Microsoft certificate used to sign Flame malware, issues warning

Summary: Microsoft has issued a security advisory warning and a high-priority update after parts of the Flame malware were signed with Microsoft-issued certificates.

Microsoft has issued an emergency security update after finding that components of the Flame malware were signed with a certificate that "chained up" to the Microsoft Root Authority, and so was trusted by Windows as though it were Microsoft's own.

The software giant said it "immediately began examining the issue".

Flame, described by Kaspersky researchers as the "most complex threat" ever discovered, was found on machines across the Middle East in what is understood to be a state-sponsored attack.

"Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," Mike Reavey, senior director of Microsoft's Security Response Center (MSRC), said in a blog post.

The weakness is not limited to Flame's targets: every currently supported version of Windows trusted the affected certificate chain, which is why the advisory covers all of them. Even so, because of the highly targeted nature of the malware, most Windows users are not at risk from Flame itself; the concern is that the same signing weakness could be reused by others.

In response, Microsoft has issued Security Advisory 2718704, warning that unauthorised digital certificates "could allow spoofing", and has moved the intermediate certificate authorities involved into the Untrusted Certificate Store, so that Windows no longer trusts anything they issued.

However, the advisory does not say who produced the signed Flame components, or whether anyone with legitimate access was involved. What it does point to is a design flaw in the licensing certificate chain rather than a stolen Microsoft signing key.

Microsoft has also released the corresponding update (KB2718704) through Windows Update, and customers are advised to install it immediately.

MSRC's Jonathan Ness explained: "What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft."

Microsoft says it will therefore stop issuing certificates through the Terminal Services activation process that could be used to sign code.
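Two checks an administrator could run after reading the advisory, written here as an added example and not code from the article or from Microsoft. The first looks for the licensing CAs in the Untrusted Certificates store (exposed to PowerShell as Cert:\LocalMachine\Disallowed), which is where the update puts them; the subject substring 'Microsoft Enforced Licensing' is taken from the certificate names in Microsoft's advisory rather than from this article, and can be changed. The second takes a signed file, builds the chain for its Authenticode signer and reports, for every certificate in the chain, whether its Enhanced Key Usage permits code signing and whether it matches the licensing CAs. The sample file path is an assumption.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumptions: the subject substring below matches the intermediate CAs named in
# Microsoft's advisory; the sample file path in the usage section exists.

$LicensingSubjectPattern = 'Microsoft Enforced Licensing'
$CodeSigningEku          = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$EkuExtensionOid         = '2.5.29.37'            # extendedKeyUsage

# Check 1: the update moves the licensing CAs into the Untrusted Certificates
# store. If nothing matching is there, this machine still trusts that chain.
function Test-LicensingCaDistrusted {
    param([string]$SubjectPattern = $LicensingSubjectPattern)

    $found = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
               Where-Object { $_.Subject -like "*$SubjectPattern*" })
    [pscustomobject]@{
        Distrusted   = ($found.Count -gt 0)
        Certificates = $found | Select-Object Subject, Thumbprint, NotAfter
    }
}

# Check 2: build the chain for a file's Authenticode signer and inspect every
# link, not just the leaf. A chain is only as narrow as its most permissive CA:
# a CA certificate with no EKU extension is valid for every purpose.
function Get-SignerChainReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$SubjectPattern = $LicensingSubjectPattern
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; ChainBuilt = $false; Elements = @(); Suspicious = $false }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline for the example; use Online (and read ChainStatus) in production.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($sig.SignerCertificate)

    $elements = foreach ($el in $chain.ChainElements) {
        $cert   = $el.Certificate
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
        $ekus   = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        [pscustomobject]@{
            Subject            = $cert.Subject
            EkuOids            = $ekus
            # No EKU extension means "any purpose"; otherwise code signing must be listed.
            PermitsCodeSigning = (-not $ekuExt) -or ($ekus -contains $CodeSigningEku)
            MatchesLicensingCa = ($cert.Subject -like "*$SubjectPattern*")
            ChainStatus        = (($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        ChainBuilt = $built
        Elements   = $elements
        # Flag a signer that chains through the licensing CAs, or any link in
        # the chain whose EKU does not permit code signing.
        Suspicious = [bool]($elements | Where-Object {
                        $_.MatchesLicensingCa -or -not $_.PermitsCodeSigning })
    }
}

# Usage (the path is an assumption; substitute any signed binary):
Test-LicensingCaDistrusted | Format-List
$report = Get-SignerChainReport -Path "$env:WINDIR\System32\notepad.exe"
$report | Select-Object Path, Status, ChainBuilt, Suspicious | Format-List
$report.Elements | Format-Table Subject, PermitsCodeSigning, MatchesLicensingCa, ChainStatus -AutoSize
```

A file with an embedded Authenticode signature gives the clearest result; many Windows system binaries are signed only through catalog files, and older PowerShell versions report those as NotSigned. The first check tells you whether the update has taken effect on the machine; the second is the kind of per-link inspection that the licensing chain shows to be necessary, since a root of trust says nothing about what the intermediates beneath it were meant to issue.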

Image credit: Robert S. Donovan/Flickr.

Topic: Security

Talkback

40 comments
  • A better headline should have been ...

    Microsoft certificate used to sign Flame malware, issues warning and software update (patch).

    But I can understand. You need to get the page views.
    1773
    • It's all about the clicks..

      You are correct 1773. If they put enough information in the headline no one would need to actually load the ads on the page.

      Patch was released yesterday FYI not today.
      Sqrly
    • Do tell what happens if you're already exploited?

      As per flame. Closing the gate after the horse has bolted. That works well.

      Can you point to anything in this micro-patch that would let you know if you have been exploited? Not much chance apparently, but who knows, you could have been extra-lucky. Here's hoping.
      ego.sum.stig
  • This

    Is why we can't have nice things. And why you shouldn't be running unsupported software.
    The one and only, Cylon Centurion
    • Yes, and....

      this is why we can't trust the US government on either side of the fence.
      Joe_Raby
      • Not the U.S.

        This was targeting U.S. allies and thus Flame is not believed to be a Western attack.
        jgm@...
      • Not true

        This targeted nuclear systems inside Iran with very dedicated code. The problem is, the coders weren't optimizing the network attack, so outside networks were compromised when it got leaked. This is how Kaspersky found out about it. The thing is huge, indicating how inefficient the code is, and therefore how unskilled the actual coders are. Yes, they did this and it infected many systems, but according to Kaspersky's researchers, the code work took years to master. I really doubt it's that complicated when you look at it because it utilizes a 2 year old code vulnerability. You have to figure that most of the networked systems that Iran has are probably not using licensed, up-to-date software anyway because they don't have a legal channel to get anything like that anyway. It's probably just easier for them to go onto a pirate software website and grab it that way. Even Linux copies are on the blacklist due to the US embargo. Do you really think war-torn countries care about paying full dollar for legitimate software? Seriously?

        Also, it's pretty clear that this targets countries that house Arab, Muslim, or Palestinian citizens since they have been considered or admitted to be an enemy of the US's friend, Israel.
        Joe_Raby
  • Booted up my machine today

    and Automatic Updates showed the patch instantly.

    It's only 91KB on Windows 7.
    Joe_Raby
    • Is that the Flame malware popup or the real MS auto update warning?

      @Joe_Raby
      So how does one know if the pop-up update warning is really from Microsoft?
      What if the balloon pop-up is already the Flame malware?
      Martmarty
  • Exactly how did the malware authors get that certificate?

    It must have been taken from somebody who possessed it inside Microsoft. Question is - was it taken with the cooperation of the management, or is there a US government (or Israeli) mole inside Microsoft with the access? (my guess is the former)

    Perhaps the message to the world is - use Microsoft software and the US government Pwns you. And maybe Mossad Pwns you too.
    marc van hoff
    • If you would have spent a little time reading the actual ...

      linked advisories, you would have known the answers to all of your questions. The certificate was never stolen. The encryption algorithm was broken and then the certificate was spoofed.

      BTW it requires only 200 PS3s to crack an MD5 hash algorithm.
      1773
      • And this is "trusted computing"?

        And it wasn't only MD5. There's not much being said by Microsoft. The potential for malware signing was/is indeed interesting and possibly even vast.

        One does wonder if it was possible and about the potential of there being a parallel signing authority chain in existence.

        Note the obligatory negative downvotes, even when there are others who have said the same thing. Oh, the wonder that is zdnet!
        ego.sum.stig
      • I read what MSRC is claiming

        How do we know they're telling the truth? What "older cryptography algorithm" is in use? Has any independent group verified this?

        Could they be lying to deflect the blame for having the cert stolen, or providing it to the government?

        I'm not saying they are lying. But if they were, how would we know?
        marc van hoff
  • Can we trust the digital certificate system?

    Given this is the second time a digital certificate from a legitimate source was used to sign code how can we trust any digital certificate?
    ye
    • Answer is

      No, certainly not when everyone and their dog is trying to manipulate the systems to their advantage.
      Knowles2
  • From how I read this

    The certificate was supposed to be a server certificate, one which you would need in order to set up a terminal server using Microsoft Terminal Services. And every server that can set up terminal services has one, so no-one was given it by Microsoft to do this with; they just used the one off of their server.
    The problem is that Windows (until patched) will take this server certificate and if there is code signed with it accept it as if it were Microsoft code and run it without question.
    So the problem is the percentage of windows users who don't apply patches will run malware signed by any terminal server certificate without question.
    So this one type of cert is now blocked (if you apply the patch), but what other ones are not yet?
    sysop-dr
  • Relax, OS X and Linux users are not affected

    Only Windoze users are affected by this virus. 0 viruses exist for Mac and Linux :)
    shellcodes_coder
    • Them internets

      don't leik my macintosch! Thye don't mess with mye apple with virus!

      Geez get a clue. You know about Flashback right?
      EVHGameOvR
    • You're right

      Linux doesn't even have the capability to require signed code in the first place. Everything will just run on Linux, bad or good. Loading drivers with no way to verify their authenticity.

      But at least, if there is no security, it cannot be broken.

      So true.
      honeymonster
      • Apparently IBM disagrees with you

        Look it up, IBM manages to get a signed code regime working for Linux.

        Honestly, you could do better. You should do better. I've seen cheese more knowledgeable than you wrt Linux.
        ego.sum.stig