Flame's Windows Update hack required world-class cryptanalysis, researchers say

Flame's authors used a previously unknown MD5 collision attack variant, cryptanalysts say

The Flame cyber-espionage malware makes use of a previously unknown cryptographic attack variant that required world-class cryptanalysis to develop, experts from the Dutch national research center for mathematics and computer science (CWI) said on Thursday.

The cryptographic attack, known as an MD5 chosen prefix collision, was used by Flame's creators to generate a rogue Microsoft digital code-signing certificate that allowed them to distribute the malware to Windows computers as an update from Microsoft.

Microsoft's security engineers explained how the MD5 collision attack worked in a blog post on Wednesday. In their article, they referenced older chosen prefix collision research by cryptanalysts Marc Stevens, Arjen Lenstra, and Benne de Weger.

Stevens, Lenstra and de Weger were part of a larger international team of researchers who, in 2008, demonstrated a practical MD5 collision attack which allowed them to create a rogue SSL certificate trusted by all browsers.

Stevens, who is a scientific staff member in the cryptology group at CWI, analyzed the rogue Microsoft certificate used by Flame's authors and determined that they used a different MD5 collision attack than the one devised by him and his colleagues in 2008. "The design of this new variant required world-class cryptanalysis," Stevens said in a blog post on Thursday.

Ronald Cramer, the head of the cryptology research group at CWI and professor at the Mathematical Institute of Leiden University in the Netherlands, agreed with Stevens' assessment. "This is not a job done by amateurs," he said.

Furthermore, the fact that Flame's creators used an MD5 collision attack different from the one developed by Stevens and his colleagues suggests that the two variants might have been designed in parallel.

From a practical point of view it would have made no difference had they used Stevens' attack instead, Cramer said.

Both attacks could have generated rogue Microsoft code-signing certificates that would have tricked Windows systems. The difference between them lies in the math used, not the end result.

One reasonable explanation for why Flame's creators didn't use Stevens' attack is that they developed their own variant before Stevens and his colleagues published their research in 2008, Cramer said.

This theory is also supported by other evidence, according to which Flame was developed in the second half of 2008, and reinforces the idea that Flame was created by a professional team of developers with a lot of resources.

Interestingly, the attack would have failed a long time ago if Microsoft had been more diligent. "We, at the time, notified Microsoft and all other parties affected in this context, so they could take measures," Cramer said.

In December 2008 Microsoft issued a security advisory which recommended that administrators and certificate authorities cease using MD5 as an algorithm to sign digital certificates because of collision attacks. However, the company failed to disable the use of MD5 in parts of its own operating system, which is what Flame exploited, Cramer said.

Following the discovery of the Flame attack, Microsoft revoked three of its Terminal Server certificate authorities and announced other changes to the Terminal Service certificate infrastructure to prevent similar abuse in the future.
