In the spirit of Patch Tuesday, here’s a Q&A with Rob Juncker, Director of R&D for VMware Go, on one of the biggest news stories affecting IT admins this summer: the Flame virus (don’t worry, that’s a link to an SC Magazine post!).
The Flame virus is arguably the most sophisticated computer virus we’ve ever seen – and as strong a reminder as any to keep all of your patches up to date! VMware Go Pro, for one, has some of the market’s best patch management features – and you can register for a free trial today.
Without further ado, let’s check in with our own Rob Juncker on the Flame virus, and what we can expect going forward…
What is the Flame virus?
[Rob Juncker]: A person from Iran contacted an overseas anti-virus company about a strange program on his computers. The strange program was the Flame virus.
Is this virus related to Stuxnet and Duqu viruses?
[RJ]: It appears the virus is related to these two viruses in an ongoing cyber warfare program. The industry, including myself, is staying out of the political part of these viruses.
Is the virus as complex as the Stuxnet and Duqu viruses?
[RJ]: This virus was made simple. The technology in older, similar viruses was hidden very well. It took the industry quite a while to identify the virus and exactly what the virus does.
Can this virus be detected by anti-virus programs?
[RJ]: Yes, the virus was quite simple for detection purposes.
Are machines in the US and EU going to be infected by the Flame virus?
[RJ]: The odds are extremely low of the Flame virus going widespread. The Stuxnet virus went widespread due to an error in the programming of the virus. This virus should stay put in Iran and other countries.
Is it true this virus was collected by security honey pots years ago?
[RJ]: Yes. This virus has been reported to have been found previous to 2010 in some areas. Other areas are reporting this virus has been active for over 4 years.
If this virus is so old, why was it not flagged as a virus when it was collected by honeypots?
[RJ]: This virus is very peculiar which makes it an "advanced" virus. First, the virus is quite large. Some reports tag the virus as 10MB and larger. Most viruses are quite small. Second, the virus is not complex in hiding the actions it takes. Most typical viruses are extremely complex. Lastly, the virus is signed by a valid Microsoft digital signature. Typically, all programs signed by Microsoft are thrown out as any files signed by a valid signature from vendors are not viruses.
Is the Security Advisory released last month by Microsoft related to the Flame virus?
[RJ]: Yes. Microsoft researched the Flame virus and identified the digital certificate used to sign the virus was a legitimate Microsoft digital signature. The Security Advisory places the Microsoft digital certificate to the Untrusted Certificate Store. This prevents any, Microsoft or non-Microsoft, program signed by this certificate to be invalid.
Is this a public relations hit to Microsoft?
[RJ]: Yes. A valid Microsoft certificate is now in the Untrusted Certificate Store. Microsoft has gone to the side of security instead of saving face.
If the Flame virus is contained in Iran and the likelihood of a widespread outbreak is very unlikely, why did Microsoft invalidate the certificate?
[RJ]: Two reasons: Three viruses have been identified that have attacked Iran and other nations. There is no idea how many viruses still exist in the world that are related to this attack. There could be other viruses that use this vulnerability. Second, copycat virus writers will try researching the Flame virus to use the vulnerability to sign their own viruses with a Microsoft digital signature.
Will placing this certificate in the Untrusted Certificate Store potentially break some Microsoft applications?
[RJ]: Yes, but this is very unlikely. The Microsoft Terminal Server program can assign digital certificates for clients connecting to the server. Any server that has been setup with certificate connections could see issues. Microsoft has been working with customers and has supplied information on potential issues to the Microsoft SRD blog. The issues reported have been very low.
Are there any other steps Microsoft is taking to fix other issues with this breach in certificate signing?
[RJ]: Yes. Microsoft is taking steps to harden the Windows Update Agent.
What does the Windows Update Agent have to do with this saga?
[RJ]: With the ability to breach Microsoft digital signatures, there is a potential for a man-in-the-middle attacks by tricking Windows Update into thinking signed malicious files are legitimate.
Are machines vulnerable to this man-in-the-middle attack with Windows Update if I have applied the Security Advisory that invalidates the digital certificate?
[RJ]: No. Machines are safe from an attack if they apply the update.
If machines are safe after applying the Security Advisory, why is Microsoft updating Windows Update for this type of an attack?
[RJ]: This is known as defense-in-depth. Microsoft is preventing this type of an issue happening again if an attacker finds a valid way to steal digital certificates.
Is this man-in-the-middle attack a likely attack scenario?
[RJ]: This is very unlikely. An attacker will need to compromise a machine on a network and subsequently trick Windows Update agents on the network to use the infected machine.
What can I do to protect my machines against this virus and potential future viruses?
[RJ]: Apply Microsoft Security Advisory 2718704 to all of your machines. Ensure all of your machines have an up to date anti-virus program installed and working properly.