“At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.”
Our suspicion was heightened because fully patched Windows 7 machines were being infected over the network in a very suspicious manner.We can now confirm this is the main purpose of a special module of Flame called “Gadget” together with another module called “Munch”. (NOTE: It’s important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities. The “Gadget” module is simply used to spread within a network from a machine that is already infected with the malware). The “Gadget” and “Munch” modules implement an interesting man-in-the-middle attack against other computers in a network. When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client. The fake update claims to be the following:
“update description="Allows you to display gadgets on your desktop."
displayName="Desktop Gadget Platform" name="WindowsGadgetPlatform">
This program (also detected as Worm.Win32.Flame.a), which is 28KB in size, has been signed by a fake Microsoft certificate:
This allows it to run in the victim’s machine without any warnings. The Flame “Gadget” downloader was compiled on December 27th, 2010. It was signed on December 28 and it was finally put into the CAB archive on Jan 11, 2011.
The following is exactly how the process occurs: the infected machine sets up a fake server by the name “MSHOME-F3BE293C”, which hosts a script that serves a full body of the Flame malware to victim machines. This is done by the module called “Munch”. When a victim updates itself via Windows Update, the query is intercepted and the fake update is pushed. The fake update proceeds to download the main body and infect the computer.
The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to “Auto”.As we continue our investigation of Flame, more and more details appear which indicate our initial statement: this is one of the most interesting and complex malicious programs we have ever seen. Important information: One June 4th, 2012, Microsoft released a number of blog posts and an Update for Windows which is blocking three fraudulent certificates used by Flame. We recommend that Windows users apply this update immediately. Microsoft SRD blog:http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx Microsoft security advisory 2718704:http://technet.microsoft.com/en-us/security/advisory/2718704 MSRC blog:http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
2012 Jun 05, 05:53
How's the analysis of Bunny, Dbquery, Headache, and Driller? Those four were mentioned earlier in a list of five modules whose purpose wasn't known; Gadget was the fifth.
2012 Jun 05, 20:37
Has the screenshot of the certificate been modified in any way? The spaces in the valid from and two dates are not there in genuine certificates and also single date values are normally displayed as 02 and not just 2. Just compare the screenshot to some other certificates in the Microsoft certificate store and you will see what I mean.
Re: Screenshot modified?
I doubt it—if it's a fake certificate, perhaps the certificate's creator made a sloppy mistake here. Alternately, perhaps it's not a mistake at all, and it's an artefact of the computer's date formatting. Though, of course the screenshot has been modified at least a little: did you notice the red boxes?
Re: Re: Screenshot modified?
Yes, of course ;) That's why I wondered if the freedom was taken to edit a bit more. Anyway, it may be an artefact or small mistake during the generation of the fake certificate. That's the main reason why I was pointing it out as these small differences sometimes can be used to determine how the fake certificate was generated or what tools may have been used.
2012 Jun 06, 08:38
MD5: 1f61d280067e2564999cac20e38604 1c