Flame fools Windows Update to infect other PCs
Microsoft yesterday released a patch to fix the vulnerabilities exploited by the Flame malware, highly capable spyware discovered last week by Kaspersky. It is believed that Flame was developed by a government, probably the United States, to spy on representatives of other countries.
Now Kaspersky has discovered that Flame is more sophisticated than expected: it has three modules, called Snack, Munch and Gadget, that "hijack" Windows Update to spread the virus in an interesting man-in-the-middle attack.
"When a user updates through Windows Update, the request is intercepted and a false update is sent. This update proceeds to download the main body and infect the computer," said Alexander Gostev, head of research and analysis at Kaspersky Lab. When a machine tries to update, the virus redirects the request to a fake server, allowing the whole virus to be downloaded as if it were an update.
The Snack module makes the traffic within a local network first pass through an infected computer so it can monitor what is being done. There, the Munch component, a web server, receives the redirected traffic and inspects the requests the PCs are making, checking among other things for URLs that point to Windows Update, which it redirects to the malicious download.
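The behaviour just described leaves a footprint in ordinary network logs: a Windows Update request that is answered by a peer on the local network instead of a Microsoft server, or that is redirected to a non-Microsoft download location. The script below is an added example, not code from this article, Kaspersky or Symantec, that looks for exactly those two indicators in a constructed proxy log. The log format, the sample lines and the IP addresses are constructed for the example, and the list of Windows Update hostnames is a representative subset, not Microsoft's complete list.

```python
import ipaddress
from urllib.parse import urlparse

# Hostnames the Windows Update client legitimately contacts. Assumption: a
# representative subset for this example, not Microsoft's complete list.
WINDOWS_UPDATE_HOSTS = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
)

# Constructed sample proxy log (not real traffic). Fields:
# timestamp client_ip server_ip method url status redirect_location
SAMPLE_LOG = """\
2012-06-04T10:01:02Z 10.0.0.15 65.55.50.157 GET http://www.update.microsoft.com/windowsupdate/v6/default.aspx 200 -
2012-06-04T10:01:05Z 10.0.0.15 10.0.0.23 GET http://download.windowsupdate.com/msdownload/update/sample.cab 302 http://10.0.0.23/update.cab
2012-06-04T10:01:07Z 10.0.0.16 93.184.216.34 GET http://www.example.com/index.html 200 -
2012-06-04T10:02:11Z 10.0.0.17 10.0.0.23 GET http://windowsupdate.microsoft.com/v9/windowsupdate/redir/sample.cab 200 -
"""


def is_windows_update_host(host):
    """True if host is, or is a subdomain of, a known Windows Update hostname."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in WINDOWS_UPDATE_HOSTS)


def parse_line(line):
    """Split one constructed log line into its seven fields."""
    ts, client, server, method, url, status, location = line.split(maxsplit=6)
    return {
        "time": ts, "client": client, "server": server, "method": method,
        "url": url, "status": int(status),
        "location": None if location == "-" else location,
    }


def find_hijack_indicators(log_text):
    """Return one finding per Windows Update request that shows the pattern the
    article describes: the request answered by a host on the local network
    (Snack/Munch) or redirected to a non-Microsoft download location."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if not is_windows_update_host(urlparse(rec["url"]).hostname):
            continue  # only Windows Update traffic is of interest here
        reasons = []
        # A Windows Update hostname resolving to an RFC 1918 address means a
        # machine on the LAN is answering for Microsoft.
        if ipaddress.ip_address(rec["server"]).is_private:
            reasons.append("served_from_local_host")
        # A 3xx pointing away from Microsoft is the "fake update" handoff.
        if 300 <= rec["status"] < 400 and rec["location"]:
            if not is_windows_update_host(urlparse(rec["location"]).hostname):
                reasons.append("redirect_off_microsoft")
        if reasons:
            findings.append({"client": rec["client"], "server": rec["server"],
                             "url": rec["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hijack_indicators(SAMPLE_LOG):
        print(f["client"], "->", f["server"], f["reasons"], f["url"])
```

In a real environment the "served from a local host" rule needs an allowlist: an explicit corporate proxy or a WSUS server will legitimately sit between clients and Microsoft, so record their addresses and exclude them before treating a private server address as an indicator. The redirect rule is the more robust of the two, since a genuine Windows Update flow never hands clients off to an unrelated hostname or bare IP address.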
"Hijacking Windows Update is not trivial because updates must be signed by Microsoft. However, Flame skips this restriction using a certificate chained to the Microsoft Root Authority to falsely certify code," Symantec said. The Gadget module is responsible for certifying the false code, making it look official and effectively fooling the system.
Recall that the full Flame weighs in at about 20 MB, making it a very heavy piece of malware.
Microsoft said it will work to strengthen Windows Update, although there is no quick fix for this problem. Additionally, yesterday's patch blocked three fraudulent certificates that Flame was using to validate its code as if it were Microsoft's own. Those already infected may not have many options, but for everyone else it is worth applying this patch.
– ‘Gadget’ in the middle: Flame malware spreading vector identified (Kaspersky Lab)
– W32.Flamer: Leveraging Microsoft Digital Certificates (Symantec)