

U.S. Gov Hackers using MITM MD5 weakness to Exploit Windows Update.

Government Hackers CIA NSA Flame Malware Windows Update MD5 Exploit Man In The Middle

9 replies to this topic

#1 raccoon

    Member

  • Members
  • PipPip
  • 17 posts

Posted 08 June 2012 - 06:53 PM

http://arstechnica.c...o-breakthrough/

Quote

Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.


#2 ViroMan

    Just an awesome guy.

  • Project Manager
  • PipPipPipPipPipPip
  • 1,160 posts
  • Gender:Male
  • Location:California, USA, Earth, SOL, Milkyway
  • Interests:Programming and being a know it all pest.

Posted 08 June 2012 - 10:14 PM

Yes, I have been reading about this. This is indeed interesting, although Microsoft is aware of it and has revoked the certificates that Flame is known to use.

Edited by ViroMan, 08 June 2012 - 10:14 PM.


#3 raccoon

Posted 08 June 2012 - 10:30 PM

Isn't the certificate built into Windows? What does revoking it do for the physical install?

#4 ViroMan

Posted 08 June 2012 - 10:48 PM

The certificates get updated periodically. The physical install is vulnerable to this attack unless the update has been streamed into the CD. If I were Flame's creator, I would quickly put out an update that blocks this update from being listed.

#5 raccoon

Posted 09 June 2012 - 04:02 AM

Well, since they already poisoned the DNS for Microsoft Update, the updates offered are selective to the attacker's will.

#6 ViroMan

Posted 09 June 2012 - 04:29 AM

Supposedly the DNS isn't poisoned; it's any local computer that might be between you and Microsoft Update (including your ISP's computers). From what I read, here is the life cycle...

A computer in a network gets infected somehow.
Said computer sets itself up as a master update server for Microsoft updates in the local network.
Said computer listens to network traffic for calls that it recognizes as traffic belonging to the update process.
It then responds to them instead of letting the traffic leave the network.
It is now the middle man between Microsoft and uninfected computers.
Rape of your computers ensues.
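The life cycle above comes down to one observable symptom on the victim side: the machine that answers Windows Update requests is suddenly a box on the local network rather than Microsoft. The following is an added example written for this thread, not code from the thread or from the Autopatcher project. It takes a list of (update URL, IP the client resolved it to) observations, which are constructed here, and flags any request whose host is not on an assumed allow-list of Microsoft update hosts, whose host resolved to a LAN, loopback or link-local address, or which was fetched over plain HTTP. The allow-list, the sample URLs and the addresses are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hosts a Windows Update client is expected to contact. This allow-list is an
# assumption made for the example, not taken from the thread or from Microsoft.
EXPECTED_UPDATE_HOSTS = (
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "windowsupdate.com",
)


def is_expected_host(host: str) -> bool:
    """True if host is one of the expected update hosts or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in EXPECTED_UPDATE_HOSTS)


def is_local_address(ip: str) -> bool:
    """True for loopback, link-local and RFC 1918 / ULA addresses, i.e. anything
    that means the 'update server' is a machine on the local network."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def check_update_endpoint(url: str, resolved_ip: str) -> List[str]:
    """Return findings for one observed update request (empty list = nothing odd)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"{url}: fetched over {parsed.scheme or 'unknown'}, not https")
    if not is_expected_host(host):
        findings.append(f"{url}: host {host!r} is not an expected update host")
    if is_local_address(resolved_ip):
        findings.append(f"{url}: host {host!r} resolved to local address {resolved_ip}")
    return findings


def scan(observations: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run the checks over (url, resolved_ip) pairs; keep only URLs with findings."""
    report = {}
    for url, ip in observations:
        findings = check_update_endpoint(url, ip)
        if findings:
            report[url] = findings
    return report


# Constructed sample observations: (url, ip the client resolved the host to).
# Paths and addresses are made up for the example.
SAMPLE_OBSERVATIONS = [
    ("https://update.microsoft.com/ClientWebService/client.asmx", "65.55.50.157"),
    ("http://update.microsoft.com/ClientWebService/client.asmx", "192.168.1.20"),
    ("https://wsus.corp.example/ClientWebService/client.asmx", "10.0.0.5"),
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_OBSERVATIONS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

The second sample observation is the pattern the post describes: the Microsoft hostname is still in the URL, but the answer came from a private address on the LAN. The third would also trip the check, which is the intended caveat: a site that runs its own WSUS server must add that server's name to the allow-list, because the check cannot tell a legitimate internal update server from an uninvited one by address alone.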

#7 raccoon

Posted 09 June 2012 - 06:19 AM

Time we switched Autopatcher to SHA-9000

#8 ViroMan

Posted 09 June 2012 - 06:56 AM

Well, there are multi-hash file schemes out there. Torrents use this scheme. Each file is assigned a main hash and multiple mini hashes for segments of that file, from 4k to MBs. If you fool the mini hash you won't fool the main hash as easily (it can still be done, I hear). Although really, that takes quite some computing to do, doesn't it?

We could always switch fairly easily (programming-wise anyway; it would take days to go through the scripts and get new values for each download) to something else, should we lose complete faith in MD5's abilities.

Edited by ViroMan, 09 June 2012 - 06:59 AM.
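The torrent-style scheme ViroMan describes, and the switch away from MD5 that both posters are circling, can be shown in one small manifest format. The following is an added example written for this thread, not code from the thread or from the Autopatcher project; the manifest layout, the function names and the 4k chunk size are assumptions made for the example. It records a whole-file SHA-256, the legacy whole-file MD5, and a SHA-256 per 4 KiB chunk, then verifies a file against all of them at once, reporting which chunks differ rather than stopping at the first failure.

```python
import hashlib
from typing import Dict, List

CHUNK_SIZE = 4096  # the "4k" segment size mentioned in the thread; any size works


def split_chunks(data: bytes, chunk_size: int) -> List[bytes]:
    """Cut data into fixed-size pieces; the last piece may be shorter."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def build_manifest(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict:
    """Manifest with one whole-file SHA-256, the legacy whole-file MD5 (kept so
    existing MD5 values can still be compared) and a SHA-256 per chunk."""
    return {
        "size": len(data),
        "chunk_size": chunk_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "chunks": [hashlib.sha256(c).hexdigest()
                   for c in split_chunks(data, chunk_size)],
    }


def verify(data: bytes, manifest: Dict) -> Dict:
    """Check data against a manifest. Every check is evaluated (no early exit)
    so the report says which chunks differ, not just that something differs."""
    chunks = split_chunks(data, manifest["chunk_size"])
    expected = manifest["chunks"]
    common = min(len(chunks), len(expected))
    bad_chunks = [i for i in range(common)
                  if hashlib.sha256(chunks[i]).hexdigest() != expected[i]]
    # Chunks present on only one side mean the file was truncated or padded.
    bad_chunks += list(range(common, max(len(chunks), len(expected))))
    result = {
        "size_ok": len(data) == manifest["size"],
        "sha256_ok": hashlib.sha256(data).hexdigest() == manifest["sha256"],
        "md5_ok": hashlib.md5(data).hexdigest() == manifest["md5"],
        "bad_chunks": bad_chunks,
    }
    # Requiring every hash means a forged file would have to collide under
    # each function at once; the per-chunk hashes then localize any change.
    result["ok"] = (result["size_ok"] and result["sha256_ok"]
                    and result["md5_ok"] and not bad_chunks)
    return result


if __name__ == "__main__":
    # Constructed sample payload: 10240 bytes, so three chunks (4096, 4096, 2048).
    original = bytes(range(256)) * 40
    manifest = build_manifest(original)
    print("untouched:", verify(original, manifest))

    tampered = bytearray(original)
    tampered[5000] ^= 0xFF          # one byte changed inside chunk 1
    print("tampered: ", verify(bytes(tampered), manifest))

    print("truncated:", verify(original[:4096], manifest))
```

The reason this helps is not that two hashes are "twice as strong": it is that a pair of files crafted to collide under MD5 will not, except with negligible probability, also collide under SHA-256, so the manifest as a whole is only as weak as its strongest hash. The chunk hashes add the torrent property ViroMan describes: a mismatch is reported by chunk index, so a partially corrupted or partially replaced download can be identified and re-fetched piece by piece instead of discarded whole.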


#9 raccoon

Posted 11 June 2012 - 01:38 AM

Considering how rampantly the Flame virus is spreading, I just figured sooner rather than later. This is a targeted exploit directly in our crosshairs as a project. Even a marketable safeguard if we switched.

#10 ViroMan

Posted 11 June 2012 - 02:42 AM

Well, using this project completely circumvents this malware already. So it is a nice plus to use us. :)




