Flame's Microsoft mask

With Flame using Microsoft digital certificates to pass itself off as a simple Windows update, the authors of the malware have exploited a critical flaw in the tech giant's certificate infrastructure.

Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.

This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.

What happened? The Flame malware needed a way to silently infect machines in the target environment, without making the mistake of spreading where it shouldn't like Stuxnet did.

Flame-infected computers can be instructed to impersonate a Web Proxy Autodiscovery Protocol (WPAD) server. Windows machines set for automatic proxy detection (the default) will try to contact a server called wpad.(company domain name) to check for instructions for when to use a HTTP proxy.

Flame would tell machines on the network that the infected computer was to be used for proxying requests to Microsoft's Windows Update service. Ordinarily this would not work, as Microsoft signs updates with their special digital certificates to ensure you only receive updates that are tamper proof.

But the Flame authors had discovered a critical flaw in Microsoft's certificate infrastructure. The Microsoft Terminal Server Licensing service is used for license management and authorisation in many enterprise environments. Microsoft had been mistakenly issuing certificates for use on these servers that could be used to digitally sign code.

Flame appears to have used one of these certificates to sign its payload and perform a man-in-the-middle attack to inject it onto additional machines on the same network. It isn't clear whether it was a certificate obtained legitimately from Microsoft or whether weak ciphers were targeted.

Two of the three certificates Microsoft revoked in this update used the MD5 hashing scheme. It has been demonstrated in the past that MD5 is prone to collisions, which may have also aided the Flame authors in successfully making it look like the malware was from Microsoft.

Managing encryption, ciphers and digital signatures is no easy task and a simple mistake like Microsoft accidentally issuing certificates that can be used to sign code using outdated ciphers is enough to put everyone at risk.

The idea of someone with malicious intent impersonating Windows Update has been discussed for years in the security community. It is sort of a nightmare scenario and I suppose it is good news that it was being used in such a limited way.

Few computers were compromised using this malware compared to the impact we would see if traditional opportunistic malware exploited this flaw. Fortunately the average user will now be protected from this attack moving forward.

These certificates can also be used for signing software for Microsoft's Windows Mobile and Windows Phone 7 devices, but no patch is available as of yet.

I think a friend of mine in the local Vancouver security community put it best: "Maybe 'Genuine Microsoft Advantage' should check the *other* side of the transaction?"

Chester Wisniewski is a senior security advisor at Sophos Canada, you can see his profile and his other work here

Related Articles