Flame Update – Used Microsoft Digital Certificate to Replicate

A very interesting update on Flame, the malware targeting Middle Eastern countries, came out today from Alexander Gostev at Kaspersky, and it concerns Microsoft's role as a trusted certificate authority.

Malware is short for malicious software: software that attackers use to disrupt computer operations, collect information, or gain unauthorized access to systems and applications.

Fraudulent or stolen certificates?

Below is an excerpt from Gostev’s blog: (http://threatpost.com/en_us/blogs/snack-attack-analyzing-flames-replication-pattern-060712)

It appears that one of the ways that Flame replicated was by leveraging a digital certificate from Microsoft.

“What we’ve found now is better than any zero-day exploit. It actually looks more like a “god mode” cheat code – valid code signed by a keychain originating from Microsoft,” Gostev wrote in his blog.

It looks like Microsoft is taking this seriously and addressing it in upcoming releases, as discussed in Dark Reading's article, Microsoft Hardens Windows Update After Flame Attacks. Microsoft has acknowledged the problem, revoked the certificates and posted the following:

“Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.” http://technet.microsoft.com/en-us/security/advisory/2718704

How did the digital certificate get signed?

There has been substantial speculation that Flame was created by the US or Israeli governments. If I were a betting man, I’d say that the speculation will now turn to conspiracy theories concerning how the creators of Flame got their hands on this certificate. It is possible that they tricked the certificate authority. Conspiracy theorists will certainly argue that there was active and knowing cooperation by parties at the certificate authority.

Digital certificates and web application security

Secure website communication (HTTPS) relies on the same underlying technology as code signing: X.509 certificates that chain up to a trusted certificate authority. A certificate that should never have been issued, but that chains to a trusted root, can therefore be used to impersonate websites and intercept traffic that users believe is protected. That is exactly the spoofing and man-in-the-middle risk Microsoft's advisory describes, and it is why a weakness in the code-signing side of the PKI is a web application security problem too.
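The two policy questions behind this story, what a subordinate CA chaining to a trusted root is allowed to issue for, and what happens once such a CA is distrusted, can be made concrete with Go's standard-library X.509 validator. The following is an added example written for this page; it is not code from Kaspersky, Microsoft or the author of the post. The CA names, the hostname update.example.test and the SHA-256 fingerprint blocklist are illustrative assumptions; the blocklist stands in for an operating system's "untrusted certificates" store rather than a CRL or OCSP check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parentKey on behalf of parent. A nil parent yields a
// self-signed certificate (the root). All names in this file are made up.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// caTemplate builds a CA template. eku == nil omits the Extended Key Usage
// extension entirely, which validators read as "may issue for any purpose".
func caTemplate(cn string, serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           eku,
	}
}

// Hierarchy is a trusted root, one subordinate CA, and a leaf issued by the
// subordinate that asks for both code signing and TLS server authentication.
type Hierarchy struct{ Root, Sub, Leaf *x509.Certificate }

func BuildHierarchy(subEKU []x509.ExtKeyUsage) Hierarchy {
	root, rootKey := issue(caTemplate("Example Root CA", 1, nil), nil, nil)
	sub, subKey := issue(caTemplate("Example Licensing Sub CA", 2, subEKU), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "update.example.test"},
		DNSNames:     []string{"update.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageServerAuth},
	}, sub, subKey)
	return Hierarchy{root, sub, leaf}
}

// Fingerprint is the SHA-256 of the DER encoding, the identifier an
// "untrusted certificates" blocklist carries (assumed format for this example).
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// Accept builds a chain for the requested purpose (every CA in the chain must
// permit it) and then refuses any chain that contains a distrusted certificate.
func Accept(h Hierarchy, purpose x509.ExtKeyUsage, distrusted map[[32]byte]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{purpose}}
	if purpose == x509.ExtKeyUsageServerAuth {
		opts.DNSName = "update.example.test" // hostname check, as a browser would do
	}
	chains, err := h.Leaf.Verify(opts)
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if distrusted[Fingerprint(c)] {
			return fmt.Errorf("chain passes through distrusted certificate %q", c.Subject.CommonName)
		}
	}
	return nil
}

func main() {
	open := BuildHierarchy(nil) // sub CA with no EKU limits: trust flows down for any purpose
	fmt.Println("open sub CA, TLS server:      ", Accept(open, x509.ExtKeyUsageServerAuth, nil))
	limited := BuildHierarchy([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	fmt.Println("code-signing-only sub CA, TLS:", Accept(limited, x509.ExtKeyUsageServerAuth, nil))
	block := map[[32]byte]bool{Fingerprint(open.Sub): true} // sub CA pushed to the untrusted store
	fmt.Println("distrusted sub CA, code sign: ", Accept(open, x509.ExtKeyUsageCodeSigning, block))
}
```

A subordinate CA whose certificate carries no Extended Key Usage validates for TLS server use as readily as for code signing: trust flows down from the root regardless of what the CA was actually set up to do. Giving the same subordinate an EKU of code signing alone makes the validator reject the TLS chain, and distrusting the subordinate's fingerprint rejects every chain through it, including already-issued code-signing certificates, which is the effect Microsoft's revocation is meant to have.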


About Dan Kuykendall

Dan Kuykendall is the CTO and Co-CEO at NT OBJECTives. Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result of Dan's dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NT OBJECTives from Foundstone, where he was responsible for the portal interface to the company's flagship product, FoundScan. Prior to Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. Dan is a regular blogger on web application security issues on ManVsWebApp.com and co-hosts An Information Security Place Podcast. He has presented on the topics of mobile and application security at many of the top security industry conferences such as ISSA (2011), B-Sides (2012-2013), OWASP AppSecUSA (2012), HouSecCon (2010-2012), ToorCon (2013) and THOTCON (2013). Dan has been involved with the Web Application Security Consortium and is a regular contributor to many open source development projects, including founding the RPM Builder, phpGroupWare and podPress projects.
