Analyzing the MD5 collision in Flame

One of the more interesting aspects of the Flame malware was the MD5 collision attack that was used to infect new machines through Windows Update. MD5 collisions are not new, but this is the first attack discovered in the wild and deserves a more in-depth look. Trail of Bits is uniquely qualified to perform this analysis, because our co-founder Alex Sotirov was one of the members in the academic collaboration that first demonstrated the practicality of this class of attacks in 2008. Our preliminary findings were presented on June 9th at the SummerCon conference in New York and are available online or as a PDF download.

Comments

  1. Great slides! Although hard to understand

  2. Presumably Microsoft should be able to look up the serial number and validity in their logs of Terminal Services LS certificates issued, to find out where the request came from.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 3,587 other followers

%d bloggers like this: