Flame's use of spoofed Microsoft security certificates will likely be mimicked by sophisticated malware writers to craft widespread attacks, experts say.

Mathew J. Schwartz, Contributor

June 5, 2012

6 Min Read

The latest revelation into the Flame malware's capabilities is a stunner: The malicious code can trick PCs into accepting fake code via Windows Update. As a result, the malware can make itself circulate automatically, and--before it was spotted last week--would have infected almost any system it encountered, without being detected.

"Because fully patched Windows 7 machines were being infected over the network in a very suspicious manner," researchers suspected that Flame included the ability to exploit one or more unknown--or zero-day--vulnerabilities, said Alex Gostev, the chief malware researcher at Kaspersky Lab, Monday in a blog post.

Microsoft identified the culprit Sunday when it released a security bulletin warning that "unauthorized digital certificates could allow spoofing." Its related Windows update revokes trust for three fraudulent certificate authority (CA) certificates: two Microsoft Enforced Licensing Intermediate PCA certificates, as well as the Microsoft Enforced Licensing Registration Authority CA.

The revelation that Flame included the ability to pass off fake Windows updates is yet more evidence of that Flame, in Gostev's words, "is one of the most interesting and complex malicious programs we have ever seen." Indeed, the certificate flaw gave Flame's creators a way to attack all versions of Windows. Microsoft has released patches for all supported versions, including Windows XP SP3, Vista SP2, Server 2008, as well as Windows 7 and Windows Phone versions 7 and 7.5.

[ How many unseen attacks are nation-sponsored? Read more at Flame's Big Question: What Else Is Lurking? ]

What are the information security implications of the Microsoft certificate-signing flaw, including mitigation strategies? Here are seven related facts:

1. Microsoft Urges Immediate Updating
Sunday, Microsoft released an update--available via Windows Update as well as automatic updating--to revoke the trust placed in the three certificates. While Flame has only infected an estimated 1,000 PCs, security experts recommend all Windows users install these updates immediately, as it's likely that more malware writers will try to take advantage of the flaw. "Most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," according to a blog post from Jonathan Ness, who's part of Microsoft's security research and defense team.

2. Flame Modules Implemented Windows Certificate Attack
Early teardowns of the Flame malware found about 20 add-on modules, with such names as Beetlejuice, Euphoria, and Suicide, which the malware's creators used to give Flame extra capabilities. Since then, researchers have been trying to determine what all of the modules do, and have only just discovered that the "Gadget" and "Munch" modules in particular gave the malware the ability to exploit the Windows certificate flaw, via a "man-in-the-middle attack against other computers in a network," said Gostev at Kaspersky Lab. "When a machine tries to connect to Microsoft's Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client." But on the mitigation side, "to get infected, the machines do need however to have their System Proxy settings configured to 'auto,'" he said.

3. Attackers Obtained Malware Holy Grail
Malware attacks work--when they succeed--by allowing an attacker to run arbitrary code on a PC. Perhaps the easiest way to do that would be to have Windows automatically accept the attack code, and that's what Flame's creators were able to do. "Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," said Mikko Hypponen, chief research officer at F-Secure, in a blog post. "I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."

4. Microsoft Certificate Vulnerability Used After Infection
Although the Microsoft signing flaw was exploited by the malware, it was apparently used only after it had infected a computer to help attackers then route the malware to other designated PCs. "The Flame malware needed a way to silently infect machines in the target environment, without making the mistake of spreading where it shouldn't, like Stuxnet did," said Graham Cluley, senior technology consultant at Sophos, in a blog post. Multiple security researchers believe that Flame was created by the U.S. government, which recently admitted that it built Stuxnet.

5. Patched Flaw Must Use Man-In-Middle Attack
More good news is that Flame's certificate spoofing attack only works after a PC has already been compromised. "In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack," said Mike Reavey, the senior director of Microsoft's security and research center, in a Monday blog post. Even so, the related threat remains severe, as any such attack could automatically install malware of an attacker's choice on a targeted PC. Accordingly, Reavey promised that "the next action of our mitigation strategy is to further harden Windows Update," and said further details would be released shortly.

6. Expect More Flame Zero Days Warn Researchers
Flame is likely to exploit more previously unspotted flaws. While the Windows certificate flaws can only be exploited by the malware for man-in-the-middle attacks, "it's important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities," said Gostev at Kaspersky Lab. "The 'Gadget' module is simply used to spread within a network from a machine that is already infected with the malware." In other words, there may very well be other zero-day exploits built into the core Flame application or its modules. Stuxnet exploited four zero-day vulnerabilities.

7. Flame Most Infected Iran
Like Stuxnet, Flame appears to have been designed to target Iran, at least principally. According to Kaspersky Lab and OpenDNS, which together sinkholed 30 of Flame's command-and-control servers, the related domains date from 2008. While 80 such domains have been counted, 24 appeared to be used for the latest attacks. "Flame's command-and-control [infrastructure] is huge, unlike anything we've seen before," said Roel Schouwenberg, a senior antivirus researcher for Kaspersky Lab, in a press conference. Based on the sinkhole they created, the researchers saw 45 infected machines in Iran, 21 in Lebanon, and 14 in Sudan, followed by single-digit infections elsewhere, including eight U.S. machines.

As noted by Stephen Cobb, security evangelist at ESET, "It is unlikely that you are the target of Flamer unless you are an official in a Middle Eastern government or working on weapons research for such a government."

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights