Flame was one of the most complex cyber threats ever discovered. It used sophisticated techniques like man-in-the-middle attacks and intercepting Windows Update to infect systems. The attackers were able to forge digital certificates due to a weakness in the MD5 hash function, allowing them to disguise malware as legitimate Microsoft software updates. This presentation discusses Flame's technical capabilities and the challenges it posed for security professionals working to understand and mitigate the threat.

1. Session ID:
Session Classification:
Mike Reavey
Microsoft Security Response Center
HTA-R31
Advanced
Elia Florio
Microsoft Security Response Center

2. FLAME: GOALS OFTHISTALK
Understand
Flame Infection
See the complexity of
attacks facing customers
Discuss how applies
to your environment
Demonstrate high-stake
IR decisions

3. “Flame can easily be described as one of the
most complex threats ever discovered. It’s big and
incredibly sophisticated,” said Alexander Gostev,
Kaspersky Lab’s head of global research and
analysis in a blog post. “It pretty much redefines
the notion of cyberwar and cyberespionage.”

4. FLAME: A COMPLEX ATTACK
Get in the Middle of Network Traffic
Make it work on all OSs (MD5)Pass a code sign check (TS)
Intercept a WU Client Update

5. NBNS DNS
ARP
WINS
(MS09-008)Man-in-the-Middle
NETWORK MAN INTHE MIDDLE

6. NetBIOS/WINS
(WPAD.DAT)
MAN-IN-THE-MIDDLE (WPAD)

7. INTERCEPTWINDOWS UPDATE
How the
Windows
Update Client
Updates Itself
changes to WU
self-update files
Intercept a WU
Client Update

8. WU SELF-UPDATE
Wuredir.cab Wuident.cab Wusetup.cab wsus3setup.cab
WuSetup
Handler.cab
Software Updates (Content)WU Self-Updates

9. Wuredir.cab Wuident.cab Wusetup.cab wsus3setup.cab
WuSetup
Handler.cab
WU Self-Updates
Wuident.cab Wusetup.cab wsus3setup.cab
WuSetup
Handler.cab

10. MITM ON CORPORATE NETWORK
Wuredir.cab Wuident.cab Wusetup.cab wsus3setup.cab
WuSetup
Handler.cabWuident.cab Wusetup.cab wsus3setup.cab
WuSetup
Handler.cab
Windows Update
Corporate Network

11. Certificates belong to Terminal
Server Licensing Manager
Validly chain back to
Microsoft Root Authority
Signed by
Unauthorized Certificates
LOOKING ATTHE SIGNATURES

12. CERTIFICATE HIERARCHY
MICROSOFT CONFIDENTIAL
Terminal
Server
Licensing
Hierarchy
Windows
Signing
Hierarchy
Microsoft Root Authority
Microsoft Windows Verification
PCA
Microsoft Windows
Microsoft Enforced Licensing
Intermediate PCA
Microsoft Enforced Licensing
Registration Authority CA
Microsoft LSRA PA
Signed Binaries
CAB, DLL, etc.
MS
Malware

13. CERTIFICATE HIERARCHY
Microsoft Windows Verification
PCA
Microsoft Windows
Signed Binaries
CAB, DLL, etc.
MICROSOFT CONFIDENTIAL
Windows
Signing
Hierarchy
Valid for
code signing
Issued certificates
to customers
using MD5RSA
Corpnet
Environment
Microsoft Root Authority
Microsoft Enforced Licensing
Intermediate PCA
Microsoft Enforced Licensing
Registration Authority CA
Microsoft LSRA PA
MS
Malware

14. TERMINAL SERVICE LICENSING
Certificate as-is would not work on
Windows Vista and later due to an
Critical extensions are required for X509 validation.
If a crypto implementation does not understand an
extension marked critical, it should fail the validation.
Windows XP: allowed unknown critical extensions
Windows Vista and later: failed unknown critical extensions
MICROSOFT CONFIDENTIAL
Remove the critical Microsoft Hydra Extension Options
• Disable the critical bit
• Remove only the Microsoft Hydra Extension
• Remove all extensions
Forged certificate required for all options
• Use of MD5 hash function made forgery possible
• Entire extension block was removed

15. COLLIDING CERTIFICATES
MICROSOFT CONFIDENTIAL
Attacker wants to
remove the critical
unknown extension And use of MD5
presents an opportunity

16. COLLIDING CERTIFICATES
MICROSOFT CONFIDENTIAL
To pull off a MD5 collision attack the
attacker needs to forge a certificate
that has a bit-for-bit identical MD5
hash of the one from TSLM
The key to this is predictability
over what the TSLM will sign.

17. S/N
Validity
CN=MS
Y-bit RSA public key
Issuer Unique ID
Extensions
COLLIDING CERTIFICATES
MICROSOFT CONFIDENTIAL
Unmodified bytes
Chosen-prefix
(Partially modified)
IssuerUniqueId field is
an obsolete X509-ism.
Attacker uses it to
encompass the
unwanted extension

18. Version: 3
Serial Number: 1b7e
Signature Algorithm:
Algorithm ObjectId: 1.3.14.3.2.3 md5RSA
Algorithm Parameters:
05 00
Issuer:
CN=Microsoft LSRA PA
DC=partners
DC=extranet
DC=microsoft
DC=com
NotBefore: 2/19/2010 2:48 PM
NotAfter: 2/19/2012 2:48 PM
Subject:
CN=MS
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 a6 89 43 6f c6 ca 9d
0010 42 ad bd 28 d5 46 49 e0 55 f2 cc 38 e0 3d c0 7c
0020 ba 1d ca bb 92 c4 be 4c 5f 1a f9 d6 42 4b 34 0b
0030 2f 8a ac cb 97 31 ef 76 2f c3 85 af 95 93 47 46
0040 f6 ff 7c ca df c8 f9 d0 6a ec df 0e 91 55 23 ab
0050 64 06 90 d3 37 83 a8 0e 3e 5e 7f 77 35 66 74 20
0060 87 42 1f 25 17 8a d5 28 05 38 05 c8 48 6d 63 76
0070 3e fd 5a 11 67 07 09 6d 98 a3 08 4a f1 11 7f 80
0080 a7 4e 37 d4 f0 0e 34 7a d5 ba 83 ad 60 1e 57 44
0090 65 50 72 cd af 1e d0 1e 30 c2 eb 6a 51 e2 aa 54
00a0 85 57 fa 9c b1 59 e8 24 5e d4 38 d3 56 81 68 d5
00b0 05 8b 48 25 92 a2 11 1b e8 51 54 d9 d9 04 60 ee
00c0 1c fb 6a ec f0 6e 38 bb ad da 35 87 63 74 86 ef
00d0 1f cd 80 92 a2 98 3a 97 9a bd 35 d1 7d 2e 3a 47
00e0 04 48 17 74 db a3 67 d9 82 78 e0 77 2c cc ac 39
00f0 61 a6 d8 9d aa fc de 6f 60 4c 7c 73 07 31 93 2f
0100 67 28 4a 7e d1 ae 4c 42 dd 02 03 01 00 01
FORGING A CERTIFICATEWITH MD5
01ef: | | 02 03 ; New RSA public exponent
01f1: | | 01 00 01
01f4: | 81 82 03 78 ; Issuer Unique Id TAG (378 Bytes)
01f8: | 00 6a 4c e0 1f f5 91 69 b2 74 36 f0 7f 7b 4b 7b
Issuer Unique Id:
0000 6a 4c e0 1f f5 91 69 b2 74 36 f0 7f 7b 4b 7b c6 jL....i.t6..{K{.
0010 be eb 3f 9f 98 3d a3 84 87 54 7e 72 87 71 25 4b ..?..=...T~r.q%K
0020 68 35 ae 65 bd 6c 8f dc 8d ac c4 e8 98 92 de dc h5.e.l..........
0030 53 62 f5 72 6a 25 27 a3 12 46 eb 7f 6d 58 cd 30 Sb.rj%'..F..mX.0
0040 83 d7 7a 85 b8 48 e6 0e 01 11 68 65 7d 53 38 0b ..z..H....he}S8.
0050 40 f4 3b 68 43 59 c1 3c 05 c3 40 26 9d 51 97 e2 @.;hCY.<..@&.Q..
0060 eb 2e b8 c2 19 6e 4e 94 46 3b d8 d4 fd 0d 00 d1 .....nN.F;......
0070 68 fa df f3 fa 18 8a 7c 65 9b da 23 11 9f 16 a6 h......|e..#....
0080 8b 23 24 88 87 22 69 19 c2 11 ea 9d 36 81 ad fb .#$.."i.....6...
0090 e8 8b d2 d0 eb 06 f2 1a 86 8d c6 84 f3 88 c5 e0 ................
00a0 d9 64 c6 48 95 d4 be d3 54 48 91 e6 6c e9 1e 33 .d.H....TH..l..3
00b0 97 15 42 ee b4 6d 1f 15 0b 27 dd 08 bb 81 de b6 ..B..m...'......
00c0 96 16 39 d9 26 44 6a 5f d1 6b 3f 12 71 dc f0 99 ..9.&Dj_.k?.q...
00d0 62 d2 43 14 58 f8 6e f8 22 35 d2 90 f7 fd 93 6a b.C.X.n."5.....j
00e0 c4 49 b8 cb 0c e9 65 a8 f7 22 b5 f2 05 19 20 ef .I....e..".... .
00f0 25 63 c7 b3 97 4a 82 3e b2 e3 ee b4 5e cb 1d b3 %c...J.>....^...
0100 59 8f 8d f4 79 01 b1 b6 68 89 14 b4 8f 9d 60 d7 Y...y...h.....`.
0110 71 a5 3d 95 02 03 01 00 01 a3 82 02 5a 30 82 02 q.=.........Z0..
0120 56 30 1d 06 03 55 1d 0e 04 16 04 14 9a 9a 5d 77 V0...U........]w
0130 bd 84 66 a4 f1 de 18 10 1b 6e 67 a5 97 c1 14 87 ..f......ng.....
0140 30 1f 06 03 55 1d 23 04 18 30 16 80 14 75 e8 03 0...U.#..0...u..
0150 58 5d fb 65 e4 d9 a6 ac 17 b6 03 7e 47 ad 2e 81 X].e.......~G...
0160 af 30 81 c2 06 03 55 1d 1f 04 81 ba 30 81 b7 30 .0....U.....0..0
0170 81 b4 a0 81 b1 a0 81 ae 86 56 68 74 74 70 3a 2f .........Vhttp:/
0180 2f 74 6b 78 70 61 73 72 76 33 36 2e 70 61 72 74 /tkxpasrv36.part
0190 6e 65 72 73 2e 65 78 74 72 61 6e 65 74 2e 6d 69 ners.extranet.mi
01a0 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 43 65 72 74 crosoft.com/Cert
01b0 45 6e 72 6f 6c 6c 2f 4d 69 63 72 6f 73 6f 66 74 Enroll/Microsoft
01c0 25 32 30 4c 53 52 41 25 32 30 50 41 2e 63 72 6c %20LSRA%20PA.crl
01d0 86 54 66 69 6c 65 3a 2f 2f 5c 5c 74 6b 78 70 61 .Tfile://tkxpa
Leftover RSA
public exponent
216+1
Certificate
extensions
beginning mark
New RSA public
exponent 216+1
Tag octet 0x81
injected by the
attacker to make
IssuerUniqueID

19. FORGING A CERTIFICATEWITH MD5
0000: a3 82 02 5a ; OPTIONAL[3] (25a Bytes)
0004: | 30 82 02 56 ; SEQUENCE (256 Bytes)
0008: | 30 1d ; SEQUENCE (1d Bytes)
000a: | | 06 03 ; OBJECT_ID (3 Bytes)
000c: | | | 55 1d 0e
| | | ; 2.5.29.14 Subject Key Identifier
000f: | | 04 16 ; OCTET_STRING (16 Bytes)
0011: | | 04 14 ; OCTET_STRING (14 Bytes)
0013: | | 9a 9a 5d 77 bd 84 66 a4 f1 de 18 10 1b 6e 67 a5 ; ..]w..f......ng.
0023: | | 97 c1 14 87 ; ....
0027: | 30 1f ; SEQUENCE (1f Bytes)
0029: | | 06 03 ; OBJECT_ID (3 Bytes)
002b: | | | 55 1d 23
| | | ; 2.5.29.35 Authority Key Identifier
002e: | | 04 18 ; OCTET_STRING (18 Bytes)
0030: | | 30 16 ; SEQUENCE (16 Bytes)
0032: | | 80 14 ; CONTEXT_SPECIFIC[0] (14 Bytes)
0034: | | 75 e8 03 58 5d fb 65 e4 d9 a6 ac 17 b6 03 7e 47 ; u..X].e.......~G
0044: | | ad 2e 81 af ; ....
0048: | 30 81 c2 ; SEQUENCE (c2 Bytes)
004b: | | 06 03 ; OBJECT_ID (3 Bytes)
004d: | | | 55 1d 1f
| | | ; 2.5.29.31 CRL Distribution Points
0050: | | 04 81 ba ; OCTET_STRING (ba Bytes)
0053: | | 30 81 b7 ; SEQUENCE (b7 Bytes)
0056: | | 30 81 b4 ; SEQUENCE (b4 Bytes)
0059: | | a0 81 b1 ; OPTIONAL[0] (b1 Bytes)
005c: | | a0 81 ae ; OPTIONAL[0] (ae Bytes)
005f: | | 86 56 ; CONTEXT_SPECIFIC[6] (56 Bytes)
0061: | | | 68 74 74 70 3a 2f 2f 74 6b 78 70 61 73 72 76 33 ; http://tkxpasrv3
0071: | | | 36 2e 70 61 72 74 6e 65 72 73 2e 65 78 74 72 61 ; 6.partners.extra
0081: | | | 6e 65 74 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f ; net.microsoft.co
0091: | | | 6d 2f 43 65 72 74 45 6e 72 6f 6c 6c 2f 4d 69 63 ; m/CertEnroll/Mic
00a1: | | | 72 6f 73 6f 66 74 25 32 30 4c 53 52 41 25 32 30 ; rosoft%20LSRA%20
00b1: | | | 50 41 2e 63 72 6c ; PA.crl
Key Identifier
Certificate
extensions
beginning mark
Key Identifier
CRL points

20. FLAME INJECTION IN SUMMARY
Get in the Middle of Network Traffic
Make it work on all OSs (MD5)Pass a code sign check (TS)
Intercept a WU Client Update

21. ► Insert Flame Infection Demo by Elia

22. CRISIS PLANNING
Protect the Channel
7 10 days3 4 days
Untrust Certificates
Get the certificates, figure out WU, pwnage3 days
Response Plan
Untrust Certificates
5 7 days
Protect the Channel
5 7 days
Get the certificates, figure out WU, pwnage
12 days?
Response Plan B
Shawn
Hoffman
Elia
Florio
Neil
Sikka
Cristian
Craioveanu

23. SECURITY ADVISORY 2718704
Crysys, Symantec,
and Kaspersky make
details public about a
new attack of similar
nature to Stuxnet.
SSIRP declared
Based on indication
that Flame malware
includes modules
signed by Microsoft.
Incident response teams
immediately mobilized.
Security Advisory #2718704
Microsoft releases an update that
moves three Microsoft intermediate
certificate authorities into the
Untrusted Certificate Store in
response to Flame.
Update Channel Hardening
Microsoft releases defense-in-depth
packages to harden the update channel.
5/28 5/29 6/3 6/8

24. Security Advisory 2718704
IMMEDIATE RESPONSE
Harden Update Channel
• 3 Unauthorized certificates revoked
through the Certificate Revocation
List and added to Untrusted
Certificate Store.
• Once installed, the update stopped
the attack from being able to use the
unauthorized certificates.
• Windows Update service
upgrades SSL certificate.
• Windows Update and WSUS release
client updates to further restrict and
harden checks to the update channel.

25. ADDITIONAL MEASURES
Certificate Trust List
feature (June)
Additional Certificates
Revoked (July)
• Back ported new feature (CTL) from
Windows 8 to Vista and above.
• Allows for dynamic untrusting of
certificates and certificate authorities
through Windows Update channel.
• Provides immediate user
protection without interaction
• Security Advisory 2728973
• Revoked 28 additional
code sign certificates
• Revoked additional SSL certificates
• All discovered through internal
review as not stored with best
practice security
• No any indication of
use in attack or breach
Minimum Encryption
Level (August)
• Releasing August 2012 on DLC
• Will be Mandatory
(Automatic Update)
• Certificates having keys smaller than
1024 bits treated as untrusted.
• Harder for attackers to
break certificate security.

26. REVIEW
MICROSOFT CONFIDENTIAL
Small service, big impact
Dependencies between development and operations
Incident Response is as complex as the most complex attacks
Prevent, Detect, Contain, and Resolve key for this class of attacks
• TSLM designed in 1999 yields Windows Update compromise
• TSLM storing key pairs locally, not expecting code-sign capabilities
• WU trusting code-sign, not expecting PKI ops to delegate authority
• Hub and Spoke key - allows for strategy changes and minority opinion

27. TAKE AWAYS
MICROSOFT CONFIDENTIAL
Prevent
Detect
Contain
Resolve
• XSS allowing attacks in the cloud
• Insiders with unintended access
• Telemetry in the cloud w/ health systems
• Cross company SIEM
• Isolation of critical components in development and operations
• Least privilege, network segmentation
• Coordination across business units
• Local IR integrates well with Corporate IR
• Set a min bar with SDL
• Provide training, tools, automation
• Provide clear exception process
• Encourage increased investment in key areas
Development
• Establish min bar with Operational Security
• Leverage existing standards, tools, and processes
• Work in partnership with IT and Data Centers
to minimize duplication of effort
Operations
• Address areas of increased risk that need more than min-bar focus
• Includes trust assumptions, like PKI, trusted services, etc.
Systematic Areas

28. Thank you