Comments on: An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

mek — Fri, 08 Jun 2012 11:13:00 -0800

"Flame" is the name of a newly-identified malware program which utilizes a previously unknown MD5 collision attack to successfully spoof Microsoft Terminal Services, and install itself as a trusted program using Windows Update, Microsoft has confirmed. The program appears to have targeted computers in the Middle East, and specifically Iran; analysts have alleged it is likely created by the same entity that designed Stuxnet. Flame has been live and actively spying since 2010, but went undetected until recently, due to sophisticated anti-detection measures.

While anonymous US officials have claimed responsibility for the program, officially both the USA and Israel have denied any involvement.

By: Bathtub Bobsled

Bathtub Bobsled — Fri, 08 Jun 2012 11:19:16 -0800

What's the likelihood the entity that created this had direct consultation with some salaried folks in Redmond, Washington? P.S. "Flame" is one letter above lame. Next time you guys are naming these things, PM me and I'll come up with some awesome names... if Weedlord Bonerhitler isn't already in use...

By: The Lamplighter

The Lamplighter — Fri, 08 Jun 2012 11:21:06 -0800

If they had Microsoft's help I don't think they would need to use an unknown MD5 collision.

By: Bathtub Bobsled

Bathtub Bobsled — Fri, 08 Jun 2012 11:23:35 -0800

Actually, that's a very good point Lamplighter. Disregard.

By: mullingitover

mullingitover — Fri, 08 Jun 2012 11:27:13 -0800

A collision attack!? Who could've seen that one coming?

By: Ad hominem

Ad hominem — Fri, 08 Jun 2012 11:29:58 -0800

I've been following this the past couple days and I've been particularly interested in how they used the terminal services cert to sign bogus updates. From what I hear, signing bogus updates with a terminal services cert just worked in for older versions of windows but newer versions had additional checks in place. The MD5 collision attack was used to bypass the checks in newer versions. An additional wrinkle is that Flame has started uninstalling itself after a command was sent out by whoever created it. It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous.

By: mr_roboto

mr_roboto — Fri, 08 Jun 2012 11:31:18 -0800

I cannot wait for the blowback from this one. The best consequences are always the unintended ones!

By: aspo

aspo — Fri, 08 Jun 2012 11:31:59 -0800

It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous. That's the downside of working for the NSA...

By: rh

rh — Fri, 08 Jun 2012 11:35:53 -0800

That's the downside of working for the NSA... The upside? Hawaii and rainbows!

By: mmrtnt

mmrtnt — Fri, 08 Jun 2012 11:38:36 -0800

The best consequences are always the unintended ones! Because the US government and Microsoft can work hand-in-hand to backdoor "enemies", it won't be long before all the bad guys just use Linux instead. Unintended Consequence: Anyone using Linux is possibly a terrorist. Also, this seems appropriate.

By: Talez

Talez — Fri, 08 Jun 2012 11:41:49 -0800

A collision attack!? Who could've seen that one coming?

From the link: Do not use the MD5 algorithm Do not use the MD5 algorithm Do not use the MD5 algorithm Do not use the MD5 algorithm Do not use the MD5 algorithm Do not use the MD5 algorithm

By: Ad hominem

Ad hominem — Fri, 08 Jun 2012 11:42:44 -0800

I don't think Microsoft worked hand-in-hand on this. Windows update is now completely untrustworthy for millions of machines.

By: pwnguin

pwnguin — Fri, 08 Jun 2012 11:44:58 -0800

mmrtnt: "Unintended Consequence: Anyone using Linux is possibly a terrorist." More like "Unintended Consequence: Linux is found to be just as buggy and insecure as Windows".

By: BrashTech

BrashTech — Fri, 08 Jun 2012 12:00:15 -0800

I, for one, welcome the made-for-TV movie about a team of top-secret virus-writing hacker-spies and their thrilling and sexy adventures. Within 3 years. Mark my words. 'Cause this stuff is gold.

By: charred husk

charred husk — Fri, 08 Jun 2012 12:02:34 -0800

Ad hominem:
"It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous."

Why publish any more when you can make a bunch of money? BTW, that article really worries me.

By: JHarris

JHarris — Fri, 08 Jun 2012 12:03:08 -0800

It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous. Try infuriating. This is basically math kept secret for reasons of national security. More like "Unintended Consequence: Linux is found to be just as buggy and insecure as Windows". Yeah they all the same amirite

By: Ad hominem

Ad hominem — Fri, 08 Jun 2012 12:21:54 -0800

Really it isn't an issue if Linux or OS X or Openbsd is more secure if your attacker is a federal agency with a near unlimited budget and also full of good will hunting type super-geniuses. They probably have 0-day exploits ready to go for every OS ever written the same way the DOD just had two hubbles laying around taking up space.

By: Stonestock Relentless

Stonestock Relentless — Fri, 08 Jun 2012 12:21:59 -0800

If the authors of Flame had received help from microsoft, it would never have installed properly.

By: sparkletone

sparkletone — Fri, 08 Jun 2012 12:25:25 -0800

Flame is apparently in the process of self-destructing.

By: Flunkie

Flunkie — Fri, 08 Jun 2012 12:28:52 -0800

If the authors of Flame had received help from microsoft, it would never have installed properly.

It looks like you're trying to subvert a nation state! Would you like help? o Get help with subverting the nation state o Just subvert the nation state without help □ Don't show me this tip again

By: gilrain

gilrain — Fri, 08 Jun 2012 12:35:33 -0800

Stonestock Relentless: If the authors of Flame had received help from microsoft, it would never have installed properly. Oh, snap! I'm surprised you restrained yourself from using a dollar sign for the S. Oh, well played indeed.

By: CBrachyrhynchos

CBrachyrhynchos — Fri, 08 Jun 2012 12:36:47 -0800

Bad news: We probably don't live in a Star Trek future. Worse news: We definitely live in a William Gibson future.

By: -harlequin-

-harlequin- — Fri, 08 Jun 2012 12:38:41 -0800

a federal agency with a near unlimited budget and also full of good will hunting type super-geniuses. I'd suggest that the federal agency enjoys one of those two things.

By: cjorgensen

cjorgensen — Fri, 08 Jun 2012 12:50:39 -0800

It is kind of awe inspiring to think whoever created it used an entirely new collision attack for malware instead of say publishing it and becoming famous. Unlike all the other household names that published previously.

By: k5.user

k5.user — Fri, 08 Jun 2012 12:54:33 -0800

cjorgensen, where's your Free Kevin! t-shirt ?

By: quonsar II: smock fishpants and the temple of foon

quonsar II: smock fishpants and the temple of foon — Fri, 08 Jun 2012 13:01:51 -0800

Oh, snap! I'm surprised you restrained yourself from using a dollar sign for the S. Oh, well played indeed. posted by gilrain at 3:35 PM on June 8 ignorance is bli$$.

By: nTeleKy

nTeleKy — Fri, 08 Jun 2012 13:07:37 -0800

Do not use the MD5 algorithm Just wanted to add that wikipedia mentions SHA-2 as a currently acceptable alternative. I was interested in finding out more about the command and control servers and found this excellent analysis. It's from an analyst at Kaspersky and details the process by which they identified the servers, talks about the malware and compares it to duqu. Summary and conclusions: *The Flame command-and-control infrastructure, which had been operating for years, went offline immediately after our disclosure of the malware's existence last week. *We identified about 80 total domains which appear to belong to the Flame C&C infrastructure. *The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008. *The attackers seem to have a high interest in PDF documents, Office and AutoCad drawings. *The data uploaded to the C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression. *Flame is using SSH connections (in addition to SSL) to exfiltrate data. The SSH connection is established by a fully integrated Putty-based library. *Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame

By: Slothrup

Slothrup — Fri, 08 Jun 2012 13:30:00 -0800

There are a lot of operating systems and applications that auto-update themselves these days. Each individual update mechanism is basically an attack vector, and every public access point is an opportunity for man-in-the-middle attacks.

By: maiamaia

maiamaia — Fri, 08 Jun 2012 13:47:29 -0800

I doubt Microsoft would have wanted to do this, or that Siemens would have wanted to co-operate on Stuxnet, but whilst these multinationals have more money than lots of economies, the USA isn't one of those...plus they might want to sell stuff there...

By: Postroad

Postroad — Fri, 08 Jun 2012 14:05:07 -0800

A problem with the new chyber warfare, is that can unleash weapons that become uncontrolled

By: -harlequin-

-harlequin- — Fri, 08 Jun 2012 14:09:16 -0800

It was probably done with Microsoft's help, but not collaboration. Eg, when the agency asks for documentation, or to talk to an engineer, they usually get it, but they don't reveal what they're doing with that information. Oh hey, we're using it to trash your product! Sucks to be you!

By: Mental Wimp

Mental Wimp — Fri, 08 Jun 2012 14:18:10 -0800

Flame is apparently in the process of self-destructing. Pretty much spook SOP, eh?

By: phearlez

phearlez — Fri, 08 Jun 2012 14:20:18 -0800

A problem with the new chyber warfare, is that can unleash weapons that become uncontrolled Is that really so unlike all other warfare?

By: stbalbach

stbalbach — Fri, 08 Jun 2012 14:21:27 -0800

.."the most powerful weapon today in cyber space is still the propaganda, the chance to use the Internet to spread your message" This (from Postroad's link). Not to Godwin, but Hitler's success was because he used new technology, radio, film, loud speakers and other forms of modern propaganda, to spread his message. Note the Arab Spring. The "flash mob" is more than a curiosity, the ability to instantly organize many people for a single purpose is like a DOS attack, except with live people as the packets. That's power. Look at what Anonymous has done, hacking to be sure, but it's organized around a single short term goal. There's all sorts of potential for this kind of thing to take off in the near future. The quiet violence of the computer can easily become the violence in the street.

By: MattMangels

MattMangels — Fri, 08 Jun 2012 14:26:18 -0800

Can someone page flapjax at midnite and tell him that we need him in this thread to produce a parody of David Bowie's "Fame" called "Flame"?

By: bafflegab

bafflegab — Fri, 08 Jun 2012 14:28:49 -0800

If they had Microsoft's help I don't think they would need to use an unknown MD5 collision. If an entity wanted to maintain plausible deniability of its collusion with Microsoft, I would think it would naturally tend to move away from exploiting flaws in Microsoft's core proprietary codebase -- that would draw attention to the possibility of that collusion -- and instead look for flaws in the more mundane components, like hashes, etc.

By: Ad hominem

Ad hominem — Fri, 08 Jun 2012 14:50:54 -0800

Well there was the infamous NSAKEY in previous versions of Windows. I think it first appeared in an NT 4 service pack. No doubt the NSA has the source code to Windows, I'm not sure if it is true of the most recent versions but you used to be able to license it, that is what allowed things like sysinternals to exist. I might be the naive one but I don't think Microsoft would subvert their own update infrastructure for any reason. The cat is out of the bag now, every malware author out there is probably looking into it right now.

By: Ad hominem

Ad hominem — Fri, 08 Jun 2012 14:54:07 -0800

Unless this is some Obama style jedi 7 dimension chess and they are trying to destroy all existing versions of Windows to force people onto trusted computing platforms. My god, it all makes sense. We are through the looking glass here people.

By: Slothrup

Slothrup — Fri, 08 Jun 2012 14:59:17 -0800

it would naturally tend to move away from exploiting flaws in Microsoft's core proprietary codebase -- that would draw attention to the possibility of that collusion As I understand it, there are a surprisingly large number of entities -- including foreign governments like Russia's -- which have access to Windows source code. It is, perhaps, their assurance that there is no US-government trap door in the OS. But I also think that some people overvalue source code when it comes to finding security problems. I suspect that it's actually easier to work with the binary artifacts directly -- and in fact, security bugs can be introduced during compilation; for instance, by overly aggressive optimization.

By: three blind mice

three blind mice — Fri, 08 Jun 2012 15:01:31 -0800

Obama's virus wars: mutually assured cyber-destruction Mutually assured? Doesn't that mean both sides have the same capability? There you have it: IRAN IS DEVELOPING CYBER WEAPONS OF MASS DESTRUCTION.

By: feloniousmonk

feloniousmonk — Fri, 08 Jun 2012 15:25:41 -0800

I'm sure this will result in some kind of spike on attempts at subverting Windows Update, but I don't think that's unusual. Several years ago I interviewed with a group that provides not WU but a service it relies on to verify OS installs, and I got the distinct impression that they had a significant number of staff dedicated to full time firefighting as people constantly were trying to break the APIs.

By: Nelson

Nelson — Fri, 08 Jun 2012 16:01:47 -0800

I think what's most interesting about Flame is that it's actually older than Stuxnet/Duqu. Also the analyses I've read are coming to the conclusion it's a whole separate codebase, albeit with some shared design characteristics. There's more than one espionage malware stack being developed by the US government, that's fascinating. How many more are there?

By: kjh

kjh — Fri, 08 Jun 2012 16:22:34 -0800

As I understand it, there are a surprisingly large number of entities -- including foreign governments like Russia's -- which have access to Windows source code. It is, perhaps, their assurance that there is no US-government trap door in the OS. But I also think that some people overvalue source code when it comes to finding security problems. I suspect that it's actually easier to work with the binary artifacts directly -- and in fact, security bugs can be introduced during compilation; for instance, by overly aggressive optimization. Though it's implied in your comment, I'll state it outright: having the source means nothing if you don't have the ability to build it. That is, Russia can examine the Windows source code all day long, but if the binary build they're deploying is provided by Microsoft, there isn't any assurance that the binary exactly matches the source. (I'll add as a caveat that I don't believe for a second that Microsoft is directly involved in this or any other such skullduggery.) You can even go a step further and say that even if they have Microsoft's build environment--and even if they have the source code for Microsoft's build environment--they still can't be sure that what ends up being built is semantically identical to the source code. Ken Thompson: Reflections on Trusting Trust.

By: Samizdata

Samizdata — Fri, 08 Jun 2012 21:33:03 -0800

mmrtnt: "The best consequences are always the unintended ones! Because the US government and Microsoft can work hand-in-hand to backdoor "enemies", it won't be long before all the bad guys just use Linux instead. Unintended Consequence: Anyone using Linux is possibly a terrorist. Also, this seems appropriate." Cool, I'm a terrorist now? Add that to my international arms dealer status (crypto export violation as protest) and I am that much closer to a real Bond villian! Even have a fuzzy cat AND a giant monitor! Rest of the lair kinda sucks though.

By: Samizdata

Samizdata — Fri, 08 Jun 2012 21:37:38 -0800

Villain, even. Evil does not preclude typos, unfortunately.

By: yoink

yoink — Sat, 09 Jun 2012 08:26:54 -0800

I, for one, welcome the made-for-TV movie about a team of top-secret virus-writing hacker-spies and their thrilling and sexy adventures. Within 3 years. Mark my words. 'Cause this stuff is gold. "Quick, you need to hack the mainframe!" "I'm almost in! See all those spinning balls? If I can just navigate my hacker-craft past them, you'll see them turn green--that will mean I have control of their mainframe!" "Oh no! You'll have to hack faster! The spinning balls are beginning to turn yellow!" "Quick--you'd better help me hack by typing on the keyboard at the same time as me! Man, this is the toughest mainframe I've ever tried to hack into! I think I might need to undo another button on my blouse so my boobs can cool down from all the hacking they're helping me do." Or has Hollywood gotten better at writing movies about anything related to computers?

By: newdaddy

newdaddy — Sat, 09 Jun 2012 14:21:50 -0800

A former senior Israeli government minister has told us that, just as Sanger confirmed Stuxnet was created in partnership with the IDF's Unit 8200 cyber warfare unit, Flame was created by similar figures in Israel. . The Guardian article seems fairly confident and specific that Flame is both written and used by Israeli entit(ies) but most comments in this thread seem preoccupied with the notion that NSA is somehow responsible. Why is that? Is it reflective of some deeper knowledge or due to conflicting news reporting? Or just cloak-and-dagger fantasies? Am I misunderstanding something?

By: Thistledown

Thistledown — Sun, 10 Jun 2012 05:33:08 -0800

It's an easy thought experiment. Big and Mysterious NSA doing something Big and Mysterious, as opposed to Tiny Israel, y'know?

By: Nelson

Nelson — Mon, 11 Jun 2012 08:23:08 -0800

Back to Stuxnet: the missing link. Kaspersky looks deep into older versions of Stuxnet and finds evidence of shared source code with Flame.

The above conclusions point to the existence of two independent developer teams, which can be referred to as "Team F" (Flame) and "Team D" (Tilded). Each of these teams has been developing its own platform since 2007-2008 at the latest. In 2009, part of the code from the Flame platform was used in Stuxnet. We believe that source code was used, rather than complete binary modules. Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities.

By: homunculus

homunculus — Mon, 11 Jun 2012 12:45:57 -0800

StuxNet: Covert Op-Exposing Code In, Covert Op-Exposing Code Out

By: ericb

ericb — Tue, 12 Jun 2012 09:31:12 -0800

Is Flame virus fallout a Chinese, Russian plot to control the Internet?

By: Ad hominem

Ad hominem — Wed, 13 Jun 2012 11:28:08 -0800

Analyzing the MD5 collision

By: homunculus

homunculus — Fri, 15 Jun 2012 14:52:43 -0800

Could US cyberspies have moles inside Microsoft?

By: homunculus

homunculus — Wed, 20 Jun 2012 10:20:22 -0800

U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say