Rogue certificates from Microsoft helped fan the Flame

News by Dan Raywood

A key success of the Flame malware was due to it containing signed Microsoft certificates.

McAfee research said that the certificate used to sign this file was originally issued by a Terminal Server Licensing Intermediate Certificate Authority (CA), meaning that the certificate was supposed to be used only to authenticate users connecting to the Terminal Server, but due to a mistake in the CA configuration, it could be used to sign code, too.

According to Mike Reavey, senior director of MSRC at Microsoft Trustworthy Computing, its analysis shows that some components of Flame were signed by certificates that allow software to appear as if it was produced by Microsoft.

“We identified that an older cryptography algorithm could be exploited and then used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorise Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” he said.

Microsoft released an advisory with steps users can take to block software signed by these unauthorised certificates, and an update that automatically does this.

This emergency patch blacklists the three intermediate certificate authorities tied to Microsoft's root authority, while Microsoft engineers have also stopped issuing certificates that can be used for code signing with the Terminal Services activation and licensing process.
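The configuration flaw McAfee and Reavey describe above, and the blocklisting step in Microsoft's advisory, as an added example that is not from the article or from Microsoft: a small constructed PKI whose licensing intermediate either carries no purpose restriction (so a code-signing leaf beneath it validates) or is restricted to client authentication, with a chain check that also rejects any intermediate whose fingerprint has been blocklisted. It assumes the intended purpose is expressed through the X.509 Extended Key Usage extension and uses the Python `cryptography` library; all names and keys are constructed.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, key, issuer_name, signer_key, is_ca, ekus):
    """Constructed demo certificate; ekus=None means no EKU extension at all."""
    start = datetime.datetime(2012, 6, 1)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(start)
         .not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ekus is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(signer_key, hashes.SHA256())

def permits(cert, purpose, is_leaf):
    """Leaf must list the purpose; a CA with no EKU is treated as unconstrained."""
    try:
        return purpose in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return not is_leaf

def check_code_signing_chain(leaf, intermediate, root, blocked):
    """Return 'ok' or the first failure: signature link, blocklist, then purpose."""
    chain = [leaf, intermediate, root]
    for child, parent in zip(chain, chain[1:]):  # raises InvalidSignature if broken
        parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   ec.ECDSA(child.signature_hash_algorithm))
    if any(ca.fingerprint(hashes.SHA256()) in blocked for ca in (intermediate, root)):
        return "blocked CA in path"  # the advisory's untrusted-certificate step
    for cert in chain:
        if not permits(cert, EKU.CODE_SIGNING, cert is leaf):
            return "code signing not permitted by " + cert.subject.rfc4514_string()
    return "ok"

def demo(constrain_intermediate, revoke_intermediate):
    """Licensing-style intermediate: CLIENT_AUTH only when constrained, else no EKU."""
    root_key, ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root")])
    root = make_cert("Demo Root", root_key, root_name, root_key, True, None)
    ca = make_cert("Demo Licensing CA", ca_key, root.subject, root_key, True,
                   [EKU.CLIENT_AUTH] if constrain_intermediate else None)
    leaf = make_cert("Demo Publisher", leaf_key, ca.subject, ca_key, False, [EKU.CODE_SIGNING])
    blocked = {ca.fingerprint(hashes.SHA256())} if revoke_intermediate else set()
    return check_code_signing_chain(leaf, ca, root, blocked)
```

`demo(False, False)` reproduces the mistake (an unrestricted intermediate lets the code-signing leaf validate), while `demo(True, False)` and `demo(False, True)` show the two fixes: restricting the intermediate's purpose and blocklisting it.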

“Microsoft's revocation of this intermediate CA does not affect the trustworthiness of any other certificate issued by Microsoft itself. Only certificates issued to users of Terminal Server would need to have their certificates reissued by their system admins,” said McAfee.

Andrew Storms, director of security operations for nCircle, said: “Microsoft took a rare step and issued a security advisory on a weekend, underscoring the importance and severity of this problem.

“The discovery of a bug that's been used to circumvent Microsoft's secure code certificate hierarchy is a major breach of trust, and it's a big deal for every Microsoft user. It also underscores the delicate and problematic nature of the trust models behind every internet transaction. If we needed any additional confirmation, this bug makes it clear that warfare is now far less about guns and bombs and more about keystrokes.”

According to F-Secure, about 900 million Windows computers get their updates from Microsoft and this has always been considered one of the weakest points of the net as anti-virus vendors "have nightmares about a variant of malware spoofing the update mechanism and replicating via it".

It said that Flame contains a module which appears to attempt a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system and, if successful, the attack drops a file called WUSETUPV.EXE onto the target.

The SANS Institute said that the update is not clear on who had access to the intermediate certificates and if they were abused by an authorised user, or compromised and used by an unauthorised user.

In a blog post, Johannes B. Ullrich at SANS Institute said: “The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft certificates are used to sign patches, and a compromise could lead to a severe break in the trust chain. The use of a 'real' Microsoft certificate is surely going to increase the speculations as to the origin of Flame.”

David Harley, senior research fellow at ESET, said: “I'd say that at this time the certificate-signing issue is the most significant: while revoking the known fake certificates mitigates the immediate problem, fixing the cert spoofing mechanism should be a pretty urgent priority, now that the genie is out of the bottle.

“The other techniques Flame uses are less of a concern, given that it uses a lot of stuff that's already been mitigated and as anti-virus detection coverage is pretty complete now, as far as we know. But those last five words have a special resonance as far as Flame is concerned: that element of ‘what are we missing?’ is more worrying than ever in the age of the targeted attack.”
