June 05, 2012, 2:04 PM — Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft's Windows Update mechanism.
Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?
Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company's Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates "signed" by Microsoft.
Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.
"Hijacking Windows Update is not trivial because updates must be signed by Microsoft," noted Symantec on Monday in one of a series of blog posts its researchers have written about Flame.
One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame's development and attacks.
Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure's chief research officer and the first to announce that Flame was abusing Windows Update, called the feat "the Holy Grail of malware writers" and "the nightmare scenario" for antivirus researchers.
But as both Symantec and Kaspersky pointed out, Flame doesn't actually compromise Windows Update. It doesn't somehow infiltrate Microsoft's service -- and servers -- to force-feed malicious files to unsuspecting users.
Instead, a Flame-infected Windows PC can, in some situations, make other machines on a network believe it's Windows Update.
A PC compromised by Flame can sniff a networks' NetBIOS information, which identifies each computer, then use that to intercept Windows Updates requests by Internet Explorer (IE). Flame claims to be the WPAD (Web Proxy Auto-Discovery Protocol) server -- a system that provides proxy settings to copies of IE on the network -- and sends a malicious WPAD configuration file to the requesting PC.
As Symantec noted, WPAD hijacking is not new and is, in fact, part of many hacker toolkits.
The rogue WPAD configuration file modifies the victimized machine's proxy settings so that all Web traffic is routed through the Flame-infected system. On that PC, Flame's Web server, dubbed "Munch" kicks in, detects when the requested URL matches Windows Update's and in return sends a downloader disguised as a legitimate update from Microsoft.