With Flame MD5 collision have come true

It is a mathematic breakthroughs introduce by the state supported malware named Flame

“We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack,” Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. “The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications.”

Collision” attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn’t until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Wegwer, of the Technische Universiteit Eindhoven were two of the driving forces behind the research that made it possible.

Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.

According to Stevens and de Weger, the collision attack was unlike any that cryptographers have seen before. They arrived at that conclusion after using a custom-designed forensic tool to analyze Flame components.

“More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant,” Stevens wrote in a statement distributed on Thursday. “This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis. Further research will be conducted to reconstruct the entire chosen-prefix collision attack devised for Flame.”

The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state. Stevens’ and de Weger’s conclusion means that, in addition to a team of engineers who developed a global malware platform that escaped detection for at least two years, Flame also required world-class cryptographers who have broken new ground in their field.

Microsoft Certificate used in "Flame"

Following our recent article on Flame, it appears that “Flame” components were sign using Microsoft Certificate.

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that a “unauthorized digital certificates derived from a Microsoft Certificate Authority” was used to sign components of the “Flame” malware.

The update revokes a total of 3 intermediate certificate authorities:


  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

It is not clear from the bulletin, who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn’t state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a sever break in the trust chain. The use of a “real” Microsoft certificate is surely going to increase the speculations as to the origin of Flame.

[1] http://technet.microsoft.com/en-us/security/advisory/2718704
[2] http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx


‘Flame’ is a continuation of the cyberwar history

Are we  at (Cyber) War ?

Over the last few years there has been growing event and talk about how the world seems to be plunging into cyber war as governments, hacking groups, terror groups, and hacktivists all seem to be increasing their attacks on networks, users, and data.

This is my short answer, only reflecting  my own opinion aka “the bad news”

Like it or not, but we probably are at war and worst …. this is your war.  whatever your are unwilling, you are a participant and you have an obligation to protect your computer and your data in any way you can, in order to not only avoid risks to yourself, but to reduce the chance of being used to relay attack  against others.


Stuxnet and Duqu were bright examples of cyber weapons which could even physically destroy infrastructure, and Flame is a continuation of this history … cyber war has been ongoing for years already. People are just not aware of it because cyber war is hidden.


Cyber war is evolving rapidly, and ‘Flame‘ vividly confirms this trend,Flame is a universal attacking tool kit used mostly for cyber espionage

  • It can record audio if a microphone is attached to the infected system
  • It can scan for locally visible Bluetooth devices(meaning phone for instance) if there is a Bluetooth adapter attached to the local system
  • It can do screen captures and transmit visual data
  • It can steal information from the input boxes when they are hidden behind asterisks, password fields