Flame Malware Uses Stolen Microsoft Digital Signature
The Flame super-bug discovered last week seems to have another weapon in its already impressive arsenal: It uses a stolen Microsoft digital signature to pass itself off as a Windows update.
"This is huge," tweeted malware expert Mikko Hypponen today (June 4) soon after the news broke. "Using Windows Update itself as an infection vector has always been something we've been scared about."
Every Windows PC in the world is set to accept software "signed" with Microsoft's digital certificates of authenticity, strings of numbers which plug into mathematical formulas to verify that software does indeed come from the proper source.
Microsoft issued an emergency update to all Windows personal computers and servers yesterday (June 3) that revoked the stolen digital certificate.
A Microsoft credential is the ultimate malware weapon. It's like having a signed letter from the president of the United States authorizing you to do anything.
Any piece of code bearing a Microsoft credential would slip right by anti-virus software, which might explain why Flame was "in the wild" for at least two years, and possibly five, before being detected.
How the certificate was stolen
In a posting on the Microsoft Security Research and Defense blog, engineer Jonathan Ness explained that the creators of Flame found a flaw in the way Microsoft issued its digital certificates.
Microsoft servers have a feature called Remote Desktop Services or Terminal Services, which allows "dumb" workstation computers to run their applications on a centralized server instead of locally.
Microsoft issues each server a license certificate, which tells workstations that the server is indeed running genuine Microsoft server software and is safe to connect to.
"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft," wrote Ness.
In other words, digital certificates that were only meant to be used locally, within organizations, could be repurposed to show Microsoft verification across the entire Internet.
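The defensive lesson of the passage above, and of the revocation update mentioned earlier, is that a code-signature verifier has to check the whole chain: the purposes (Extended Key Usage, EKU) a CA certificate permits constrain everything issued beneath it, and a revoked certificate anywhere on the path must fail the check. The following is an added example written for this article, not Microsoft's verifier and not code from Flame. It models certificates as subject, issuer and EKU set, builds two constructed chains (a licensing chain whose intermediate CA permits only license-server verification, and a normal code-signing chain), and contrasts a check that looks only at the signing certificate with one that walks the chain. The chain contents, subject names and the symbolic purpose names are assumptions; the page does not state the exact extensions on the real Terminal Services licensing certificates.

```python
"""Simplified model of the checks a code-signature verifier must make along a
certificate chain.  Constructed example: the certificates, subject names and
symbolic purpose names are made up for illustration."""

from dataclasses import dataclass
from typing import FrozenSet, Sequence, Tuple

# Purpose identifiers.  Only CODE_SIGNING is a real OID (id-kp-codeSigning);
# the other two are symbolic names used by this model, not real OIDs.
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
LICENSE_SERVER_VERIFICATION = "licenseServerVerification"  # symbolic placeholder
ANY_PURPOSE = "anyExtendedKeyUsage"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # An empty set models a certificate with no EKU extension at all, which
    # X.509 treats as "usable for any purpose".
    ekus: FrozenSet[str] = frozenset()


def permits(cert: Cert, purpose: str) -> bool:
    """True if this one certificate may be used for `purpose`."""
    return not cert.ekus or ANY_PURPOSE in cert.ekus or purpose in cert.ekus


def leaf_only_check(chain: Sequence[Cert], purpose: str,
                    revoked: FrozenSet[str]) -> bool:
    """The insufficient check: inspect only the signing (leaf) certificate.

    It never asks whether the CA that issued the leaf was itself allowed to
    hand out certificates for this purpose, nor whether that CA is revoked."""
    leaf = chain[0]
    return permits(leaf, purpose) and leaf.subject not in revoked


def full_chain_check(chain: Sequence[Cert], purpose: str, revoked: FrozenSet[str],
                     trust_anchors: FrozenSet[str]) -> Tuple[bool, str]:
    """Validate a leaf-first chain for `purpose`.

    Applies the EKU-nesting rule Windows CryptoAPI uses: an EKU list on a CA
    certificate constrains every certificate beneath it, so the purpose must
    be permitted at every level, and no certificate on the path may be revoked."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject!r} was not issued by {parent.subject!r}"
    if chain[-1].subject not in trust_anchors:
        return False, f"root {chain[-1].subject!r} is not a trust anchor"
    for cert in chain:
        if cert.subject in revoked:
            return False, f"{cert.subject!r} is revoked"
        if not permits(cert, purpose):
            return False, f"{cert.subject!r} does not permit {purpose!r}"
    return True, "ok"


# Constructed chains (hypothetical names; not Microsoft's real hierarchy).
ROOT = Cert("Example Root CA", "Example Root CA")
LICENSING_CA = Cert("Example Licensing CA", ROOT.subject,
                    frozenset({LICENSE_SERVER_VERIFICATION}))
LICENSE_CERT = Cert("Example License Server", LICENSING_CA.subject)  # no EKU extension
LICENSING_CHAIN = (LICENSE_CERT, LICENSING_CA, ROOT)

SIGNING_CA = Cert("Example Code Signing CA", ROOT.subject, frozenset({CODE_SIGNING}))
SIGNER = Cert("Example Publisher", SIGNING_CA.subject, frozenset({CODE_SIGNING}))
SIGNING_CHAIN = (SIGNER, SIGNING_CA, ROOT)

TRUST_ANCHORS = frozenset({ROOT.subject})


def demo(revoked: FrozenSet[str] = frozenset()) -> dict:
    """Run both checks over both chains for code signing; returns the results."""
    return {
        "licensing_leaf_only": leaf_only_check(LICENSING_CHAIN, CODE_SIGNING, revoked),
        "licensing_full": full_chain_check(LICENSING_CHAIN, CODE_SIGNING, revoked, TRUST_ANCHORS),
        "signing_leaf_only": leaf_only_check(SIGNING_CHAIN, CODE_SIGNING, revoked),
        "signing_full": full_chain_check(SIGNING_CHAIN, CODE_SIGNING, revoked, TRUST_ANCHORS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    # After the licensing intermediate is revoked (what a revocation update does),
    # the leaf-only check is still fooled; the full chain check rejects the chain.
    for name, result in demo(frozenset({LICENSING_CA.subject})).items():
        print(name, result)
```

With no revocations, the leaf-only check accepts the licensing chain for code signing because the leaf carries no EKU restriction, while the full check rejects it at the intermediate CA. Revoking the intermediate, as the emergency update did for the real certificates, only helps a verifier that actually examines every certificate on the path.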
U.S. origin ruled out?
This latest development may have some bearing on the guessing game for who created Flame.
"Everybody was assuming US Government was behind Flame," tweeted Hypponen today. "But I don't think they would have used stolen or forged certificates from Microsoft."
Stuxnet, the worm that sabotaged an Iranian nuclear facility in 2010, used certificates stolen from Taiwanese firms in order to slip past computer defenses.
On Friday, a New York Times story offered strong evidence that the U.S. government and Israel created Stuxnet, and the White House did little to refute the allegations. But Hypponen may be right that the U.S. wouldn't steal certificates from a powerful and important American company.
Ironically, even as the news of the stolen Microsoft certificate in Flame was breaking today, digital-privacy gadfly Christopher Soghoian had some news of his own.
"I've filed a formal request with Microsoft to kick the US Gov[ernment] out of trusted cert[ificate] authority program," Soghoian tweeted, "due to use of stolen certs in Stuxnet."
Pulling the plug, and more questions
Soon after the news of Flame's discovery hit the Internet last week, its network of command-and-control servers went offline, according to analysis posted today by Moscow-based Kaspersky Lab.
Kaspersky and the Hungarian CrySys Lab simultaneously released their initial reports on Flame at 9 a.m. Eastern Daylight Time on Monday, May 28.
Three hours later, Flame's command-and-control network, which the malware's creators used to control and update the individual Flame installations on PCs all over the Middle East, ceased to operate.
That command-and-control network had been up for years, Kaspersky found. Some of the domains used to control Flame had been registered as early as 2008, and all the domains had been registered under fake names, with listed addresses, mostly in Europe, actually belonging to hotels, shops and doctor's offices.
Domain-name registration began on March 2, 2008, with more domain names added in batches of one or two sporadically for the next two and a half years. In October 2010, there was a burst of activity as 10 more domains were added over the space of 10 days. On April 10, 2011, 20 domains were registered at once.
In total, there were about 80 different domain names used to control Flame, and more than 20 unique Internet Protocol addresses.
The Internet domain-name registrar GoDaddy and the domain-name resolution service OpenDNS worked with Kaspersky to "sinkhole" much of Flame's network, redirecting Web traffic intended for the command-and-control servers to Kaspersky's own servers.
Kaspersky also confirmed that Flame does not infect machines running the 64-bit edition of Windows 7. That's a relief for millions of people running Microsoft's latest software, though it doesn't protect those running the 32-bit edition, or any version of Windows Vista or Windows XP.
Yet very few of those users need to worry. Flame targeted very specific people in very specific places. If you're not someone working on weapons design or industrial processes in the Middle East, you're not on the target list.
Most major anti-virus software vendors have incorporated Flame into their current libraries of malware definitions, so the number of infected machines, never large, is rapidly shrinking.
However, all Windows users should run Microsoft's latest update revoking the stolen digital certificate, because there's a possibility other malware writers may try to use it.