Flame virus spread through rogue Microsoft security certificates

The new Flame malware that has infected computers in Iran and the Middle East is named after one of the main modules it uses to spread. Securelist

The new Flame malware that has infected computers in Iran and the Middle East is named after one of the main modules it uses to spread.
The new Flame malware that has infected computers in Iran and the Middle East is named after one of the main modules it uses to spread.
Securelist
(CNET) Microsoft revealed Sunday that the infamous Flame virus gained a foothold by spoofing one of its own security certificates.

Flame: A glimpse into the future of war
Behind the "Flame" malware spying on Mideast computers (FAQ)

Specifically, the virus tapped into rogue certificates for Microsoft's Terminal Server that appeared to be signed by the company and were therefore seen as legitimate. In response, Microsoft has taken several measures, including the release of a Windows patch to fix the security hole in Terminal Server, a feature that allows for remote desktop connections. The company detailed the discovery in a blog posted yesterday.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

To try to protect its users, Microsoft said it took the following three steps: 1) It issued a Security Advisory on how to block software signed by the unauthorized certificates; 2) It released an update to automatically block the certificates; and 3) It disabled the ability of the Terminal Server Licensing Service to issue certificates that allow code to be signed.

Windows users are urged to install the new KB2718704 patch. If you enabled Automatic Updates, the patch should automatically install. If not, you can open Windows Update on your PC and manually install it.

Massive targeted cyber-attack in Middle East uncovered
Flame malware: So big, so overlooked

Flame has aroused great concern among many security experts over its level of sophistication and focus.

Researchers at Kaspersky Lab, who discovered the worm, reported that it can steal data, listen in on audio conversations, and take shots of screen activity.

Affecting Iran and some Middle Eastern countries, Flame is seen by some as a new level of cyberwarfare and is believed to have been developed by a nation state, though other researchers have cautioned against overreacting to the threat.

Since the virus is highly targeted and can be caught by most antivirus programs, the "vast majority of customers are not at risk," according to Microsoft. "That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," the company added.

This article first appeared at CNET.

  • Lance Whitney On Twitter» On Facebook»

    Journalist, software trainer, and Web developer Lance Whitney writes columns and reviews for CNET, Computer Shopper, Microsoft TechNet, and other technology sites. His first book, "Windows 8 Five Minutes at a Time," was published by Wiley & Sons in November 2012.

Comments

CBSN Live

pop-out
Live Video

Watch CBSN Live

Watch CBS News anytime, anywhere with the new 24/7 digital news network. Stream CBSN live or on demand for FREE on your TV, computer, tablet, or smartphone.