Fake Certificates Spread Flame

Tuesday, June 5, 2012 @ 01:06 PM gHale

Analysis of the Flame code showed it was signed with rogue Microsoft security certificates, making it appear as if Microsoft had officially signed it.

As a result, Microsoft issued a security advisory, revoked trust in the rogue certificates, and provided steps to help IT administrators and users prevent attacks.


“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” said a post on the Microsoft Security Response Center blog.

Flame slipped under network defenses by appearing as legitimate Microsoft code.

“The discovery of a bug that’s been used to circumvent Microsoft’s secure code certificate hierarchy is a major breach of trust, and it’s a big deal for every Microsoft user,” said Andrew Storms, director of security operations for nCircle. “It also underscores the delicate and problematic nature of the trust models behind every Internet transaction.”

The Microsoft blog post explains that some elements of Flame exploit a vulnerability in an old cryptography algorithm to make them appear as if they originated from Microsoft. Most systems around the world accept officially signed Microsoft code as safe by default, so the malware could enter unnoticed.

The weak algorithm was used by the Terminal Server Licensing Service, which allowed IT administrators to authorize Remote Desktop services on Windows-based networks. The service generated security certificates that were able to sign code, so code signed with them ended up accepted as legitimate Microsoft code.

Microsoft is taking steps to deal with this issue. First, it released the security advisory which explains the issue in detail and provides steps IT administrators can use to block software signed by the rogue security certificates. Microsoft also released an update, which automatically implements those same steps to make it easier for customers to prevent malware using the spoofed certificates from slipping through.

Microsoft added that the Terminal Server Licensing Service is no longer capable of issuing certificates that can sign code. With these steps in place, organizations can rest assured that any malware depending on the rogue security certificates will no longer gain acceptance.
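The advisory's mitigation works by placing the rogue certificates in the machine's Untrusted Certificates store, so an administrator who wants to confirm the mitigation is effective needs to look at the whole signing chain of a binary, not just the leaf signer. The script below is an added example written for this page, not code from the article or from Microsoft: it takes a file path, validates its Authenticode signature, walks the certificate chain, and reports any certificate that is in the local Disallowed store, that appears in an administrator-supplied distrust list, or that carries an MD5-based signature (the "old cryptography algorithm" the article refers to was MD5). The `$Path` parameter, the `Test-SignedBinaryTrust` function name and the placeholder thumbprint are assumptions; the advisory's real thumbprints are not reproduced here.

```powershell
# Added example, not from the article or from Microsoft: audit a signed binary's
# certificate chain against the local Untrusted Certificates store and flag
# weak (MD5) signature algorithms. Function name and parameters are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Thumbprints an administrator has decided to distrust in addition to the store.
# Placeholder value only: the advisory's actual thumbprints are not reproduced here.
$ManuallyDistrusted = @(
    'PLACEHOLDER_THUMBPRINT_1'
)

function Test-SignedBinaryTrust {
    param(
        [string]$FilePath,
        [string[]]$ExtraDistrusted = @()
    )

    $findings = @()
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Status covers tampering, untrusted roots and already-revoked signers.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status) ($($sig.StatusMessage))"
    }
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path     = $FilePath
            Signer   = $null
            Trusted  = $false
            Findings = $findings + 'No signer certificate present'
        }
    }

    # Thumbprints already in the Disallowed store (where the mitigation puts the
    # rogue certificates) plus anything supplied locally.
    $disallowed = @(Get-ChildItem Cert:\LocalMachine\Disallowed |
        Select-Object -ExpandProperty Thumbprint) + $ExtraDistrusted

    # Build the full chain: the rogue certificates sat above the leaf signer,
    # so inspecting only SignerCertificate would miss them.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void]$chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($disallowed -contains $c.Thumbprint) {
            $findings += "Distrusted certificate in chain: $($c.Subject) [$($c.Thumbprint)]"
        }
        # An MD5-signed certificate anywhere in the chain is a forgery risk.
        if ($c.SignatureAlgorithm.FriendlyName -match 'md5') {
            $findings += "Weak signature algorithm on $($c.Subject): $($c.SignatureAlgorithm.FriendlyName)"
        }
        foreach ($status in $element.ChainElementStatus) {
            if ($status.Status -ne 'NoError') {
                $findings += "Chain status on $($c.Subject): $($status.Status)"
            }
        }
    }

    [pscustomobject]@{
        Path     = $FilePath
        Signer   = $sig.SignerCertificate.Subject
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-SignedBinaryTrust -FilePath $Path -ExtraDistrusted $ManuallyDistrusted | Format-List
```

Run it as `.\Test-SignedBinaryTrust.ps1 -Path C:\path\to\binary.exe` from an elevated prompt. A `Trusted` value of `$false` with a "Distrusted certificate in chain" finding confirms the Untrusted store is doing its job for that file; a clean chain whose only finding is an MD5 algorithm is worth investigating even if the signature status is `Valid`, because chain validation alone does not reject MD5-signed intermediates.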
