mysec (Premium) join:2005-11-29 kudos:4 | reply to Name Game
Re: F-Secure's CRO: Why We Didn't Catch Stuxnet & Flame
said by Name Game: I rather think some mole walked into the facilities and did it with a flash drive or some other direct way for stuxnet..
Yes, that's been established -- I quoted one source in my first post above.
said by Name Game: no one has really come to terms/proof on Flame.
Again, until that is established, all is conjecture.
said by Name Game: Thumbprint of the certificate that was used to sign WUSetupV.exe used by the Flame malware. 1d 19 0f ac f0 6e 13 3e 87 54 e5 64 c7 6c 17 da 8f 56 6f bb or 1d190facf06e133e8754e564c76c17da8f566fbb »twitpic.com/9sqi2x/full
Can you explain how an attacker would use this?
thanks,
---- rich |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | »www.f-secure.com/weblog/archives···377.html |
mysec (Premium) join:2005-11-29 kudos:4 | Thanks, Name Game. Now, things are becoming a bit clearer:
Microsoft certification authority signing certificates added to the Untrusted Certificate Store »blogs.technet.com/b/srd/archive/···ore.aspx
Connection to Flame malware
Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority.
Microsoft Update and The Nightmare Scenario »www.f-secure.com/weblog/archives···377.html
The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer. These analyses start from the standpoint that the main Flame binary is already installed on the computer, which in turn, downloads more components. As of yet, we do not know the point of entry for the initial component.
The file called WUSETUPV.EXE --signed or not-- would be blocked from dropping on to any computer protected as I described in my previous posts.
That is, until something further is revealed!
---- rich |
rcdailey (Dragoonfly, Premium) join:2005-03-29 Rialto, CA | reply to mysec How do you know, in fact, that the Iranian double-agent did not have Administrator privileges on that network? Maybe he was just a user or maybe he was something more elevated. Anyway, your points are good because if ability to load some file is more limited then it should be easier to identify the culprit and eliminate him (with extreme prejudice). -- It is easier for a camel to put on a bikini than an old man to thread a needle. |
mysec (Premium) join:2005-11-29 kudos:4 | said by rcdailey: How do you know, in fact, that the Iranian double-agent did not have Administrator privileges on that network? Maybe he was just a user or maybe he was something more elevated.
I wrote this in my first post:
Looking at the methods of attacks -- points of entry -- it's evident that the biggest security failure is allowing users (non-Administrators) in these facilities to be able to install programs. And, by consequence, permitting a remote code execution exploit to succeed: We don't know that Administrator/User accounts were configured on those computers.
Anyway, it's hard to imagine that a double agent was any higher on the ladder of authority than a low or medium level user w/o Administrator access. Not impossible, of course, but until other information surfaces, I'm assuming this.
If he/she was a high level person, then they have more problems than have been revealed to this point!
Again, all we can do is conjecture and speculate. We may never know all of the details.
While all of these stories make for intriguing reading, more to the point, it seems to me, is that we all make sure that such a compromise could not happen on our systems!
---- rich |
mysec (Premium) join:2005-11-29 kudos:4 | Earlier, I noted that the analyses so far seem to show how modules and components are downloaded to a machine already infected with Flame, and then the actions they carry out.
This adds to my observation:
Gadget in the middle: Flame malware spreading vector identified »www.securelist.com/en/blog/20819···entified
(NOTE: It's important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities. The "Gadget" module is simply used to spread within a network from a machine that is already infected with the malware). My bolding.
---- rich |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 1 edit | Yes..thought you picked up on the gadget info already here
»Re: F-Secure's CRO: Why We Didn't Catch Stuxnet & Flame
Flame intercepts Windows Update requests via a Windows Update proxy using the Web Proxy Auto-Discovery Protocol
Microsoft's revocation of this Intermediate CA does not affect the trustworthiness of any other certificate issued by Microsoft itself. Only certificates issued to users of Terminal Server would need to have their certificates reissued by their system admins. To pull off this attack, the worm module creates a server called MSHOME-F3BE293C on the infected machine, and intercepts Windows update requests from nearby machines if the network settings allow a Windows update proxy using the Web Proxy Auto-Discovery Protocol. The server supplies a signed executable within CAB packages for Windows Update on the local network. (Such redirection attack opportunities have been discussed publicly, many times.) This step facilitates the infection of the local network, with a very silent, below-the-radar distribution mechanism. An updated map of Skywiper infections based on our current information looks like this:
»blogs.mcafee.com/mcafee-labs/spr···s-update |
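An added example, not code from the thread or from any of the vendor posts it links: a defender-side PowerShell audit tying together the two points raised above, the certificate Microsoft pushed into the Untrusted (Disallowed) store and the signed WUSETUPV.EXE handed out by the update proxy. It checks whether the "Microsoft Enforced Licensing Intermediate PCA" certificates are present in the Disallowed store, then walks the Authenticode chain of a suspect file and reports whether the chain contains the thumbprint quoted earlier in the thread or any certificate the host now distrusts. The quarantine path at the bottom is a placeholder, not a location the thread gives.

```powershell
# Added example, not from the thread: audit a Windows host for the post-Flame
# certificate distrust and inspect a suspect update file's signing chain.
# Thumbprint is the one quoted earlier in this thread for the WUSetupV.exe signer.
$FlameSignerThumbprint = '1D190FACF06E133E8754E564C76C17DA8F566FBB'
$RevokedIssuerName     = 'Microsoft Enforced Licensing Intermediate PCA'

function Get-DisallowedCerts {
    # Everything Windows explicitly distrusts (the "Untrusted Certificates" store).
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed
}

function Test-FlameIssuerDistrusted {
    # True once the intermediate CA named in the Microsoft advisory is in the store.
    $hits = Get-DisallowedCerts | Where-Object { $_.Subject -like "*$RevokedIssuerName*" }
    return ($hits | Measure-Object).Count -gt 0
}

function Test-UpdateFileTrust {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "File not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $chainPrints = @()
    $chainStatus = @()
    if ($null -ne $sig.SignerCertificate) {
        # Build the signer's chain against the local stores only (no network revocation lookups).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)
        $chainPrints = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
    $disallowed = @(Get-DisallowedCerts | ForEach-Object { $_.Thumbprint })
    [pscustomobject]@{
        File               = $Path
        SignatureStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignerIsFlameLeaf  = ($chainPrints -contains $FlameSignerThumbprint)
        ChainHitsUntrusted = [bool]($chainPrints | Where-Object { $disallowed -contains $_ })
        ChainStatus        = $chainStatus         # e.g. why Build() failed, if it did
        Chain              = $chainPrints
    }
}

# Usage (the path is a placeholder for wherever a copy was quarantined):
Test-FlameIssuerDistrusted
Test-UpdateFileTrust -Path 'C:\Quarantine\WUSETUPV.EXE' | Format-List
```

A file whose chain runs through a distrusted intermediate will show a non-Valid SignatureStatus together with a ChainStatus entry explaining the failure, which is the observable effect of the store update on a patched host.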
mysec (Premium) join:2005-11-29 kudos:4 | No, I missed that reference.
Thanks.
---- rich |
| reply to FF4m3 This is a good example of why I disable Windows Update on every PC I lock down for security. I download updates manually.
It's another good example of why network sharing, sharing protocols, and network drivers are all deleted from lockdown configured PCs. Not turned off, DELETED.
It's also a very fine example of why you use a HIPS, and layered defensive measures. Any good HIPS would likely have found this, or at least prevented damage. Lots of products out there block off all of the screenshot hooks. Make sure to enable self protections, and turn off the ability to drop your security products from task manager, etc. I've seen trojans uninstall AVs.. LOL
It's also a good example of why I use deadman switches on PCs that need heavy security. No funny stuff while the PC is unattended, no C&C logins, etc.
Flame will be discovered to use task scheduler as well as a fallback. Hence, a good idea to remove that service on PCs.
I bet lots of stuff would prevent a PC from being too abused by Flame. Mostly common sense, but the average user out there probably would be in big trouble. |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | Stuxnet worm with task scheduler, OK..but Flame??? Where did you get that idea? |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to Name Game
said by Name Game: Rebuttal: Got One Part Right; You Fail Sat Jun 2 12:48:42 CDT 2012 jericho This is a rebuttal to Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet (June 1, 2012) by Mikko Hypponen. There are several updates to this article at the end, based on replies from a variety of people including Mikko. »attrition.org/security/rebuttal/···_av.html
And now we have a "correcting a rebuttal":
»anti-virus-rants.blogspot.ca/201···tal.html -- Gladiator Security Forum »www.gladiator-antivirus.com/
Mele20 (Premium) join:2001-06-05 Hilo, HI kudos:4 | I don't get it. None of this is surprising. Where is all the ignorance coming from? Doesn't anyone know anything about AV and AV vendors? Geeez. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | Don't understand your meaning with that post..but glad you said it. |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to mysec
Mele20 (Premium) join:2001-06-05 Hilo, HI kudos:4 | reply to Name Game
said by Name Game: Don't understand your meaning with that post..but glad you said it.
LOL
I just meant that Jericho appears to have little understanding of AV and AV vendors and how things work. The "correcting the rebuttal" was better/more informed. Even then, why all this shock and disbelief? It just shows that very few folks understand how the AV vendors work or understand much about certs or Microsoft's certificate store, etc.
I thought Mikko Hypponen's comments made sense and none of what he said surprised me. This was waiting to happen and I don't understand the current uproar...why are folks so surprised? -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | Ok...certainly agree..thanks for thinking out loud. |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to Mele20 This article gives a good non-biased overview of what the owners of the worms accomplished.
Flame, Stuxnet fanning the flames of cyber world war
»blastmagazine.com/the-magazine/t···rld-war/ -- Gladiator Security Forum »www.gladiator-antivirus.com/
Link Logger (Premium, MVM) join:2001-03-29 Calgary, AB kudos:3 | reply to FF4m3 Attack surfaces are so much larger and multi-dimensional than most people can even imagine, and the various groups playing the game have some very, very, very imaginative people involved.
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool |
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to FF4m3
state (stress magnet, Premium, Mod) join:2002-02-08 Purgatory kudos:6 1 edit | Looks like the FBI has launched an investigation:
»www.cnn.com/2012/06/06/politics/···pt=hp_c1
Sen. Saxby Chambliss, ranking Republican on the Senate Intelligence Committee, said he was informed that an FBI inquiry was under way. The senator from Georgia and other leaders of the House and Senate Intelligence Committees issued a joint statement Tuesday deploring the apparent leaks.
"In recent weeks, we have become increasingly concerned at the continued leaks regarding sensitive intelligence programs and activities, including specific details of sources and methods," said Chambliss; Chairwoman Dianne Feinstein, D-California; Chairman Mike Rogers, R-Michigan; and Ranking Member C.A. "Dutch" Ruppersberger, D-Maryland, in the statement.
"These disclosures have seriously interfered with ongoing intelligence programs and have put at jeopardy our intelligence capability to act in the future. Each disclosure puts American lives at risk, makes it more difficult to recruit assets, strains the trust of our partners and threatens imminent and irreparable damage to our national security in the face of urgent and rapidly adapting threats worldwide."
edit: I see this was already posted to the other topic. |