Flame virus used world-class cryptographic attack

aog70999

The recently discovered computer worm Flame could have been created only by “world-class” cryptographers, say experts in the field who have discovered that the malware uses a previously unseen cryptographic attack.

Flame installs itself on a target computer by hijacking the Windows Update system. Normal updates are signed with a digital certificatethat verifies their origin, but Flame’s creators were able to fake their own certificate.

Such certificates are signed by a hash algorithmthat converts any digital data into a short sequence of characters. It isn’t possible to recover the original data from this sequence, but it can be used to verify it, allowing the hash sequence to act as a virtual “signature”. Crucially, it should be very difficult to discover two pieces of data that convert to the same hash sequence – otherwise someone can perform a “collision attack”, generating a spoof hash sequence without knowing the original data.

That’s exactly what Flame’s authors have done, though it isn’t the first time the feat has been achieved. In 2008 cryptographer Mark Stevens and colleagues showed that the oft-used MD5 hash algorithm is vulnerable to collision attacks – a feat that required 200 PlayStation 3consoles to crunch through the numbers to find a match.

Now Stevens and others have analyzed Flame’s code and discovered it uses a previously unseen variant of the attack, probably developed before his research was published, allowing the attackers to calculate the exact hash sequence used by Microsoft’supdate system.

“The results have shown that not our published chosen-prefix collision attackwas used, but an entirely new and unknown variant,” says Stevens. “This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis.”

Whoever designed Flame, they are now trying to cover their tracks. Antivirus firm Symantec that computers infected with Flame have received a “suicide” update module designed to completely remove the worm. It appears that this module was created on 9 May, just a few weeks before the malware became publicly known.


Blowfish12@2012 blowfish12.tk Author: Sudharsunpr@live.in

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s