose purpose wasn't known; Gadget was the fifth.



2012 Jun 05, 20:37

Screenshot modified?

Has the screenshot of the certificate been modified in any way? The spaces in the valid from and two dates are not there in genuine certificates and also single date values are normally displayed as 02 and not just 2. Just compare the screenshot to some other certificates in the Microsoft certificate store and you will see what I mean.



2012 Jun 05, 23:26

Re: Screenshot modified?

I doubt it—if it's a fake certificate, perhaps the certificate's creator made a sloppy mistake here. Alternately, perhaps it's not a mistake at all, and it's an artefact of the computer's date formatting. Though, of course the screenshot has been modified at least a little: did you notice the red boxes?



2012 Jun 06, 01:04

Re: Re: Screenshot modified?

Yes, of course ;) That's why I wondered if the freedom was taken to edit a bit more. Anyway, it may be an artefact or small mistake during the generation of the fake certificate. That's the main reason why I was pointing it out as these small differences sometimes can be used to determine how the fake certificate was generated or what tools may have been used.



2012 Jun 06, 08:38


MD5: 1f61d280067e2564999cac20e38604 1c
SHA1: d36fad73c6aeff98906008f3eb5a16 812cc3188a
File size: 29928 bytes
Name: WuSetupV.exe

If you would like to comment on this article you must first

Bookmark and Share