The Malware Holy Grail

Virus writers are evolving the use of encryption and other techniques to hide malicious code from detection software. They have direct access to the operating system documentation (for Windows, Mac, etc.); the same documentation used by developers. They have traditionally made sure they're malicious code evades detection by signature based antivirus detection. This fact and economics means the number of crackers and malicious attacks will continue to increase.In spite of this, researchers have been baffled as to how the Flame Malware has been devised to avoid detection for two years (not matching the available antivirus signatures) with the ability to infect fully patched Windows 7 machines… Security Researchers have identified 'Windows Update' as the mechanism Flame uses to infiltrate and compromise networks.Network InfectionCrackers exploited a flaw in the Microsoft Terminal Services licensing certificate authority, which allowed them to generate a new certificate that was "signed" by Microsoft. This particular kind of certificate (valid from February 2010 and February 2012) gave crackers a clear avenue into most computers running Windows.This sophistication in malware creation has never been seen before. Many security experts are just amazed, calling it "the Holy Grail of malware writers" and "the nightmare scenario". Antivirus Researchers (such as) Symantec and Kaspersky said that Flame didn't actually compromise anything in 'Windows Update' and it did not compromise the service or servers.Computer to Computer InfectionFlame conducted an imitative deception operation of Windows Update (a military grade attack). Using this process it was able to make all other computers on the network believe, that it's the Windows Update server. It Then collected the NetBIOS information (which identifies each computer) and used that info to send Windows Update requests through Internet Explorer. Flame makes itself a Web Proxy Auto-Discovery Protocol (WPAD), and sends configuration files to all of the requesting PC's.Configuration files sent from computer to computer through the WPAD directs the compromised machine to redirect all traffic through the infected machine. When Flame detects a URL request matching the Windows Update URL, it transmits a new downloader (disguised as an update from Microsoft) to infiltrate the machine disguised as a '.cab' file. Once the update is executed, it downloads a copy of Flame from the infected machine to the clean machine.Microsoft (upon detection) has blocked three certificates that were used by attackers, preventing additional spoofing of Windows Update (as long as there are no more rogue certificates in the wild). They have also implemented prevention procedures to stop others from creating new code signing certificates.Attack Vectors and InstructionsFlamer spreads from computer to computer, however; It doesn't do that automatically, instead it waits for the attacker to send instructions. Here are the additional methods that Flamer uses to spread:- It uses captured credentials from administrators - spreads through network shares.- It uses (CVE-2010-2729), spreading through a Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability, which was previously used by Stuxnet.- It uses removable media - spreading through a specially crafted autorun file.- It uses removable drives - spreading through a special directory that hides the files. It can execute automatically while viewing the USB drive, if combined with the (CVE-2010-2568), the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution VulnerabilityThe Last vector has not been seen before (using junction points exclusively). A junction point is actually an alias to a directory, which has some special attributes. The interesting thing is that Flamer uses junction points, and makes them hide its files and enable auto-execution.Flamer creates a directory and places three files there -' ', '' and '' the configuration file in the '' file causing this directory to work as a junction point. However, Flamer uses a special trick, to make the junction point lead to a file instead of a directory. So this directory leads to a file named ''. That means that this folder won't be accessible by the user, and the files inside will be hidden.Flamer uses (CVE-2010-2568) Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability to be executed. Then the '' file will be used and automatically parsed, and by using the "shortcut" vulnerability, it will execute the Flamer (). Additionally, Flamer might change it's names to , , , or probably any other name.In ConclusionFlamer uses new techniques to get executed and hide itself. Moreover, it exploits the old techniques too. It is incredibly large, and it will probably show us some more techniques as new versions continue to morph. BitDefender, Kaspersky, Norton and some of the other antivirus companies have released a free tool which removes the scariest cyber espionage tool ever. Please use one of the automatic removal tools listed below to eradicate this weapon.