Flame spread via fake Microsoft security certificates

Analysis of the massive ‘Flame’ cyber attack [4] code has revealed that rogue Microsoft security certificates were used to make the malware appear as if it was officially signed by Microsoft. Microsoft has issued a security advisory [5], revoked trust in the rogue certificates, and provided steps to help IT admins and users prevent attacks that rely on the spoofed Microsoft certificates.
 

A post on the Microsoft Security Response Center blog [6] states plainly, “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”

Andrew Storms, director of security operations for nCircle [7], declares, “The discovery of a bug that’s been used to circumvent Microsoft’s secure code certificate hierarchy is a major breach of trust, and it’s a big deal for every Microsoft user. It also underscores the delicate and problematic nature of the trust models behind every Internet transaction.”
 

The Microsoft blog post explains that a vulnerability in an old cryptography algorithm is exploited by some elements of Flame [8] to make them appear as if they originated from Microsoft. Most systems around the world accept officially-signed Microsoft code as safe by default, so the malware would enter unnoticed.

The weak algorithm is a function of the Terminal Server Licensing Service, which allowed IT admins to authorize Remote Desktop services on Windows-based networks. The algorithm in question was used to generate security certificates with the ability to sign code so that it is accepted as legitimate Microsoft code.

Microsoft is taking steps to deal with this issue. First, it released the security advisory which explains the issue in detail and provides steps IT admins can use to block software signed by the rogue security certificates. Microsoft also released an update, which automatically implements those same steps to make it easier for customers to prevent malware using the spoofed certificates from slipping through.

Microsoft adds that the Terminal Server Licensing Service is no longer capable of issuing certificates that can be used to sign code. With these steps in place, organizations can ensure that any malware that depends on the rogue security certificates will no longer be recognized as being from Microsoft.

Storms provides some further insight about the rogue Microsoft certificate revelation. He points out that the stealthy use of rogue Microsoft security certificates supports the theory that ‘Flame’ is part of a grander state-sponsored espionage effort [9]. “A bug that can identify a piece of malware as legitimate is not something an average malware writer would have been able to sit on for long--it’s worth far too much on the black market.”

Storms adds, “The fact that this bug has been kept secret for at least 18 months, and quite possibly longer, is pretty clear evidence that there is a nation state behind Flame [10].”