2. A WEAPON MADE OF CODE
• In 2010 Stuxnet grabbed headlines for being the first digital
weapon that targeted physical infrastructure
• The revolution did not stop there: in 2012 a new type of
malware was found attacking computers all around the world
• Known as “Flame”, this malware was vastly more complex than
either Stuxnet or Duqu
• Flame is NOT the successor to Stuxnet – Flame is built on an
entirely different platform
• However Flame has sections of code which are identical to an
early variant of Stuxnet
3. CYBER ESPIONAGE – STEALING INFO
• Flame is meant to steal vast quantities of information
• Information is stolen from an infected computer using a
variety of methods: browsing storage, logging keystrokes, turning
on the webcam and Bluetooth
• Flame supports multiple encryption and compression methods
to obscure the information it gathers
• All gathered information is sent to a remote C & C server if a
network connection is available
• Or Flame can infect a USB stick, spread to another computer
and use its network connection to transmit data
4. WHAT DO BEETLEJUICE, MICROBE AND BUNNY HAVE IN COMMON?
• All three – and many others – are examples of modules included
in Flame
• Flame has a wide range of functionalities and each function is
handled by a specific module
• Beetlejuice turns on the Bluetooth and Microbe turns on the
microphone for information gathering
• The Security module checks for the presence of security software
• The purpose of modules such as Bunny and Driller is
currently unknown
• Flame installs its modules on an infected computer, unlike
Duqu which downloads them as needed
5. CYBER ESPIONAGE – NOT GETTING CAUGHT
• As mentioned before Flame checks for any security software
installed, using an extensive list of over 300 entries
• The malware can even modify itself depending on what kind
of security product is installed, such as its extension type
• Flame injects code into running processes like other malware,
but does so in a way that cannot be found using a conventional
memory scan
• Flame is engineered to cause minimal disruption – creates
mutexes to keep only one instance of itself running
6. THE SPREAD OF FLAMES
• Flame has multiple means for spreading itself to other
computers
• The malware can infect a USB stick; when the USB stick is
plugged into another computer, Flame will infect the new
device
• A more ingenious method is to disguise itself as an installer for
Windows Update
• Man-in-the-Middle Attack: when nearby devices attempt to
download updates, they are in fact connecting to the infected
computer and downloading malware
7. [Diagram: two Computers and a Windows Server, with the Infected Computer in between]
• The computer infected with Flame is disguised as a proxy for
Windows Update
• Other devices connect to the infected computer, believing it to be a
legitimate proxy for Windows
• But in actuality they are downloading and installing Flame, not
actual updates
• For this to work Flame must appear as if it were created by
Microsoft; this requires a fake certificate and signature
8. [Diagram: Microsoft Activation Server, Licensing Server, Client; Public Key and Private Key]
• When a licensing server is activated, it may obtain a certificate from
Microsoft in an automated process
• The licensing server generates a public and private key pair, then
sends an activation request to the activation server along with the
public key
• The activation server responds with a certificate for the public key,
signed by a Microsoft issuing authority
• Since the private key matches the public key (as well as the
certificate), the private key can now be used to sign licenses
9. PROBLEMS?
• Process is automated – no verification of the person who is
actually requesting the certificate
• No identifying information on the certificate, only the licensing
server name
• No restrictions on how the certificate may be used – meant to
be used to sign licenses, but the private key may also be used to
sign code (such as Flame)
• Essentially this allows anyone with a licensing server to obtain
their own certificate and sign code as if it were made by
Microsoft
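The third bullet is the one a verifier can defend against: a certificate's Extended Key Usage (EKU) is what tells a signature checker what the key may be used for, and a certificate with no EKU at all is treated as good for any purpose. The following Go example is added here and is not from the presentation; it uses Go's standard crypto/x509 verifier with a constructed issuing CA, constructed licensing-server names and freshly generated keys (no real Microsoft certificates), and shows that an unrestricted certificate passes a code-signing check while one restricted to another purpose is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts the demo on any issuing error instead of threading err through every call.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name signed by parent (a self-signed CA root when parent is nil).
// A nil ekus slice means NO usage restriction, which verifiers treat as "good for any purpose".
func issue(serial int64, name string, ekus []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // constructed demo key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: mark it as a CA that may sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// AcceptedForCodeSigning is the check a code-signature verifier must apply: the chain must
// reach a trusted root AND every certificate in it must permit code signing.
func AcceptedForCodeSigning(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// Demo issues an unrestricted licensing certificate (the situation on the slides) and one
// limited to server authentication, and reports whether each is accepted for signing code.
func Demo() (unrestrictedOK, restrictedOK bool) {
	root, rootKey := issue(1, "Constructed Issuing CA", nil, nil, nil)
	unrestricted, _ := issue(2, "licensing-server-1", nil, root, rootKey)
	restricted, _ := issue(3, "licensing-server-2", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root, rootKey)
	return AcceptedForCodeSigning(unrestricted, root), AcceptedForCodeSigning(restricted, root)
}
```

The first result is true and the second false: issuing licensing certificates with an explicit, non-code-signing EKU is the restriction the slide says was missing.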
10. ZERO DAY: CREATING FAKE YET VALID CERTIFICATES
• Certificates signed by Microsoft in this way have a Hydra
Extension
• The Hydra Extension prevents certificates from being validated
on Vista and Windows 7
• The attackers wanted Flame to validate on all versions of
Windows; hence they needed to make their own fake
certificate that would not have the Hydra extension
• In order for this fake certificate to validate as being
legitimately signed by Microsoft, it would need the same hash
value as an authentic certificate
11. MD5 HASH COLLISION ATTACK
• MD5 refers to the algorithm used to generate hash values –
input a file into the algorithm and it will generate a hash value
to identify the file
• Ideally there is no overlap of hash values and each unique
file will have its own hash value
• A hash collision attack creates two different files that when
placed into the algorithm, will generate the same hash value
being assigned to both files
• This is done by adding specially computed blocks to both files
until their hash values match, or “collide” with each other
12. HASH COLLISION IN FLAME
• The attackers used a hash collision attack to create a fake
certificate that would match the hash value of an authentic
certificate, signed by Microsoft
• This fake certificate would not have the Hydra extension and
can be used on all versions of Windows
• But how would the attackers know the exact hash value of the
authentic certificate, before Microsoft had even issued it?
• Answer is they do not: the attackers would have to predict the
hash value of the signed certificate along with all the other
information on it
13. [Diagram: First Certificate and Second Certificate]
• Attackers would begin by using hash collision to create two
certificates with matching hash values
• The public key for the second certificate would be sent to the
activation server, as a normal activation request
• Activation server would respond by recreating the certificate that
the attackers predicted would be made
• When successful, the result is a fake certificate that matches the
hash value of an authentic certificate
[Diagram labels: Fake Certificate, Authentic Certificate, Flame, Activation Server]
14. THE RESULT
• The attackers would have a fake certificate that matches the
hash value of an authentic certificate
• The content of the fake certificate would be different – it has
no Hydra extension and the device name is “MS” to spoof
Microsoft
• But digital signatures depend on hash value: since the hash
values of the fake and authentic certificate are identical, the
fake certificate can now be used to sign code
• Thus the fake certificate was used to sign Flame, allowing it to
validate as Windows Update on all versions of Windows