Flame abused Windows Update to spread

You have probably already heard that Microsoft released an out-of-band update that revokes three rogue certificates that were used to sign a couple of modules of the recently discovered Flame (SkyWiper) toolkit.

What you might still not have heard is how some of the malware’s modules – namely ones called “Gadget” and “Munch” – were responsible for spreading Flame to other machines in the same network as an already infected one.

Initially, Kaspersky Lab experts thought computers were infected via an unknown 0-day vulnerability, as fully patched Windows 7 machines were being infected over the network in a very suspicious manner.

But then they discovered that the aforementioned two modules implemented a MITM attack against other computers in their own network.

“When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client,” the researchers shared.

This fake update contained a number of files, and among them was WuSetupV.exe, signed by one of the rogue Microsoft certificates, which allowed it to be run without warning or interference, and drop Flame into the targeted machine.

“The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to ‘Auto’,” the Kaspersky Lab researchers pointed out.

So, while the existence of a 0-day flaw that is misused to infect the initial machine is almost certain, it’s also certain that Flame possesses other abilities for propagating.

“Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened,” F-Secure’s Chief Research Officer Mikko Hypponen commented.

“I guess the good news is that this wasn’t done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.”

Don't miss