Flame spyware used forged Microsoft certificates

Some parts of the recently discovered Flame malware spread using forged Microsoft certificates, according to the company, which released an emergency patch June 3 to remove three rogue certificates.

Microsoft discovered that an older cryptography algorithm used by its Terminal Server Licensing Service to authorize Remote Desktop services could be exploited to provide “certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” Mike Reavey, senior director of Microsoft Security Response Center, wrote in a blog posting.

The company issued the out-of-band Security Advisory (2718704) to correct the problem.

Related coverage:

Flame’s unique trick: Using Bluetooth to spy on victims

Does US role in Stuxnet raise the risk of domestic cyberattack?

Flame is a large (20M), sophisticated spyware kit that was discovered in late May attacking a relatively small number of Windows computers in the Middle East and Europe, with the largest number of infections in Iran and the Palestinian West Bank.

But despite its targeted nature and the fact that most antivirus programs will find and remove it, Microsoft recommended that all of its customers install the update, noting that, now that it’s been discovered, parts of it could be reused by other attackers.

“[O]ur investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks,” Reavey wrote.

In addition to its security advisory, Microsoft has released an update that automatically corrected the problem, and has stopped its Terminal Server Licensing Service from issuing certificates that allow code to be signed, Reavey wrote.

Flame, also known as Flamer, sKyWIper and the more prosaic Worm.Win32.Flame, is a multifaceted spyware program that has worm and Trojan features and can do everything from snoop through network traffic logs, e-mails and text messages, take screenshots and, in an apparently new technique, tap Bluetooth connections to spy on users.

And despite its size, it has proved to be stealthy, operating for several years before being detected. Some of its code dates to 2007, according to the CrySyS Lab at the Budapest University of Technology and Economics.

One of the fake Microsoft certificates used by Flame was signed in December 2010, nearly 18 month before it was discovered, ThreatPost reported.

Using forged or stolen certificates is a fairly common tactic for malware, because they can fool systems into trusting the malware and then letting it in. Two other notable malware programs, Stuxnet and Duqu, also used fraudulent certificates, ThreatPost noted.

Flame has been linked to both Stuxnet, which disrupted Iran’s nuclear processing in 2010, and the information-gathering Duqu, at least partly because they have had a common target in Iran. But although researcher have found some similarities in their tactics, they have said Flame appears to have been built of a different team of programmers than the one that developed Stuxnet and Duqu.

The New York Times reported June 1 that Stuxnet was created by the United States and Israel as part of a program targeting Iran’s nuclear program, although officials told the paper that Flame was not part of that effort.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected