Flame authors created bogus Microsoft certificates to infect computers

Microsoft determined that the Flame malware is exploiting a weakness in Windows to create bogus certificates that appear to be issued by the company

As reported by Infosecurity, the large, sophisticated, and targeted Flame malware, disclosed by the Iranian National Computer Emergency Response Team last week, was apparently developed by a nation state and has been stealing confidential information for years.

According to Kaspersky Lab, the malware is able to steal computer display contents, information about targeted systems, stored files, contact data, and audio conversations.

After an analysis of Flame, Microsoft determined that the malware is exploiting a weakness in Windows to create bogus certificates that appear to be issued by Microsoft.

“We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft”, Mike Reavey, senior director of Microsoft Security Response Center, wrote in a blog.

In response to this analysis, Microsoft has outlined steps customers can take to block software signed by the bogus certificates and has released a security update that applies these steps automatically for Microsoft customers. In addition, the company’s Terminal Server Licensing Service has stopped issuing certificates that allow code to be signed.
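The two facts above translate directly into a check an administrator can run: a code-signing chain that rests on an older hash algorithm, or a signer that has been moved into the machine’s Untrusted Certificates store (which is the store Windows uses for certificates an administrator or an update has explicitly distrusted), should be treated as suspect. The following PowerShell script is an added example, not code from the article, from Microsoft, or from any of the researchers quoted; it assumes Windows with PowerShell 5.1 or later, an elevated session, and a placeholder directory in `$Path` that you replace with the location to audit. The set of hash algorithms it flags (`$WeakHashPattern`) is the script’s own choice, not a list taken from the article.

```powershell
# Added example: audit Authenticode-signed files for (a) a signing chain that
# relies on an older hash algorithm and (b) a chain element that is present in
# the machine's Untrusted Certificates store (Cert:\LocalMachine\Disallowed).
# Assumptions: Windows, PowerShell 5.1+, run as administrator; $Path is a
# placeholder directory to audit.

param(
    [string]$Path = 'C:\Program Files'   # placeholder; point this at the directory to audit
)

# Hash algorithms this audit treats as too weak for a code-signing chain
# (our own choice of pattern; -match is case-insensitive in PowerShell).
$WeakHashPattern = '^(md2|md4|md5|sha1)'

# Thumbprints of every certificate the machine already distrusts.
$Disallowed = @{}
Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    ForEach-Object { $Disallowed[$_.Thumbprint] = $true }

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Signer)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups: we only need the chain elements to inspect them,
    # and an unreachable CRL server must not hide a weak-algorithm finding.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Signer)

    $findings = @()
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, md5RSA
        if ($alg -match $WeakHashPattern) {
            $findings += "weak signature algorithm '$alg' on '$($cert.Subject)'"
        }
        if ($Disallowed.ContainsKey($cert.Thumbprint)) {
            $findings += "chain element '$($cert.Subject)' is in the Untrusted store"
        }
    }
    $chain.Reset()
    return $findings
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'NotSigned') { return }   # unsigned files are out of scope here

    $findings = @()
    if ($sig.Status -ne 'Valid') {
        # NotTrusted is what you see once a signer has been moved to Disallowed.
        $findings += "signature status $($sig.Status)"
    }
    if ($sig.SignerCertificate) {
        $findings += Test-SignerChain -Signer $sig.SignerCertificate
    }
    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            File     = $_.FullName
            Signer   = $sig.SignerCertificate.Subject
            Findings = ($findings -join '; ')
        }
    }
} | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt against a directory you care about; a file whose chain is flagged for a weak algorithm but still reports `Valid` is worth a second look, because Windows will keep trusting such a signature until the relevant certificate is actually placed in the Untrusted store, which is the effect of the steps Microsoft describes.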

“These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft. We continue to investigate this issue and will take any appropriate actions to help protect customers”, Reavey explained.

Commenting on the Microsoft announcement, Andrew Storms, director of security operations at nCircle, observed that the discovery of the Windows flaw used to create bogus certificates is a “major breach of trust...[and] underscores the delicate and problematic nature of the trust models behind every Internet transaction.”
