10:21:00 AM
Unknown
Like archaeologists on a dig, security researchers continue to
unearth some interesting — some terrifying — facts about Flame, the
virus aimed at computers in the Middle East.
For one, Flame did what security professionals have nightmares about malware doing: mimicking Microsoft’s Windows update mechanism and spreading through it.
“Having a Microsoft code-signing certificate is the Holy Grail of malware writers. This has now happened,” Mikko Hypponen, chief research officer at F-Secure, the antivirus company in Helsinki, wrote in a blog post Monday.
Parts of the malware were digitally signed with a valid Microsoft digital certificate, which makes it appear as if it is a harmless software update from Microsoft. What makes that so frightening, researchers say, is that some 900 million Windows computers get their updates from Microsoft Update.
To prevent Flame’s operators or future copycats from spoofing its certificates, Microsoft released an emergency security advisory, and patch, on Monday. But even without the patch, the company noted that the virus was so focused in its scope — it was aimed at computers in the Middle East — that the chance of it spreading on a huge scale was unlikely.
Another reason people need not worry: The virus is no longer spreading. On May 28, the same day researchers announced they had discovered Flame, its command-and-control centers — which had been operating for at least the last four years — went dark.
Over the weekend, security researchers successfully intercepted contact between Flame’s operators and infected computers and redirected their communication to a “sinkhole” operated by Kaspersky Lab, GoDaddy and OpenDNS, in order to glean more information about the attackers’ methods and targets.
Since then, researchers have tied the virus back to more than 80 different command and control servers, all set up by fake aliases, dating as far back as 2008. The names used to register the domains all sound northern European. Among them: Karel Schmid, Werner Goetz, Mark Ploder and Ivan Blix.
Most domains were registered through GoDaddy, using fake addresses in Germany and Austria, many belonging to hotels, shops, organizations, doctor’s offices, or made-up addresses, according to researchers at Kaspersky Lab.
But the most intriguing discovery, so far, is that the virus did a remarkable job of hiding in plain sight. The virus is 20 megabytes in size — more than 20 times the size of most malware — but operated for at least four years, under little cover. Kaspersky Lab researchers noted that Flame’s operators cloaked the virus with basic encryption techniques.
That may say more about the limitations of antivirus industry than it does about attackers’ skills — a point at least one expert was willing to acknowledge.
“Flame was a failure for the antivirus industry,” Mr. Hypponen wrote in a blog post Monday. “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Source: nytimes.com
For one, Flame did what security professionals have nightmares about malware doing: mimicking Microsoft’s Windows update mechanism and spreading through it.
“Having a Microsoft code-signing certificate is the Holy Grail of malware writers. This has now happened,” Mikko Hypponen, chief research officer at F-Secure, the antivirus company in Helsinki, wrote in a blog post Monday.
Parts of the malware were digitally signed with a valid Microsoft digital certificate, which makes it appear as if it is a harmless software update from Microsoft. What makes that so frightening, researchers say, is that some 900 million Windows computers get their updates from Microsoft Update.
To prevent Flame’s operators or future copycats from spoofing its certificates, Microsoft released an emergency security advisory, and patch, on Monday. But even without the patch, the company noted that the virus was so focused in its scope — it was aimed at computers in the Middle East — that the chance of it spreading on a huge scale was unlikely.
Another reason people need not worry: The virus is no longer spreading. On May 28, the same day researchers announced they had discovered Flame, its command-and-control centers — which had been operating for at least the last four years — went dark.
Over the weekend, security researchers successfully intercepted contact between Flame’s operators and infected computers and redirected their communication to a “sinkhole” operated by Kaspersky Lab, GoDaddy and OpenDNS, in order to glean more information about the attackers’ methods and targets.
Since then, researchers have tied the virus back to more than 80 different command and control servers, all set up by fake aliases, dating as far back as 2008. The names used to register the domains all sound northern European. Among them: Karel Schmid, Werner Goetz, Mark Ploder and Ivan Blix.
Most domains were registered through GoDaddy, using fake addresses in Germany and Austria, many belonging to hotels, shops, organizations, doctor’s offices, or made-up addresses, according to researchers at Kaspersky Lab.
But the most intriguing discovery, so far, is that the virus did a remarkable job of hiding in plain sight. The virus is 20 megabytes in size — more than 20 times the size of most malware — but operated for at least four years, under little cover. Kaspersky Lab researchers noted that Flame’s operators cloaked the virus with basic encryption techniques.
That may say more about the limitations of antivirus industry than it does about attackers’ skills — a point at least one expert was willing to acknowledge.
“Flame was a failure for the antivirus industry,” Mr. Hypponen wrote in a blog post Monday. “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Source: nytimes.com
1 σχόλια:
The hackers think up new viruses and malware, and the companies deal with security develop new antivirus SW and improve digital certificate. It is clear it is not pleasant to catch malware from the SW of companies as Microsoft. This time it seems not to be so dangerous, but next time it may be different.
Post a Comment