U.S. Gov Hackers using MITM MD5 weakness t...
raccoon
08 Jun 2012
http://arstechnica.c...o-breakthrough/
Quote
Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.
ViroMan
08 Jun 2012
Yes, I have been reading about this. This is indeed interesting. Although Microsoft is aware of it and has revoked the certificates that flame is known to use.
Edited by ViroMan, 08 June 2012 - 10:14 PM.
Edited by ViroMan, 08 June 2012 - 10:14 PM.
raccoon
08 Jun 2012
Isn't the certificate built into Windows? What does revoking it do for the physical install?
ViroMan
08 Jun 2012
The certificates get update periodically. The physical install is vulnerable to this attack unless the update has been streamed into the cd. If I was the flames creator I would quickly put out an update that blocks this update from being listed.
raccoon
09 Jun 2012
Well, since they already poisoned the DNS for Microsoft Update, the updates offered are selective to the attacker's will.
ViroMan
09 Jun 2012
supposedly the DNS isn't poisoned its any local computer that might be between you and Microsoft update(including your ISP's computers). From what I read here is the life cycle...
a computer in a network gets infected somehow.
Said computer sets itself up as a master update server for Microsoft updates in the local network.
Said computer listens to network traffic for calls that it recognizes as traffic belonging to the update process.
It then responds to them instead of letting the traffic leave the network.
It is now the middle man between Microsoft and uninfected computers.
Rape of your computers ensues.
a computer in a network gets infected somehow.
Said computer sets itself up as a master update server for Microsoft updates in the local network.
Said computer listens to network traffic for calls that it recognizes as traffic belonging to the update process.
It then responds to them instead of letting the traffic leave the network.
It is now the middle man between Microsoft and uninfected computers.
Rape of your computers ensues.
ViroMan
09 Jun 2012
Well there are multi-hash file schemes out there. Torrents use this scheme. Each file is assigned a main hash and multiple mini hashes for segments of that file from 4k to MB's. If you fool the mini hash you won't fool the main hash as easy.(it can still be done I hear.) Although really that takes quite some computing to do doesn't it?
We could always switch fairly easy(programming wise anyways, it would take days to go through the scripts and get new values for each download) to something else should we loose complete faith in MD5's abilities.
Edited by ViroMan, 09 June 2012 - 06:59 AM.
We could always switch fairly easy(programming wise anyways, it would take days to go through the scripts and get new values for each download) to something else should we loose complete faith in MD5's abilities.
Edited by ViroMan, 09 June 2012 - 06:59 AM.
raccoon
11 Jun 2012
Considering how rampant the Flame virus is spreading, I just figured sooner than later. This is a targeted exploit directly in our crosshairs as a project. Even a marketable safeguard if we switched.
ViroMan
11 Jun 2012
Well using this project completely circumvents this malware already. So it is a nice + to use us. 
