
Author Topic: Researchers identify Stuxnet-like cyberespionage malware called 'Flame'  (Read 5348 times)

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
A new, highly sophisticated malware threat that was predominantly used in cyberespionage attacks against targets in the Middle East has been identified and analyzed by researchers from several security companies and organisations.
 
According to the Iranian Computer Emergency Response Team (MAHER), the new piece of malware is called Flamer and might be responsible for recent data loss incidents in Iran. There are also reasons to believe that the malware is related to the Stuxnet and Duqu cyberespionage threats, the organization said on Monday.
 
Malware researchers from antivirus firm Kaspersky Lab have also analyzed the malware and found that while it is similar to Stuxnet and Duqu in terms of the geographic propagation and targeting, it has different features and it is, in many ways, more complex than both of those threats.
 
Flame, as the Kaspersky researchers call it, is a very large attack toolkit with many individual modules. It can perform a variety of malicious actions, most of which are related to data theft and cyberespionage.
 
Among other things, it can use a computer's microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.
 
One of the toolkit's first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.
 
Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone, Kamluk said.
 
Another interesting aspect of the threat is that some parts of Flame were written in LUA, a programming language that's highly uncommon for malware development. LUA is often used in the computer gaming industry, but Kaspersky Lab hasn't seen any malware samples before Flame that were written in the language, Kamluk said.
 
Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet.
 
The Kaspersky researchers haven't found any evidence of an unknown (0-day) vulnerability being exploited by this malware, but Flame is known to have infected a fully patched Windows 7 computer, so they don't completely exclude the possibility, Kamluk said.
 
When infecting computers that are protected by antivirus programs, Flame avoids performing certain actions or executing malicious code that might trigger a proactive detection from those security applications. This is one of the reasons that the malware flew under the radar for so long, Kamluk said.
 
By checking the data from its worldwide network of malware sensors, Kaspersky Lab has managed to identify current and past Flame infections in the Middle East and Africa, predominantly in countries like Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
 
However, antivirus vendor Symantec also identified past infections in Hungary, Austria, Russia, Hong Kong and the United Arab Emirates. The company doesn't dismiss the possibility that these infection reports originated from laptops that were temporarily taken abroad by travellers.
 
It's hard to tell what type of information the Flame authors are after, given the wide variety of data that the malware can steal and send back to the command and control servers. A decision regarding which of the malware's modules and functionality to use is probably taken by the attackers for each particular target on a case-by-case basis, Kamluk said.
 
The targeted organizations don't seem to follow an industry-specific pattern, either. The malware has infected computers belonging to government agencies, educational institutions and commercial companies as well as computers owned by private individuals.
 
As with Duqu and Stuxnet, it's not clear who created Flame. However the malware's complexity and the amount of resources required to build something like it has led security researchers to believe that it was created or sponsored by a nation state.
 
Kaspersky's researchers didn't find any evidence that could tie the malware to a specific country or even region. However, there is some text written in English inside the code, Kamluk said.
 
"Examination of the code also leads Symantec to believe the malware was developed by a natively English speaking set of developers," a Symantec spokesman said via email. "No further observations have been made which could assist in locating the origin of the malware."
 
Researchers from the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics, which played an important role in the discovery and analysis of Duqu, have also released a report on the Flame malware, which they call "sKyWIper."
 
"The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," the CrySyS researchers said in their report. "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."


Published by Computerworld, written by Lucian Constantin | Iasi, Romania | Tuesday, 29 May, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/researchers-identify-stuxnet-like-cyberespionage-malware-called-flame?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews


David Harris
Ohauiti Weather
WH1091 Wireless Weather Station
Ohauiti Weather :: Home  powered by Cumulus MX 3.0.0 b3041
"If it wasn't for the last minute nothing would ever get done"

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
Development timeline key to linking Stuxnet, Flame malware

Nailing down a timeline for the development of Flame, the new super-cyber spying malware recently found infecting PCs in Iran and other Middle Eastern countries, will be critical to connecting the dots between it, Stuxnet and Duqu, experts said.
 
Flame, as the espionage tool has been named, is a massive piece of malware -- 20 to 40 times larger than Stuxnet -- that infiltrates networks, scouts out the digital landscape, then uses a variety of modules to pilfer information.

What researchers are trying to determine is not only how Flame works -- an effort that will take months -- but how it fits with other malware that experts believe targeted Iran, a country at odds with the West over its nuclear program. In particular, two earlier-discovered threats: Stuxnet, which most have concluded was created to sabotage Iran's uranium-enrichment facilities, and Duqu, an intelligence-gathering tool many believe was used to pinpoint targets for Stuxnet.

"The most interesting thing about Flame is its possible relationship to Stuxnet," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. "The timelines [of the two] will play a big part in any analysis."

Liam O Murchu, director of operations for Symantec's security response center, agreed. "The timeline is very important," said O Murchu.

Both Kaspersky and Symantec are busy digging into Flame, and the two companies were instrumental in deciphering Stuxnet two years ago. They're perfectly positioned to draw conclusions about the two pieces of malware, and any connections between the pair.

Although Stuxnet was first discovered by researchers in mid-2010, Symantec traced its first attack to June 2009, with follow-up campaigns launched in March and April 2010. Duqu, meanwhile, may have been created as early as 2007 or 2008, even though evidence of attacks by the malware can be tracked only as far back as August 2011.

So where does Flame fit in?

"We looked at our telemetry, and we see evidence of Flame in 2010," said O Murchu. "But it's very possible it goes back further than that."

Kaspersky could trace Flame back about that far, too. "We've confirmed it in 2010, but there's some circumstantial evidence that goes back to 2007," said Schouwenberg.

What Schouwenberg called "circumstantial" was first raised by CrySyS Lab at the Budapest [Romania] University of Technology and Economics, in a first-impressions analysis of Flame published Monday (download PDF). CrySyS cited a 2007 appearance of Flame's main component as possible proof of an early development date. "[Flame] may have been active for as long as five to eight years, or even more," CrySyS asserted.

Those earlier dates have not been confirmed by either Kaspersky or Symantec, however, in part because Flame spoofs its file creation and code compilation time and date stamps.

Chronology is important because of the Windows vulnerabilities that both Stuxnet and Flame exploited. Stuxnet was remarkable in part because it used exploits of multiple "zero-day" bugs in Windows -- ones which had not been patched by the time the malware was discovered -- and Flame leveraged some of the same bugs, including ones in Windows shortcuts and the print spooler, which Microsoft patched in August and September 2010, respectively.

If Flame's origin can be traced to before Stuxnet's discovery, the use of the zero-day vulnerabilities would link the two pieces of malware. It's very unlikely that two groups would have found, then used so many identical Windows bugs.

One thing's not in contention. Kaspersky and Symantec each are convinced that Stuxnet and Flame were built by different teams. There's little to no similarity between the two pieces of malware.

"Stuxnet and Duqu were created on the same [development] platform, but they have nothing in common with Flame," said Schouwenberg. "There's absolutely nothing in common. Stuxnet/Duqu and Flame use completely different development philosophies."

But the then-unpatched bugs may connect the dots. In fact, Schouwenberg is sure that they do.

"The exploits being used by Flame, and that it's spread through USB devices, those are identical to what we found in Stuxnet," he said. "So we definitely think that Stuxnet and Flame were parallel operations. Whoever was behind this contracted two different teams or companies, which then came up with different solutions."

In that scenario, the two teams -- one to create Stuxnet, another to build Flame -- were hired by the same person, people, group or government around the same time, with each team provided the same zero-day vulnerabilities.

Most security experts at least suspect -- if they haven't already jumped to the conclusion -- that Flame was backed by a government.

"It's difficult to say for certain because you never know who is behind these things, but all the indicators are that [Flame] was state-sponsored," said O Murchu, who cited the complexity of the malware, its size and multiple modules, and the apparent interest in Iran as reasons for his assumption.

Schouwenberg didn't disagree. "The complexity of the malware, the size of the malware, the size of the operation, it would take very, very serious funding to pull this off," said Schouwenberg. "Flame [stole] a huge amount of data, and it couldn't be gone through with a few guys. It had to be a huge operation and involve a lot of people."

Traditional hacker groups are much leaner, and can't afford the manpower to create malware that results in massive amounts of information that must be organised, analysed and acted upon. "The manpower needed to do this would add to the entire operation's cost," Schouwenberg added. But if the timelines are such that it looks like Flame was created after the bugs exploited by Stuxnet went public, well, then all bets are off: The Flame team could have simply used what had been disclosed to make their own exploits of the vulnerabilities, standing on the shoulders of Stuxnet.

"We're going to have to spend a lot of time analysing Flame before we know for certain," said O Murchu. Kaspersky and Symantec have pledged to publish more information about Flame as they find it.


Published by Computerworld, written by Gregg Keizer | Framingham | Thursday, 31 May, 2012
Link to article:  http://computerworld.co.nz/news.nsf/security/development-timeline-key-to-linking-stuxnet-flame-malware?opendocument&utm_source=security&utm_medium=email&utm_campaign=security

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
Researchers reveal how Flame fakes Windows Update

Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft's Windows Update mechanism.
 
Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?
 
Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company's Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates "signed" by Microsoft.
 
Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.
 
"Hijacking Windows Update is not trivial because updates must be signed by Microsoft," noted Symantec on Monday in one of a series of blog posts its researchers have written about Flame.

One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame's development and attacks.
 
Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure's chief research officer and the first to announce that Flame was abusing Windows Update, called the feat "the Holy Grail of malware writers" and "the nightmare scenario" for antivirus researchers.
 
But as both Symantec and Kaspersky pointed out, Flame doesn't actually compromise Windows Update. It doesn't somehow infiltrate Microsoft's service -- and servers -- to force-feed malicious files to unsuspecting users.
 
Instead, a Flame-infected Windows PC can, in some situations, make other machines on a network believe it's Windows Update.
 
A PC compromised by Flame can sniff a network's NetBIOS information, which identifies each computer, then use that to intercept Windows Update requests by Internet Explorer (IE). Flame claims to be the WPAD (Web Proxy Auto-Discovery Protocol) server -- a system that provides proxy settings to copies of IE on the network -- and sends a malicious WPAD configuration file to the requesting PC.
 
As Symantec noted, WPAD hijacking is not new and is, in fact, part of many hacker toolkits.
 
The rogue WPAD configuration file modifies the victimized machine's proxy settings so that all Web traffic is routed through the Flame-infected system. On that PC, Flame's Web server, dubbed "Munch," kicks in, detects when the requested URL matches Windows Update's and in return sends a downloader disguised as a legitimate update from Microsoft.
 
To complete the ruse, the downloader was one of several compressed files -- crunched into the "cabinet," or ".cab" file format -- bundled into the single Windows Update.
 
Once the downloader is installed, it retrieves a copy of Flame from the already-infected PC and uses it to compromise the computer.
 
This complex spreading technique only added to researchers' grudging respect for the threat.
 
"As we continue our investigation ... more and more details appear [that show] this is one of the most interesting and complex malicious programs we have ever seen," said Alexander Gostev, who leads Kaspersky's research and analysis team, in a Monday blog entry.

Microsoft has revoked three certificates generated by the attackers, making further spoofing of Windows Update files impossible on patched PCs unless there are more rogue certificates in the wild. The company has also blocked others from cranking out new code-signing certificates.


Published by Computerworld, written by Gregg Keizer | Framingham | Tuesday, 5 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/security/researchers-reveal-how-flame-fakes-windows-update?opendocument&utm_source=security&utm_medium=email&utm_campaign=security

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
Flame malware's structure 'among most complex ever seen'

Kaspersky Lab Monday shared more details about the sophisticated cyber-espionage Flame malware widely believed to be the work of a nation-state, though the security firm isn't venturing yet to say what country that might be.
 
Kaspersky Lab is working with OpenDNS to investigate Flame malware tied most closely to cyber-espionage against Iran and Lebanon, and today both companies described what has been found in a week of investigation of Flame command and control (C&C) servers around the world. These servers are being "sinkholed" slowly to cut off ties between the C&C server and Windows-based computers infected with Flame malware, which spies on computer use and can upload content back to Flame's C&C operators.

The Flame cyber-espionage botnet has one of the most elaborate and carefully constructed C&C structures ever identified, according to Roel Schouwenberg, senior researcher at Kaspersky Lab, who joined with Dan Hubbard, CTO at OpenDNS, to discuss the latest discoveries made since a week ago, when Kaspersky's announcement about the malware apparently caused Flame's C&C operators to suddenly drop offline.
 
However, Flame appears to be updating itself to possibly reconstitute its capabilities, Schouwenberg warns.
 
"Flame's goal is cyber-espionage," says Schouwenberg, noting it's "hiding in plain sight," and "there may be a cyber-sabotage component to it."
 
Flame can send up stolen information in 80 kilobyte chunks, and Flame's operators want to steal PDF files, Office documents and AutoCAD files, such as mechanical and building designs. He notes, "Whitelisting technologies would have definitely blocked Flame." Whitelisting prevents unauthorised applications from running on computers. Flame is Windows-based and there doesn't seem to be a Linux component for Flame, Schouwenberg says.
 
"The Flame command control is unlike anything we've ever seen before," Schouwenberg says. Flame has had more than 80 domains registered for servers that have been identified in far-flung places, from India to Belgium to the Netherlands to Switzerland. The Flame C&C servers do not appear to be based on hacked servers, and domain registrations use fake names that appear to be registered carefully by hand to hotels, shops and doctors' offices, for example, with most of the phony domain registrations registered under fake names for Germany and Austria, but there's no known reason why. These domains and locations associated with Flame registrations are not historically connected with "bad actors and bad neighborhoods," Hubbard points out.
 
The researchers acknowledge there is still a lot they don't know about Flame because they think they still need to find additional Flame modules to get a bigger picture of what's going on. There's also evidence Flame is updating itself to find alternate C&C paths and has a sophisticated backup operation. So far, there are 196 known victims of Flame in Iran, 54 in Palestine, 48 in Israel, 33 in Sudan, 31 in Syria, and others elsewhere, including 10 in the U.S. The numbers haven't changed a lot from a week ago, Kaspersky says. About 45 of the victims in Iran have had Flame sinkholed to protect against it, as well as 21 in Lebanon and eight in the U.S., among a few others.
 
Another technical aspect about Flame coming into view is that Microsoft yesterday announced a flaw in its certificate-registration process that appears to have been exploited for purposes of Flame. Kaspersky Lab says it's still seeking to find out more about this and declined to comment on it.
 
Microsoft on Sunday issued security advisory 2718704 and a related post by engineering staffer Jonathan Ness to notify Microsoft customers that "unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft root authority."

This all appears to have a bearing on the Flame malware, Microsoft says.
 
Microsoft says it has revoked three of these certificates associated with the Flame malware by putting them into the "Windows Untrusted Certificate Stores," and "we have also discontinued issuing certificates usable for code signing via the Terminal Services activation and licensing process."
 
Sometimes use of digital certificates has been by those designing malware to better hide from antivirus software.
 
Microsoft says it found a flaw in its Terminal Services licensing certification authority process that "when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft's internal PKI infrastructure."
 
Microsoft says most antivirus software today will recognize, block and eradicate the Flame malware, but Microsoft is taking the steps it did yesterday to revoke the Terminal Services digital issuance because it's concerned some of the techniques used by Flame could also be "leveraged by less sophisticated attackers to launch more widespread attacks."
 
In a column for Wired on June 1, Mikko Hypponen, chief research officer for F-Secure, says his company failed to identify Flame as malware even though the software ended up in an F-Secure code archive back in 2010 and 2011. F-Secure's system hadn't flagged it as something dangerous. This may be because Flame was artful in making itself look like a business database system. Hypponen says Flame represented a "failure of the anti-virus industry," adding, "We were out of our league, in our own game."


Published by Computerworld, written by Ellen Messmer | Framingham | Tuesday, 5 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/security/flame-malwares-structure-among-most-complex-ever-seen-says-kaspersky-lab?opendocument&utm_source=security&utm_medium=email&utm_campaign=security

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
Flame authors order infected computers to remove all traces of the malware

The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said on Wednesday.
 
Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, Symantec's security response team said in a blog post.
 
The module is called browse32.ocx and its most recent version was created on May 9, 2012. "It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module," the Symantec researchers said.
 
However, even though it is similar in functionality to the SUICIDE feature -- both being able to delete a large number of files associated with the malware -- the new module goes a step further.
 
"It locates every [Flame] file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection," the Symantec researchers said. "This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind."
 
Deleting a file in Windows does not remove its actual data from the physical hard disk. It only flags the hard disk sectors occupied by that file as available for the operating system to rewrite.
 
However, since there is no way to predict when the operating system will actually overwrite those sectors, the deleted file, or portions of it, can be recovered with special data recovery tools -- at least for a limited period of time.
 
According to Aleks Gostev, chief security expert with Kaspersky Lab's global research & analysis team, the overwriting of file data with meaningless characters happens before the Flame files get deleted by browse32.ocx, not after as Symantec suggested. However, the goal is the same -- eliminating all traces of the malware and making forensic analysis harder, he said via email.
 
Last week, Kaspersky's researchers said that they discovered Flame while investigating a series of data loss incidents in Iran that could have been caused by a piece of malware. However, no evidence that links Flame to those attacks has been found yet.
 
Kaspersky's researchers didn't exclude the possibility that a yet-to-be-identified Flame component was responsible for the data destruction in Iran, but if such a component exists, it's probably not browse32.ocx.
 
"Browse32 does not overwrite the hard disk the way Wiper [the mystery malware] did it," Gostev said. "It wipes only files related to Flame."


Published by Computerworld, written by Lucian Constantin | Iasi, Romania | Friday, 8 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/flame-authors-order-infected-computers-to-remove-all-traces-of-the-malware?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
Security researchers discover link between Stuxnet and Flame

Security researchers from antivirus vendor Kaspersky Labs have found evidence that the development teams behind the Flame and Stuxnet cyberespionage threats collaborated with each other.
 
The Kaspersky researchers determined that Flame, which is believed to have been created in 2008, and a 2009-version of Stuxnet shared one component that served the same purpose and had similar source code.
 
Back in October 2010, Kaspersky's researchers analyzed a sample that had been automatically classified as a Stuxnet variant by the company's automated systems. At the time, the researchers dismissed the detection as an error because the sample's code looked nothing like the code in Stuxnet.
 
However, after Flame was discovered at the end of May, the Kaspersky researchers searched their database for malware samples that might be related to the new threat and found that the sample detected as Stuxnet in 2010 was actually a Flame module. The module uses an autorun.inf trick to infect computers via USB drives.
 
Upon further research, the Kaspersky analysts determined that Stuxnet.A, which was created in early 2009, uses the same autorun.inf trick to spread via USB drives. In fact, the source code responsible for this is almost identical to the one in the Flame module.
 
"It looks like the Flame platform was used to kick start the Stuxnet platform," said Roel Schouwenberg, a senior researcher with Kaspersky Lab's global research and analysis team, during a conference call with the press.
 
The Kaspersky researchers already knew that Stuxnet and Flame leveraged at least one of the same Windows vulnerabilities, but this wasn't conclusive proof that their developers collaborated. The exploit could have been created by a third-party that sold it to both teams, Schouwenberg said.
 
However, the new discovery suggests that the developers of the two malware threats actually shared source code, which is intellectual property and wouldn't normally be shared between unrelated teams. "We are now 100-percent sure that the Flame and Stuxnet groups worked together," Schouwenberg said.
 
The Kaspersky researchers discovered that the Flame module integrated into Stuxnet.A exploited a Windows elevation of privilege (EoP) vulnerability that wasn't known at the time of the malware's creation. This would be the fifth zero-day (previously unknown) vulnerability exploited by Stuxnet, Schouwenberg said.
 
The researchers believe that this vulnerability was one that Microsoft patched in June 2009, a few months after the creation of Stuxnet.A, but they are not yet certain and are still investigating.
 
Later Stuxnet versions stopped using the Flame module entirely and began exploiting a separate vulnerability that relied on malformed LNK (shortcut) files to propagate via USB drives.
 
Interestingly, the exploit code from Stuxnet.A's Flame-borrowed module is very similar to the exploit code for a different EoP vulnerability that's present in later Stuxnet versions. The researchers believe that both sections of code were written by the same programmer.
 
The theory put forward by the Kaspersky researchers is that Flame and Stuxnet were created by two separate teams as part of two operations funded by the same nation state. Flame was probably used for espionage and Stuxnet used for sabotage, Schouwenberg said.
 
According to a recent New York Times report that quotes anonymous sources from the Obama administration, Stuxnet was created by the US and Israeli governments as part of a secret operation called Olympic Games with the goal of crippling Iran's ability to produce weapon-grade nuclear fuel.


Published by Computerworld, written by Lucian Constantin | Iasi, Romania | Tuesday, 12 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/security-researchers-discover-link-between-stuxnet-and-flame?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
Microsoft readies post-Flame Windows Update changes

Microsoft will start feeding users an update to the critical Windows Update service in the next few days, several security experts said today.
 
Windows Update (WU) provides security patches and other fixes to Windows PCs. The service is accessed directly by consumers, and through the Windows Server Update Services (WSUS) component by enterprises.
 
The update was triggered by the discovery that Flame, a sophisticated, nation state-grade cyber espionage tool, had subverted WU to infect additional PCs within an already-penetrated network. The team behind Flame, which shared code with the makers of the even-better-known Stuxnet worm that sabotaged Iran's nuclear program, pulled off that first-of-its-kind hack by stealing digital certificates from Microsoft.

A week ago, Microsoft announced it would issue an update to WU to prevent copy-cats from duplicating Flame's feat. At the time, it said it would begin serving that update before the end of the week.

Microsoft did, in fact, push the update to some users last week, although it limited the scope of that audience, said researchers.
 
"It's done and tested, and as we understand it, has been offered to some users," said Wolfgang Kandek, chief technology officer at Qualys, in an interview.
 
Jason Miller, manager of research and development at VMware, said that he had heard from users who had received the new Windows Update client, and like Kandek, said Microsoft would unthrottle the update -- in other words, begin pushing it to all, or at least more, users -- "in a few days."
 
Microsoft also heeded calls to wait until after yesterday's Patch Tuesday to refresh WU by pausing the update, limited though it was, until users' PCs began downloading fixes for the 26 flaws the company delivered this month.
 
Several researchers, including Kandek and Andrew Storms, director of security operations at nCircle Security, said they had emailed contacts at Microsoft urging the company to wait.
 
"They released the WSUS update Friday, and started the WU update, but not everyone got it," said Kandek. "Then they put a pause on WU."
 
Last week, Storms had hoped Microsoft would do the smart thing, and delay the WU update until after Patch Tuesday, noting that to do different might delay some businesses' deployment of the fixes.

"They'll want to test the Windows Update update," said Storms last Thursday. "Because if that breaks, everything breaks with it."
 
The WU update will force the service to acknowledge only certificates issued from a new certificate authority (CA) the company will create, and no longer accept other Microsoft-signed digital signatures, as it has since its inception.
 
Flame's makers exploited a flaw in Microsoft's Terminal Services licensing CA to generate the fake Microsoft digital signatures. They launched a super-advanced cryptographic "collision attack," where two different values produce the same cryptographic "hash," to gain the bogus certificates.
 
Some researchers have argued that the collision attack shows that the Flame team included world-class cryptographers, and would have required considerable computing horsepower to pull off.

"The new WU will be more critical about the certificates that it uses to sign downloads, and be more picky about how it communicates with Microsoft," said Kandek. "It will make the download process more robust."
 
By the time next month's Patch Tuesday rolls around on July 10, all users will have had multiple opportunities to grab the WU update, Kandek added. Microsoft will probably make the switch to the new certificates at that time.
 
Because updates to WU don't rely on users having set the service to automatically receive and install all fixes, everyone who runs WU will receive the update. Windows Update updates are installed whenever the service is engaged, whether automatically, manually or in the in-between mode that only notifies users of impending updates.
 
Only PC owners who have disabled the service and never use it -- experts suspect that users running counterfeit copies of Windows avoid it because they fear being found out by Microsoft's sniffing for legitimate licenses when it deploys a new WU client -- will not be migrated to the new, more restrictive certificate model.


Published by Computerworld, written by Gregg Keizer | Framingham | Thursday, 14 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/microsoft-readies-post-flame-windows-update-changes?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews

Offline OhauitiWeather

Report: Flame part of US-Israeli cyberattack campaign against Iran
« Reply #7 on: June 22, 2012, 01:04:30 AM »
The highly sophisticated Flame malware was jointly developed by the U.S. and Israeli governments in preparation for a cybersabotage campaign to disrupt Iran's nuclear fuel enrichment efforts, according to a media report.
 
Citing unnamed Western officials with knowledge of the operation, the Washington Post reported on Tuesday that Flame's goal was to collect intelligence about Iran's computer networks that would facilitate future cyberattacks.
 
On June 1, The New York Times reported that Stuxnet, a sophisticated piece of malware that is believed to have caused the destruction of up to 1000 gas centrifuges at Iran's Natanz uranium enrichment facility, was created by the U.S. and Israeli governments as part of a joint operation code-named Olympic Games.
 
The New York Times cited unnamed official sources who said that prior to deploying Stuxnet, cyberespionage software programmes known as beacons were secretly inserted into computers made by German hardware manufacturer Siemens and an Iranian company.
 
The purpose of these beacons was to collect information about how computers from the Natanz facility interoperated with the uranium enrichment centrifuges, and send this data back for analysis.
 
On June 11, security researchers from Kaspersky Lab, one of the security companies that discovered and analysed the Flame malware, announced that they found a link between Flame and Stuxnet in the form of shared computer code.
 
Based on this evidence of collaboration, they theorized that the two threats were created by two development teams funded by the same group of attackers. Flame was probably used for espionage and Stuxnet for sabotage, Roel Schouwenberg, a senior researcher with Kaspersky Lab's global research and analysis team, said at the time.
 
Flame was discovered back in May, following an investigation into a series of mysterious data loss incidents at Iran's Oil Ministry. Those attacks were carried out in April by the Israeli part of the operation without knowledge from the US side, the Washington Post's sources said.
 
Security researchers from Kaspersky Lab believe that Flame was created in the first half of 2008. Stuxnet was discovered in June 2010, but the first variant of the malware is believed to date from June 2009.
 
In September 2011, a separate piece of cyberespionage malware called Duqu was discovered. Duqu's architecture and code are very similar to Stuxnet, leading security researchers to believe that the two threats were created on the same development platform.


Published by Computerworld, written by Lucian Constantin | Iasi, Romania | Thursday, 21 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/report-flame-part-of-us-israeli-cyberattack-campaign-against-iran?opendocument&utm_source=security&utm_medium=email&utm_campaign=security

