Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should You Really Do to Protect Against It
2 likes695 views
The document discusses the workings and spread of the Flame malware, detailing its sophisticated command and control infrastructure, capabilities, and unique method of infection through Windows updates using forged certificates. It highlights lessons learned from the incident, emphasizing the flaws in Microsoft's use of MD5 hashes and the need for comprehensive endpoint security measures. Additionally, it introduces Lumension's endpoint management and security solutions designed to prevent such sophisticated attacks and enhance overall security posture.
Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should You Really Do to Protect Against It
- 1. © 2011 Monterey Technology Group Inc.
- 2. Brought to you by www.lumension.com Speaker Chris Merritt - Director of Solution Marketing
- 3. Preview of Key Points How it worked Lessons learned © 2012 Monterey Technology Group Inc.
- 4. How Flame Worked 24 Command & Control Servers 84 Domain Names traffic-spot.bz trafffic-spot.com quick-net.info smart-access.net chchengingine.com chchengine.net flasp.webhop.net Internal Network © 2012 Monterey Technology Group Inc.
- 5. How Flame Worked Internal Network © 2012 Monterey Technology Group Inc.
- 6. How Flame Worked Flame’s 20MB of Capabilities • Bluetooth • Audio • USB • Backdoor accounts • Proxy server • Windows Update • Extendable modular architecture • File system search • Text summaries of interesting files • Logging • Trickle uploader • Anti-Malware aware Internal Network • Compression • SSL fallback to SSH © 2012 Monterey Technology Group Inc.
- 7. How Flame Worked Internal Network © 2012 Monterey Technology Group Inc.
- 8. How Flame Spread via WU 1. Flame activates on first computer (X) 2. Another computer (Y) wants to check for Windows Updates 3. Y defaults to automatic proxy server and broadcasts an NBNS request for WPAD (Web Proxy Auto-Discovery) 4. X answers back and spoofs itself as a proxy server 5. Y attempts to connect through X to Microsoft’s Windows update site and retrieve updates 6. X pretends to be Windows Update and sends back a bogus patch which contains Flame 7. But why does Y’s Windows Update validation logic trust the bogus patch? © 2012 Monterey Technology Group Inc.
- 9. How Flame Spread via WU 8. Flame signs the patch with a certificate that appears to be from Microsoft 9. The certificate was created from a Terminal Services Licensing Service CAL certificate 10. Then used to sign the patch 11. Why was it possible to do this? © 2012 Monterey Technology Group Inc.
- 10. The Incredible Part All possible because the bad guys pulled off a highly advanced cryptography trick Chosen prefix attack on the MD5 hash of certificate signature Real Fake TS Licensing Windows Update Certificate Certificate Signature from MS Certificate Authority © 2012 Monterey Technology Group Inc.
- 11. What Microsoft Did Wrong TS Licensing certs included code signing in the intended uses TS Licensing certs were ultimately signed by Microsoft’s Root CA Windows Update was looking for cert’s signed by Microsoft TS Licensing certs used MD5 This allowed the attackers to create a bogus certificate and forge signatures on bogus patches © 2012 Monterey Technology Group Inc.
- 12. Lessons learned MD5 was broken a long, long time ago Stop using technologies theoretically broken (intersection w/o stoplight syndrome) PKI is tricky Who do you trust and for what purposes? Good security still rules © 2012 Monterey Technology Group Inc.
- 13. Lessons learned Good security still rules Website categorization Egress traffic analysis Anti-malware Whitelisting Reduce attack surface • Turn off unneeded features like WPAD • Turn off bluetooth Device control Internally controlled patch management Security log monitoring • New account reconciliation • New authentication packages © 2012 Monterey Technology Group Inc.
- 14. Bottom Line Endpoint security technologies really work Whitelisting Antimalware Device control Removable media Configuration management Internally controlled patch management © 2012 Monterey Technology Group Inc.
- 15. Brought to you by www.lumension.com Speaker Chris Merritt - Director of Solution Marketing
- 16. Defense-in-Depth Tools You Need to Disrupt Sophisticated Attacks like Flame Chris Merritt Director of Solution Marketing Lumension
- 17. Integrated Defense-in-Depth Unify workflows and technologies to deliver enhanced endpoint operations and security management capabilities Endpoint Operations Intelligent Whitelisting Endpoint Security Patch Application Control Device Control Management Asset Configuration Trusted Anti-Virus / Change Disk Encryption Management Management Spyware Software Power Windows Firewall Management Management Management Reporting » Delivers Comprehensive Security Solution » Provides Proactive Target Hardening » Reduces Overall IT Cost and Burden 17 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 18. Lumension® Patch and Remediation Comprehensive and Secure Patch Management Endpoint Operations » Provides rapid, accurate and secure patch and configuration management for applications and Endpoint Operations Lumension® Patch and Remediation operating systems: Lumension® Content Wizard • Comprehensive support for multiple OS types Lumension® Configuration Mgmt. (Windows, *nix, Apple), native applications, and 3rd party applications Lumension® Power Management • Streamline and centralize management of heterogeneous environments • Visibility and control of all online or offline endpoints • Elevate security posture and proactively reduce risk • Save time and cost through automation 18 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 19. Lumension® Content Wizard Cost-Effectively Streamline Endpoint Management Endpoint Operations » Simple, wizard-based policy creation and baseline enforcement – without add’l tools: Endpoint Operations Lumension® Patch and Remediation • Patch Creation Lumension® Content Wizard • Software Installs and Uninstalls Lumension® Configuration Mgmt. • Windows Security Policies • Power Management Policies Lumension® Power Management • NEW! Windows Firewall Policies 19 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 20. Lumension® Security Configuration Mgmt. Prevent Configuration Drift and Ensure Policy Compliance Endpoint Operations » Ensure that endpoint operating systems and applications are securely configured and in Endpoint Operations Lumension® Patch and Remediation compliance with industry best practices and Lumension® Content Wizard regulatory standards: Lumension® Configuration Mgmt. • Security Configuration Management • Out-of-the-box Checklist Templates Lumension® Power Management • NIST Validated Solution • Continuous Policy Assessment and Enforcement • Based on Open Standards for Easy Customization • Security Configuration and Posture Reporting 20 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 21. Lumension® Power Management Optimize Power Savings while Maintaining Security Endpoint Operations » Enhanced Wake-on-LAN relay architecture ensures systems are available for maintenance Endpoint Operations Lumension® Patch and Remediation despite being powered down Lumension® Content Wizard » Monetizes Power Management Policies: Lumension® Configuration Mgmt. • Integrated Power Savings Reports Lumension® Power Management • Power Monitoring and Savings Calculator • Uptime Reports • Dashboard – Uptime or Savings Trends 21 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 22. Lumension® AntiVirus Multilayered Protection Against Malware » Based on proven technology from industry Endpoint Security leader providing complete protection against Lumension® AntiVirus known and unknown malware including viruses, Endpoint Security worms, Trojans, spyware, adware and more Lumension® Application Control » Includes a breadth of analysis techniques from Lumension® Device Control traditional signature matching to behavioral Lumension® Disk Encryption analysis to effectively protect against zero-day and evolving threats: • Antivirus (AV) protection (full signature matching) • DNA Matching (partial signature matching) • SandBox (behavioral analysis in an emulated environment) • Exploit Detection (find hidden/embedded malware) » VB100 certified by VirusBulletin 22 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 23. Lumension® Application Control Proactive Protection Against Malware and More » Effective Endpoint Security: Block known and Endpoint Security unknown malware without signatures, and Lumension® AntiVirus prevent exploitation of application / configuration Endpoint Security vulnerabilities Lumension® Application Control » Control the Unwanted: Real-time view of all Lumension® Device Control application inventory, ensuring only approved Lumension® Disk Encryption software is allowed to run, and denying / removing all unwanted applications » Control the Unknown: Enforce, log and audit all endpoint application change while controlling end-users with Local Admin rights » Flexible and Easy-To-Use: Unified solution workflow via single console with flexible trusted change management policy 23 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 24. Lumension® Device Control Policy-Based Data Protection and Encryption » Protect Data from Loss or Theft: Centrally Endpoint Security enforce usage policies of all endpoint ports and Lumension® AntiVirus for all removable devices / media. Endpoint Security Lumension® Application Control » Increase Data Security: Define forced encryption policy for data flows onto removable Lumension® Device Control devices / media. Flexible exception Lumension® Disk Encryption management. » Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen. » Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations. 24 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 25. Lumension® Disk Encryption (powered by Sophos) Transparent Full Disk Encryption for PCs » Secures all data on endpoint harddrives Endpoint Security » Provides single sign-on to Windows Lumension® AntiVirus Endpoint Security » Enforces secure, user-friendly pre-boot Lumension® Application Control authentication (multi-factor, multi-user options) Lumension® Device Control » Quickly recovers forgotten passwords and data (local self-help, challenge / response, etc.) Lumension® Disk Encryption » Automated deployment, management and auditing via L.E.M.S.S. (integrated version) 25 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 26. Lumension® Endpoint Management and Security Suite Total Endpoint Protection Endpoint Operations Endpoint Reporting Services Lumension® Patch and Remediation Lumension® AntiVirus Endpoint Security Lumension® Content Wizard Lumension® Application Control Lumension® Configuration Mgmt. Lumension® Device Control Lumension® Power Management Lumension® Disk Encryption Lumension® Endpoint Management Platform » Comprehensive suite that unifies IT operational and security functions » Delivers a more effective defense-in-depth endpoint security solution » Simplifies endpoint system and agent management thru single console » Centralizes policy management and reporting » Expands operational and security visibility » Reduces technology complexity and integration costs » Flexible and modularly licensed best-of-breed application modules » Scalable and agile single-agent, single-server platform architecture 26 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
- 27. Next Steps • Free Tools » http://www.lumension.com/Resources/Premium-Security-Tools.aspx » Application Scanner – see what applications are running on your network » Device Scanner – see what removable devices are being used » Vulnerability Scanner – see what your OS / application risks are • Whitepapers » Endpoint Management and Security Buyers Guide • http://www.lumension.com/Resources/WhitePapers/ Endpoint-Management-and-Security-Buyers-Guide.aspx • Free Evaluation » http://www.lumension.com/ endpoint-management-security-suite/free-trial.aspx 27
- 28. Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 [email protected]