Flame malware, the buzz of June 2012, had an interesting replication method through the Microsoft Windows Update service. The SNACK (NBNS spoofing) and MUNCH (proxy detection spoofing and Windows Update request handling) Flame modules allowed man-in-the-middle (MITM) attacks, enabling the distribution of forged Windows updates to the targets.
The MITM URLs were:
download.windowsupdate.com
download.microsoft.com
update.microsoft.com
www.update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
www.download.windowsupdate.com
v5stats.windowsupdate.microsoft.com
The problem was that components of Flame were signed using a forged certificate that the attackers were able to create by exploiting a weakness in Microsoft Terminal Services, which allowed users to sign code with Microsoft certificates.
Microsoft has issued a security advisory (MSA-2718704) and an update (KB-2718704) which will remove the untrusted certificates.
But as of today, the “Microsoft Root Certificate Authority” root certificate and the “Microsoft Update Secure Server CA 1” intermediate certificate are no longer trusted by the majority of Internet browsers, such as Firefox, Chrome, Safari and Opera. The cause is that Microsoft has regenerated the Windows Update certificate chain. The chain of trust is broken (checked with Qualys SSL Labs and SSL Shopper SSL Checker) for www.update.microsoft.com and update.microsoft.com.
Microsoft Update server has started using a funky SSL certificate. http://t.co/Y2IicT32 – http://t.co/7ffVhRw6 – http://t.co/dkMmS95b #flame
— @mikko (@mikko) June 17, 2012
SSL certificates for the following domain names are also no longer trusted, because the chain of trust is broken:
www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
The SSL certificates associated with the following domain names are also no longer trusted, because they point to a host that does not correspond to the requested domain name (hosted on Akamai):
download.windowsupdate.com
download.microsoft.com
www.download.windowsupdate.com
With KB-2718704 installed on an up-to-date Windows XP SP3, only the “www.update.microsoft.com” domain could be considered trusted, if you use Internet Explorer.
But despite the installation of KB-2718704, the following domains are still invalid:
update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
download.windowsupdate.com
download.microsoft.com
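The two failure classes described above (a chain that cannot be built up to a trusted root, versus a certificate issued for a different host) can be told apart from the client side with the following script. It is an added example, not a tool from the original post; it relies only on the Python standard library and the system trust store, and the mapping of OpenSSL verify result codes to the two classes is an assumption about OpenSSL's numbering.

```python
import socket
import ssl

# Windows Update hosts named in the post.
WINDOWS_UPDATE_HOSTS = [
    "www.update.microsoft.com",
    "update.microsoft.com",
    "v5.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "download.microsoft.com",
]

# Assumption: OpenSSL X509 verify result codes (see x509_vfy.h) for the
# subset of failures relevant here.
CHAIN_CODES = {2, 18, 19, 20, 21}   # issuer missing / untrusted / self-signed in chain
HOSTNAME_CODE = 62                  # X509_V_ERR_HOSTNAME_MISMATCH
EXPIRED_CODE = 10                   # X509_V_ERR_CERT_HAS_EXPIRED


def classify_verify_error(err) -> str:
    """Map a verification failure (ssl.SSLCertVerificationError, which carries
    verify_code) to the failure classes the post describes."""
    code = getattr(err, "verify_code", None)
    if code in CHAIN_CODES:
        return "chain-broken"
    if code == HOSTNAME_CODE:
        return "hostname-mismatch"
    if code == EXPIRED_CODE:
        return "expired"
    return "other-verify-error"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS connection with chain and hostname verification enabled and
    return a verdict string for the host."""
    ctx = ssl.create_default_context()  # system roots, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                leaf = tls.getpeercert()
                issuer = dict(x[0] for x in leaf["issuer"]).get("commonName", "?")
                return "trusted (issuer: %s)" % issuer
    except ssl.SSLCertVerificationError as err:
        return classify_verify_error(err)
    except (OSError, ssl.SSLError) as err:
        return "connection-failed: %s" % err


if __name__ == "__main__":
    for host in WINDOWS_UPDATE_HOSTS:
        print("%-36s %s" % (host, check_host(host)))
```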
Below are some screenshots of the error messages shown by different browsers.
[Image gallery: browser certificate error screenshots]