http://www.h-online.com/security/news/item/Flame-oversights-and-expertise-made-for-Windows-Update-worst-case-scenario-1614234.html
Flame – oversights and expertise made for Windows Update worst case scenario
More information about how Windows Update was compromised is gradually coming to light. An oversight by Microsoft appears to have played into the hands of top-class cryptographic experts involved in developing super-spyware Flame.
Flame's developers signed their espionage tool using a faked Microsoft certificate, which they were able to generate using an MD5 collision attack.
Microsoft uses the MD5 hash algorithm, which has long been considered non-secure. Microsoft's
http://www.h-online.com/security/news/item/Windows-Update-compromised-1612246.html
Windows Update compromised
The developers of the Flame superspy managed something that had previously only been imagined by experienced security experts in their sketches of catastrophe scenarios: using the integrated Windows Update to infect Windows systems.
http://www.h-online.com/security/news/item/Flame-alleged-to-have-infected-systems-via-Windows-Update-1604962.html
According to Raiu, a Flame module called Gadget possesses man-in-the-middle functionality which enabled it to pass crafted update packages to other computers on the same network. One specific package was called WuSetupV.exe and was signed with a certificate issued by the "Microsoft Enforced Licensing Registration Authority CA", a sub-CA of Microsoft's root authority.
Flame's operators used a number of fake identities to register their domains. According to Kaspersky, server locations included Germany, the Netherlands, the UK, Switzerland, Hong Kong and Turkey. Most victims were running 32-bit editions of Windows 7, with a sizeable 45 per cent running XP. Flame does not work on the 64-bit edition of Windows 7.
https://www.securelist.com/en/blog?weblogid=208193540
Kaspersky Lab has been closely monitoring the C&C infrastructure of Flame. In collaboration with GoDaddy and OpenDNS, we succeeded in sinkholing most of the malicious domains used by Flame for C&C and gaining a unique perspective into the operation.
http://www.symantec.com/connect/blogs/w32flamer-microsoft-windows-update-man-middle
For example, if the computer is computerA.group.company.com, Internet Explorer will request wpad.dat from:
wpad.group.company.com
wpad.company.com
Typically, resolution of these domain names will go to the DNS server. However, if the DNS server does not have records registered, Internet Explorer will also use WINS or NetBIOS for name resolution.
NetBIOS name resolution allows computers to find each other on a local network in a peer-to-peer fashion without a central server. Each computer simply broadcasts its own name to identify itself. Obviously, this is not secure and this is how computers can spoof each other.
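The lookup order in the Symantec excerpt above (DNS devolution first, NetBIOS broadcast only when DNS has no record) as an added example written for this page; it is not Symantec's code and not anything from Flame. It assumes a toy model of one network segment with constructed TEST-NET addresses, and that devolution stops before the bare top-level domain, as the excerpt's own example shows. The same function is then used to show why the two usual mitigations work: registering a wpad record in DNS means the broadcast never happens, and disabling the NetBIOS fallback on the client leaves a rogue responder with nothing to answer.

```go
package main

import (
	"fmt"
	"strings"
)

// WPADCandidates returns the hostnames a client tries, in order, when
// auto-detecting a proxy from its own FQDN: the host label is dropped and the
// remaining domain is devolved one label at a time, stopping before the bare
// top-level domain (so "wpad.com" is never queried).
func WPADCandidates(fqdn string) []string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(fqdn), "."), ".")
	if len(labels) < 2 {
		return nil // a single-label name has no domain to devolve
	}
	domain := labels[1:] // drop the host's own label
	var out []string
	for len(domain) >= 2 {
		out = append(out, "wpad."+strings.Join(domain, "."))
		domain = domain[1:]
	}
	return out
}

// LAN is a constructed model of one network segment: the records the DNS
// server actually holds, and the address of whichever host answers a NetBIOS
// broadcast for a flat name first (on a real segment that can be any peer).
type LAN struct {
	DNS     map[string]string // FQDN -> address
	NetBIOS map[string]string // flat NetBIOS name -> address of first responder
}

// Resolution records which name resolved, to what, and through which mechanism.
type Resolution struct {
	Name, Addr, Via string
}

// ResolveWPAD models the client behaviour: every devolved DNS name is tried
// first, and only if none exists does the client fall back to a NetBIOS
// broadcast for the flat name WPAD. netbiosFallback=false models a host on
// which NetBIOS name resolution (or proxy auto-detection) has been disabled.
func ResolveWPAD(fqdn string, lan LAN, netbiosFallback bool) (Resolution, bool) {
	for _, name := range WPADCandidates(fqdn) {
		if addr, ok := lan.DNS[name]; ok {
			return Resolution{name, addr, "dns"}, true
		}
	}
	if netbiosFallback {
		if addr, ok := lan.NetBIOS["WPAD"]; ok {
			return Resolution{"WPAD", addr, "netbios"}, true
		}
	}
	return Resolution{}, false
}

func describe(r Resolution, ok bool) string {
	if !ok {
		return "no proxy configuration found"
	}
	return fmt.Sprintf("%s -> %s via %s", r.Name, r.Addr, r.Via)
}

func main() {
	const host = "computerA.group.company.com"
	fmt.Println("DNS names tried:", WPADCandidates(host))

	// Constructed scenario: no wpad record in DNS, and a rogue peer on the
	// segment that answers the NetBIOS broadcast for WPAD.
	rogue := LAN{
		DNS:     map[string]string{},
		NetBIOS: map[string]string{"WPAD": "192.0.2.66"},
	}
	fmt.Println("no DNS record, NetBIOS on: ", describe(ResolveWPAD(host, rogue, true)))

	// Mitigation 1: register wpad in DNS, so the fallback never happens.
	registered := LAN{
		DNS:     map[string]string{"wpad.company.com": "192.0.2.5"},
		NetBIOS: rogue.NetBIOS,
	}
	fmt.Println("wpad registered in DNS:   ", describe(ResolveWPAD(host, registered, true)))

	// Mitigation 2: disable the NetBIOS fallback on the client.
	fmt.Println("no DNS record, NetBIOS off:", describe(ResolveWPAD(host, rogue, false)))
}
```

The model deliberately keeps the rogue responder in place for the "registered" case: the point is that a DNS answer is taken before any broadcast goes out, so the attacker's presence on the segment stops mattering. Real Windows devolution is governed by a configurable devolution level, so the exact list of names tried on a given domain member can be shorter than this function produces.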
http://www.h-online.com/security/features/FAQ-Flame-the-super-spy-1587063.html
FAQ: Flame, the "super spy"
The spyware worm Flame is being billed as a "deadly cyber weapon"
What is actually special about Flame?
The spyware program seems to have been used for many years without being discovered, and until that happened, not a single anti-virus program recognised the malware.
http://rmhrisk.wpengine.com/?p=52
That’s right, every single enterprise user of Microsoft Terminal Services on the planet had a CA key and certificate that could issue as many code signing certificates as they wanted and for any name they wanted – yes, even the Microsoft name!
It doesn’t end there, though: the certificates were signed using RSAwithMD5; the problem is that MD5 has been known to be susceptible to collision attacks for a long time.
https://www.f-secure.com/weblog/archives/00002377.html
The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.
This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
Except it isn't really signed by Microsoft.
Turns out the attackers figured out a way to misuse a mechanism that Microsoft uses to create Terminal Services activation licenses for enterprise customers. Surprisingly, these keys could be used to also sign binaries.
Here's what the Certification Path of the certificate used to sign WUSETUPV.EXE looks like:
Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened.
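The chain problem described in the rmhrisk excerpt and the F-Secure excerpt above (a licensing sub-CA under a trusted root whose certificate was never restricted to licensing, so anything it issued with a Code Signing EKU validated as Microsoft-signed code), as an added example written for this page; it is not Microsoft's, F-Secure's or rmhrisk's code and does not reproduce the real certificates. It constructs a root, a sub-CA and a code-signing leaf with made-up names and ECDSA keys, then asks Go's verifier for a chain valid for code signing, once with an unconstrained sub-CA and once with a sub-CA whose EKU list omits Code Signing (ClientAuth stands in for a "licensing only" purpose, since the real licensing OID is not on the page). Go refuses to create MD5-signed certificates, so the MD5 check is a separate helper over the parsed signature algorithm rather than a forged chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier hierarchy: root -> sub-CA -> leaf.
type Chain struct {
	Root, SubCA, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain mints a root, a sub-CA carrying the given extended key usages
// (nil = no EKU extension at all, i.e. an unconstrained sub-CA), and a leaf
// that the sub-CA issued with the Code Signing EKU. All names are made up.
func BuildChain(subCAEKUs []x509.ExtKeyUsage) Chain {
	now := time.Now()
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string, ekus []x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			ExtKeyUsage:           ekus,
		}
	}
	rootTmpl := ca(1, "Example Root Authority (constructed)", nil)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	subTmpl := ca(2, "Example Licensing Registration Authority CA (constructed)", subCAEKUs)
	sub := issue(subTmpl, root, &subKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Example Corporation (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := issue(leafTmpl, sub, &leafKey.PublicKey, subKey)
	return Chain{Root: root, SubCA: sub, Leaf: leaf}
}

// VerifyForCodeSigning builds a path from leaf to root that is valid for the
// Code Signing purpose. Go applies the requested EKU to every certificate on
// the path: a sub-CA with no EKU extension permits anything, while a sub-CA
// whose EKU list omits Code Signing makes the chain fail (IncompatibleUsage).
func VerifyForCodeSigning(c Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.SubCA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// UsesMD5 reports whether any certificate in the chain was signed with
// MD5-with-RSA. A verifier should reject such chains outright: the EKU check
// above is no defence once a signature can be forged by collision.
func UsesMD5(certs ...*x509.Certificate) bool {
	for _, c := range certs {
		if c.SignatureAlgorithm == x509.MD5WithRSA {
			return true
		}
	}
	return false
}

func main() {
	open := BuildChain(nil)
	fmt.Println("unconstrained sub-CA, code-signing leaf accepted:", VerifyForCodeSigning(open) == nil)
	locked := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("EKU-constrained sub-CA, verifier says:", VerifyForCodeSigning(locked))
	fmt.Println("MD5 anywhere in the chain:", UsesMD5(open.Root, open.SubCA, open.Leaf))
}
```

The lesson for anyone operating a sub-CA for a narrow purpose is the second case: put an explicit EKU list on the sub-CA certificate so that a leaf it issues with Code Signing fails path validation even if the issuing key is misused. That constraint only helps against verifiers that enforce EKU along the whole path, and it is no substitute for dropping MD5 from the signature algorithm, which is the separate check in UsesMD5.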
https://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware
https://www.computerworld.com/s/article/9227860/Microsoft_s_reaction_to_Flame_shows_seriousness_of_Holy_Grail_hack
https://www.f-secure.com/weblog/archives/00002377.html
https://technet.microsoft.com/en-us/security/bulletin/ms12-jun
Microsoft Security Bulletin Advance Notification for June 2012