Asia's Source for Enterprise Network Knowledge

Friday, April 25th, 2014

Information security threats

Flame spread via fake Microsoft security certificates

Analysis of the massive ‘Flame’ cyber attack code has revealed that rogue Microsoft security certificates were used to make the malware appear as if it was officially signed by Microsoft. Microsoft has issued a security advisory, revoked trust in the rogue certificates, and provided steps to help IT admins and users prevent attacks that rely on the spoofed Microsoft certificates.
 
A post on the Microsoft Security Response Center blog states plainly, “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”

Andrew Storms, director of security operations for nCircle, declares, “The discovery of a bug that’s been used to circumvent Microsoft’s secure code certificate hierarchy is a major breach of trust, and it’s a big deal for every Microsoft user. It also underscores the delicate and problematic nature of the trust models behind every Internet transaction.”
 
The Microsoft blog post explains that a vulnerability in an old cryptography algorithm is exploited by some elements of Flame to make them appear as if they originated from Microsoft. Most systems around the world accept officially-signed Microsoft code as safe by default, so the malware would enter unnoticed.

The weak algorithm is a function of the Terminal Server Licensing Service, which allowed IT admins to authorize Remote Desktop services on Windows-based networks. The algorithm in question was used to generate security certificates with the ability to sign code so that it is accepted as legitimate Microsoft code.

Microsoft is taking steps to deal with this issue. First, it released the security advisory which explains the issue in detail and provides steps IT admins can use to block software signed by the rogue security certificates. Microsoft also released an update, which automatically implements those same steps to make it easier for customers to prevent malware using the spoofed certificates from slipping through.