Microsoft has released a security update for its Windows operating system to block three fraudulent certificates used by Flame, the most powerful cyber weapon discovered to date.
Security researchers at Kaspersky Lab, who discovered Flame during an investigation prompted by the International Telecommunication Union (ITU), said the Microsoft update should be applied immediately.
After initially postulating there may be a zero-day vulnerability in Flame, the researchers have now confirmed that two modules of the malware were designed to spread within a network to fully-patched Windows machines from an infected machine.
"It’s important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities," Kaspersky Lab said in a blog post.
Malicious Windows Update
The researchers found that the “Gadget” and “Munch” modules of Flame implement a man-in-the-middle attack against other computers in a network.
"When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client," the blog post said.
In the process of infecting a client, one of the files used contains a specifically built program called WuSetupV.exe or Worm.Win32.Flame.a, which has been signed by a fake Microsoft certificate, which allows it to run in the victim’s machine without any warnings.
The infected machine sets up a fake server by the name “MSHOME-F3BE293C”, which hosts a script that serves a full body of the Flame malware to victim machines. This is done by the module called “Munch”. When a victim updates itself via Windows Update, the query is intercepted and the fake update is pushed. The fake update proceeds to download the main body and infect the computer.
Microsoft response to Flame
Microsoft said that Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers were not at risk. The software producer also said most antivirus products will detect and remove this malware.
However, Microsoft said the man-in-the-middle techniques used by Flame could also be used by less sophisticated attackers to launch more widespread attacks.
"We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft," said Mike Reavey, senior director, MSRC, Microsoft Trustworthy Computing, in a blog post.
"Specifically, our Terminal Server Licensing Service, which allowed customers to authorise Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft," he said.
Reavey said the security update released at the weekend for all supported releases of Microsoft Windows will automatically block software signed by unauthorised certificates and that the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
"These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft," he said.
Intelligent targeted attacks
According to Mikko Hypponen, F-Secure's chief research officer, having a Microsoft code-signing certificate is the Holy Grail of malware writers.
About 900 million Windows computers get their updates from Microsoft Update, which, in addition to the DNS root servers, has always been considered one of the weak points of the net, he wrote in a blog post.
"Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it," said Hypponen.
However, he said the good news is that it was not done by cybercriminals interested in financial benefit.
"They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency," said Hypponen.