Spyware, Viruses, & Security forum


NEWS - June 04, 2012

Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"

Published: 2012-06-04
Last Updated: 2012-06-04 13:11:12 UTC
by Johannes Ullrich (Version: 2)

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that "unauthorized digital certificates derived from a Microsoft Certificate Authority" were used to sign components of the "Flame" malware.

The update revokes a total of 3 intermediate certificate authorities:

• Microsoft Enforced Licensing Intermediate PCA (2 certificates)
• Microsoft Enforced Licensing Registration Authority CA (SHA1)

It is not clear from the bulletin who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a severe break in the trust chain. The use of a "real" Microsoft certificate is surely going to increase the speculations as to the origin of Flame.


Also See: Microsoft Security Advisory (2718704)

'Flame' Malware Prompts Microsoft Patch
Flame Malware Uses Forged Microsoft Certificate to Validate Components
Flame worm was signed by forged Microsoft certificate
Collapse -
Study: Password Security Improves with Age

In reply to: NEWS - June 04, 2012

Baby Boomers may not be perceived as tech savvy as Millennials, but they apparently are better at protecting their digital assets. A new British study believed to be the largest of its kind shows those 55 and older tend to pick passwords with twice the strength of those under 25. It also indicates those who prefer to use German and Korean languages chose the strongest passwords; Indonesian speakers, the weakest.

But that's still not saying much since weak passwords were prevalent across every demographic from a data set that included 70 million anonymized Yahoo accounts analyzed with the Internet giant's permission.

"We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution," wrote computer science researcher Joseph Bonneau of the University of Cambridge in an abstract. (pdf)

Many research projects measure password security by the sophistication of dictionary attacks involved in data breaches. Bonneau's study involved mathematical analytics on active accounts. Because the Yahoo passwords were hashed, Bonneau could not access individual accounts but did cull useful demographic data.

Continued : http://threatpost.com/en_us/blogs/when-it-comes-password-security-age-matters-060112

Over-55s pick passwords twice as secure as teenagers'
Over-55s pick stronger passwords than youngsters
University of Cambridge Study Indicates Grandpa is a Better Password Picker

Malicious PowerPoint File Contains Exploit, Drops Backdoor

In reply to: NEWS - June 04, 2012

From TrendLabs Malware Blog:

We discovered a malicious MS PowerPoint document that arrives via an attached file attached to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users' systems. [Screenshot]

Users who open the malicious .PPT file trigger the shellcode within the Flash file that exploits CVE-2011-0611, and then drops "Winword.tmp" in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file "Powerpoint.pps", tricking users into thinking that the malicious file is just your average presentation file. Based on our analysis, "Winword.tmp" is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware, leaving infected systems susceptible to other, more menacing threats such as data stealing malware.

Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.EVL and the dropped backdoor file as BKDR_SIMBOT.EVL. Reports, as well as our own analysis, confirmed that this kind of malware has been used for targeted attacks in the past.

Continued : http://blog.trendmicro.com/malicious-powerpoint-file-contains-exploit-drops-backdoor/

Android's Bouncer malware protection is asleep at the job,

In reply to: NEWS - June 04, 2012

researchers say

In response to a slew of malware-infected apps on the Android Market, Google introduced Bouncer as a security mechanism to keep naughty apps at bay. But according to research from two security experts, Bouncer can easily be tricked to allow malicious apps onto Google Play (formerly the Android Market).

Jon Oberheide, a security expert and CTO at Duo Security, will be presenting his findings alongside security researcher Charlie Miller at the SummerCon conference later this week. The pair have released a teaser video (below) showing one method for bypassing Bouncer.

"This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment," Oberheide wrote in a blog post this morning. "While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we're confident that Google will continue to improve and evolve its capabilities. We've been in touch with the Android security team and will be working with them to address some of the problems we've discovered."

Continued : http://venturebeat.com/2012/06/04/android-bouncer-hack/

To Hide Android Malware From Google's 'Bouncer', Hackers Learn Its Name, Friends, And Habits
Researchers Find Methods for Bypassing Google's Bouncer Android Security
Collapse -
The Vienna Connection? Trying To Stamp Out Flame, Researcher

In reply to: NEWS - June 04, 2012

The Vienna Connection? Trying To Stamp Out Flame, Researchers Find Clues To Its Origins

Researchers at Kaspersky Lab, domain registrar GoDaddy and OpenDNS have taken steps to cut off Internet access for machines infected with the Flame worm. In the process, the researchers say they uncovered a large and complex command and control infrastructure of more than 80 Web domains and collected clues that put the origins of Flame as early as 2008.

Evidence collected from a close analysis of the mysterious malware suggests that Flame is more than three years old and has relied on a huge network of more than 80 command and control Web domains to continue receiving orders from those behind the cyber espionage toolkit, according to posts on Kaspersky Lab's research blog, Securelist, and OpenDNS.com.

The analysis pointed out significant differences between Flame and earlier, APT-style threats like Stuxnet and Duqu, Kaspersky analyst Aleks Gostev wrote on Monday. For example, while Duqu's authors took extraordinary steps to conceal the source of its central command and control server and scripts, Flame's authors were far less careful: dropping control scripts on the dozens of command and control servers that the malware was programmed to consult.

Continued : http://threatpost.com/en_us/blogs/vienna-connection-trying-stamp-out-flame-researchers-find-clues-its-origins-060412

Aleks Gostev @ Securelist : The Roof Is on Fire: Tackling Flame's C&C Servers

Related: Iran-targeting Flame malware used huge network to steal blueprints
Collapse -
'Gadget' in the middle: Flame malware spreading vector..

In reply to: NEWS - June 04, 2012

.. identified

From the Kaspersky Lab Weblog:

In our FAQ on Flame posted on May 28, 2012, we postulated there might be a still undiscovered zero-day vulnerability in Flame:

"At the moment, we haven't seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day."

Our suspicion was heightened because fully patched Windows 7 machines were being infected over the network in a very suspicious manner.

We can now confirm this is the main purpose of a special module of Flame called "Gadget" together with another module called "Munch".

(NOTE: It's important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities. The "Gadget" module is simply used to spread within a network from a machine that is already infected with the malware).

The "Gadget" and "Munch" modules implement an interesting man-in-the-middle attack against other computers in a network.

When a machine tries to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client.

The fake update claims to be the following:

"update description="Allows you to display gadgets on your desktop."
displayName="Desktop Gadget Platform" name="WindowsGadgetPlatform">

In the process of infecting a client, 8 CAB files are used. One of them contains a specifically built program called WuSetupV.exe: [Screenshot]

Continued : https://www.securelist.com/en/blog/208193558/Gadget_in_the_middle_Flame_malware_spreading_vector_identified

Related: Flame abused Windows Update to spread
Collapse -
The Pros and Cons of Letting the Kids Join Facebook

In reply to: NEWS - June 04, 2012

Following its $16 billion infusion from its recent IPO, the world's largest social network is reportedly developing a technology that would allow children to access Facebook under parental supervision.

A Facebook spokesperson neither confirmed nor denied that they are developing such technologies, saying in an email that the company had nothing to announce. The original report came from the Wall Street Journal.

It is important to note that Facebook currently has a policy that bars children under 13 from creating an account, though it is widely understood that such a rule is incredibly difficult to enforce.

The move would open a vast, long-term, and impressionable market for the newly public company. Investors will no doubt welcome the idea as Facebook struggles with its tempestuous post IPO period; however, privacy and children's advocates are obviously concerned.

Common Sense Media's CEO James Meyer released the following statement today, saying the move could have serious consequences for younger users.

Continued : http://threatpost.com/en_us/blogs/pros-and-cons-letting-kids-join-facebook-060412

Flame Hijacks Microsoft Update to Spread Malware Disguised..

In reply to: NEWS - June 04, 2012

.. As Legit Code - (Related to first post in this thread)

[Screenshot: Flame Rogue Certificate]

It's a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.

And that's exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.

According to Microsoft, which has been analyzing Flame, along with numerous antivirus researchers since it was publicly exposed last Monday, researchers there discovered that a component of Flame was designed to spread from one infected computer to other machines on the same network. When uninfected computers update themselves, Flame intercepts the request to Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Microsoft Security Response Center Senior Director Mike Reavey wrote in a blog post published Sunday.

Continued: http://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/
Collapse -
Win8's AV will kick in after other solutions stop working

In reply to: NEWS - June 04, 2012

Last week, McAfee shared the findings of a year-long project that revealed that some 17 percent of all the tested PCs around the globe had either no AV software installed or they have and it's not active, making its users vulnerable to malware.

This week, Gary Davis, director of global consumer product marketing for McAfee, has revealed that Windows 8 will have built-in antivirus protection in the guise of "Windows Defender", which will activate itself if it doesn't detect another active AV solution.

Windows Defender has already been announced by Microsoft in September, and has been seen in action during the various previews of the upcoming version of the popular operating system.

Still, the company will allow third-party vendors to stake their claim to the machines installed with it first. According to Computerworld, this decision stems from Microsoft's wish to keep a good relationship with original equipment manufacturers.

OEMs usually preinstall their machines with trial AV solutions of this or that third-party vendor, and get a cut from each sale of a full version once (and if) the user decides to upgrade.

So, Windows Defender will only be activated if there is no other AV working on the machine. And if such a software has stopped receiving updates, for the next 15 days Windows will be popping up a window asking the user to update or upgrade that particular solution, and offering the option of Windows Defender - but also other software choices - for download from the Microsoft Store.

Continued: http://www.net-security.org/secworld.php?id=13034

Also: Windows 8's built-in antivirus will put third-party products first

Hacker group hits Warner Bros and China Telecom

In reply to: NEWS - June 04, 2012

A group calling itself SwaggSec is claiming to have hacked the networks of Warner Bros and China Telecom, and has released documents and logins online.

In a statement on Pastebin, the group says that both companies had severe vulnerabilities.

"China Telecom's SQL server had an extremely low processing capacity, and with us being impatient, after about a month straight of downloading, we stopped. However, a few times we accidentally DDoS'd their SQL server. I guess they thought nothing of it, until we left them a little message signed by SwaggSec," it says.

"They realized they were hacked, and simply moved their SQL server. No changing of admin passwords, or alerting the media. At any moment, we could have and still could destroy their communication infrastructure leaving millions without communication."

SwaggSec has also released the details of what it claims are over 900 admin users for China Telecom. It's published the login for this, and is encouraging people to access and tamper with its data.

Continued : http://www.tgdaily.com/security-features/63800-hacker-group-hits-warner-bros-and-china-telecom

'SwaggSec' claims hack of China Telecom, Warner Bros.
Swagg Security Leaks Data from China Telecom and Warner Bros
