Flame malware spoofs Windows update, prompts Microsoft to issue patch
Users of computers running Microsoft's Windows operating system, patch your machines.
The advice came from Microsoft and several security vendors, which said a certificate flaw in Windows could allow the dreaded Flame malware to spread.
Microsoft's Security Advisory 2718704 said the attack uses unauthorized digital certificates derived from a Microsoft Certificate Authority.
"An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows," Microsoft said.
It said its latest update revokes the trust of the following intermediate CA certificates:
- Microsoft Enforced Licensing Intermediate PCA (two certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
A separate article on tech site CNET said Flame can infect secure PCs by tricking them into believing its payload is an update from Microsoft for the Windows OS.
"As such, Windows PCs could receive an update that claims to be from Microsoft but is in fact a launcher for the malware," it said.
It said Flame uses a certificate that chains to the Microsoft Root Authority and improperly allows code signing.
With this, the prospective victim PC downloads and executes the binary file, believing it to be a legitimate Windows Update file.
The Flame malware is a new sophisticated malicious program that Kaspersky Lab earlier said may be actively used as a cyber-weapon against entities in several countries.
Kaspersky said "Flame" has capabilities that it said exceed those of all other cyber menaces known to date.
It said "Flame" is designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations.
A separate article by computer security firm Sophos said the patch Microsoft issued was an emergency update for all versions of Windows.
"This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks ... The Flame malware needed a way to silently infect machines in the target environment, without making the mistake of spreading where it shouldn't like Stuxnet did," it said.
Sophos said Flame-infected computers can be instructed to impersonate a Web Proxy Autodiscovery Protocol (WPAD) server.
Windows machines set for automatic proxy detection (the default) will try to contact a server called wpad.(company domain name) to check for instructions for when to use a HTTP proxy.
Flame would tell machines on the network that the infected computer was to be used for proxying requests to Microsoft's Windows Update service.
Ordinarily, it said this would not work, as Microsoft signs updates with their special digital certificates to ensure you only receive updates that are tamper-proof.
"But the Flame authors had discovered a critical flaw in Microsoft's certificate infrastructure. The Microsoft Terminal Server Licensing service is used for license management and authorization in many enterprise environments. Microsoft had been mistakenly issuing certificates for use on these servers that could be used to digitally sign code," it said.
It said Flame appears to have used one of these certificates to sign its payload and perform a man-in-the-middle attack to inject it onto additional machines on the same network.
Sophos also noted two of the three certificates Microsoft revoked in this update used the MD5 hashing scheme.
It noted MD5 is prone to collisions, which may have also aided the Flame authors in successfully making it look like the malware was from Microsoft. — TJD, GMA News