

Posted by Pez (SCF VIP Member)

Spreading the Flame: Skywiper Employs ‘Windows Update’

Microsoft has issued Security Advisory 2718704, in which the company disclosed that it recently became aware of the Flamer/Skywiper threat, which uses certificates derived from the Microsoft Certificate Authority.

The actual certificate in question was used to sign at least one of the attack components associated with the module in the Skywiper framework.

This is what the digital certificate looks like on the module:

[image: the digital certificate on the module]

The certificate was valid from February 19, 2010 to February 19, 2012, in the Pacific time zone. (Other certificates might have been issued in a similar manner.)

Clearly, the certificate has been valid for the last two years. In an earlier blog, we hinted that this attack might involve digital certificates on some of its components. It is possible that other components also used digital signatures to carry out variations of this attack.

Further investigation of the downloader component shows that it was compiled on December 27, 2010, also Pacific time.

File Header:

Machine:            014C (i386)
Number of Sections: 0004
TimeDateStamp:      4D1894AE -> Mon Dec 27 07:29:18 2010
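The file header dump above comes from a PE triage tool. As an added example (not code from the original post or from the article's authors), the following parser reads the same three COFF fields directly from the PE bytes and decodes TimeDateStamp as UTC; the sample PE image is constructed inline from the values quoted above, and note that tools like the one used in the post render the timestamp in local time, so the hour shown there and the UTC value here differ by the tool's time zone.

```python
import struct
import time
from datetime import datetime, timezone

# Constructed minimal PE image: DOS header with e_lfanew, "PE\0\0" signature and a
# COFF file header carrying the values quoted in the post (i386, 4 sections,
# TimeDateStamp 0x4D1894AE). Everything after the COFF header is omitted.
def build_sample_pe():
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew lives at 0x3C
    dos_header += b"\x00" * (0x80 - len(dos_header))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 4, 0x4D1894AE, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

def parse_file_header(data):
    """Return Machine, NumberOfSections and TimeDateStamp from a PE file's COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "sections": nsections,
        "timestamp": timestamp,
        # Link time decoded as UTC; GUI tools usually show it in the analyst's local zone.
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        # The linker writes this field, so it is attacker-controlled: zero or a
        # future value is a common sign of tampering and worth flagging in triage.
        "plausible": 0 < timestamp <= int(time.time()),
    }

if __name__ == "__main__":
    hdr = parse_file_header(build_sample_pe())
    print(f"Machine: {hdr['machine']:04X} ({hdr['machine_name']})")
    print(f"Number of Sections: {hdr['sections']:04d}")
    print(f"TimeDateStamp: {hdr['timestamp']:08X} -> {hdr['compiled_utc']:%a %b %d %H:%M:%S %Y} UTC")
```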

A SigCheck from the SysInternals suite shows the following information on the attack component:

Verified:       Signed
                Microsoft LSRA PA
                Microsoft Enforced Licensing Registration Authority CA
                Microsoft Enforced Licensing Intermediate PCA
                Microsoft Root Authority
Signing date:   8:54 AM 12/28/2010
Publisher:      n/a
Description:    n/a
Product:        n/a
Version:        n/a
File version:   n/a

The certificate used to sign this file was originally issued by a Terminal Server Licensing Intermediate Certificate Authority. That means the certificate was supposed to be used only to authenticate users connecting to the Terminal Server but, due to a mistake in the CA configuration, it could be used to sign code, too.

Microsoft’s revocation of this Intermediate CA does not affect the trustworthiness of any other certificate issued by Microsoft itself. Only certificates issued to users of Terminal Server would need to have their certificates reissued by their system admins.

To pull off this attack, the worm module creates a server called MSHOME-F3BE293C on the infected machine, and intercepts Windows update requests from nearby machines if the network settings allow a Windows update “proxy” using the Web Proxy Auto-Discovery Protocol. The server supplies a signed executable within CAB packages for Windows Update on the local network. (Such redirection attack opportunities have been discussed publicly, many times.) This step facilitates the infection of the local network, with a very silent, “below the radar” distribution mechanism.

An updated map of Skywiper infections based on our current information looks like this:

[image: map of Skywiper infections]

The targeted attacks of this threat are limited to a few individuals, organizations, and institutions, with the largest infection numbers reported from Iran.

Original article: Monday, June 4, 2012 at 2:42pm by Peter Szor and Guilherme Venere

There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.



Posted by SCF Administrator (Samker's Computer Forum)
Re: Spreading the Flame: Skywiper Employs ‘Windows Update’
« Reply #1 on: 05. June 2012., 18:19:22 »
Thanks for info pal.  :up:
