October 26, 2016

How Flame Hijacked Windows Update

Source: Symantec.com

(LiveHacking.Com) – It is a malware writer's dream to invent a system that automatically infects a PC by pretending to be a legitimate OS update coming from the manufacturer, or more specifically to trick a PC into thinking that the software it is receiving isn't malware but in fact an update from Microsoft. Such updates are installed by the OS without question, meaning that the infection happens automatically and silently. Up until now this had been impossible.

But now, Symantec has posted details on how the Flame malware has managed to do exactly that: launch a man-in-the-middle attack on the Windows Update service. Flame has an interesting feature in that it is modular; new modules can be uploaded to any infected PC by the Flame authors. For the Windows Update spoof, Flame uses three modules: SNACK, MUNCH, and GADGET.

On start-up, IE automatically sends out Web Proxy Auto-Discovery Protocol (WPAD) requests to discover whether there are any proxies on the network. These requests are directed at local computers with the relevant wpad domain names, but if there are no DNS records with those names then the lookup falls back to NetBIOS name resolution. One of SNACK's functions is to act as a sniffer, catch any WPAD requests and answer them, tricking the requesting computer into accepting the infected PC as a valid proxy. The uninfected PC will then start using the infected PC as a web proxy, and all of its web traffic will flow through the infected machine.

MUNCH is Flame's built-in web server. With the victim's web traffic now passing through the infected PC because of SNACK, MUNCH inspects all the requested URLs and hijacks the Windows Update traffic. Because Flame holds fake code-signing certificates that appear to belong to Microsoft, MUNCH is able to tell GADGET to send fake updates to the victim's Windows machine.

GADGET sends the uninfected computer a binary signed with a certificate that appears to belong to Microsoft, presented as if it were a legitimate Windows Update file. The binary isn't Flamer itself, but a loader for Flamer. Once the update is received, the uninfected computer executes it, and in due course Flame is downloaded onto the PC.
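The chain above starts with the SNACK step: a client finds no DNS record for wpad, falls back to NetBIOS, and accepts whichever peer answers. A defender can watch for exactly that pattern in name-resolution telemetry. The following detection script is an added example, not code from the article or from Symantec's analysis; the log format, the sensor that would emit it and the approved proxy address 10.0.0.5 are assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not from the article): a hypothetical
# name-resolution sensor logging "<ts> <proto> <client> <name> -> <answer>"
# for DNS and NetBIOS (NBNS) lookups. Client 10.0.0.21 gets no DNS wpad
# record, falls back to NetBIOS, and is answered by a peer workstation.
SAMPLE_LOG = """\
2016-10-26T09:00:01 DNS 10.0.0.21 wpad.corp.example -> NXDOMAIN
2016-10-26T09:00:02 NBNS 10.0.0.21 WPAD -> 10.0.0.77
2016-10-26T09:00:05 DNS 10.0.0.22 wpad.corp.example -> 10.0.0.5
2016-10-26T09:01:10 NBNS 10.0.0.23 WPAD -> 10.0.0.5
"""

# Hosts allowed to answer for the wpad name (assumed corporate proxy address).
APPROVED_WPAD_HOSTS = frozenset({"10.0.0.5"})

LINE_RE = re.compile(r"^(\S+) (DNS|NBNS) (\S+) (\S+) -> (\S+)$")


@dataclass
class Alert:
    ts: str
    client: str
    proto: str
    answer: str
    reason: str


def find_wpad_spoofing(log_text, approved=APPROVED_WPAD_HOSTS):
    """Flag wpad answers from hosts outside the approved set, and note the
    DNS-to-NetBIOS fallback the article describes when it is visible."""
    dns_failed = set()  # clients whose DNS wpad lookup returned no record
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proto, client, name, answer = m.groups()
        if name.lower().split(".")[0] != "wpad":
            continue  # not a proxy auto-discovery lookup
        if proto == "DNS" and answer == "NXDOMAIN":
            dns_failed.add(client)  # client will likely retry over NetBIOS
            continue
        if answer in approved:
            continue
        reason = f"wpad resolved via {proto} to unapproved host"
        if proto == "NBNS" and client in dns_failed:
            reason += " after DNS returned no wpad record"
        alerts.append(Alert(ts, client, proto, answer, reason))
    return alerts
```

Publishing a real wpad DNS record pointing at the sanctioned proxy (or disabling automatic proxy discovery) removes the NetBIOS fallback that SNACK relies on, and this check then reduces to spotting any answer that is not the sanctioned proxy.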