Microsoft Certificate Was Used to Sign "Flame" Malware

Flame Used Microsoft Certificate

Microsoft: Techniques Used By Flame Could Be Used By Less Sophisticated Attackers to Launch Widespread Attacks

On Sunday, Microsoft reached out to customers and notified the public that it had discovered unauthorized digital certificates that “chain up” to a Microsoft sub-certification authority issued under the Microsoft Root Authority.

Interestingly, there is a direct connection between this discovery and the recently discovered “Flame” malware (also known as Flamer and sKyWIper). While many have said the enterprise threat posed by “Flame” is minimal, Microsoft is now warning that some of the techniques used by components of Flame could be leveraged by less sophisticated attackers to conduct more widespread attacks, namely in malware using unauthorized certificates in order to appear to be legitimate software coming from Microsoft.

[Image caption: Microsoft certification authority signing certificates added to the Untrusted Certificate Store]

While these security issues are not Flame-specific, and could be used in other forms of unrelated malware, Microsoft was able to identify components of the Flame malware that had been signed with a certificate that ultimately chained up to the Microsoft Root Authority.

“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center’s Jonathan Ness wrote in a blog post. “We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.”

In response to the discovery, Microsoft released an emergency security advisory on Sunday, detailing steps that organizations should take in order to block software signed by the unauthorized certificates, and also released an update to automatically protect customers.

Related: What Flame Means to the Enterprise

“This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise,” Ness explained. “Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.”

Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed.

The update revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”:

Microsoft Enforced Licensing Intermediate PCA (2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70) - Issued by Microsoft Root Authority

Microsoft Enforced Licensing Intermediate PCA (3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08) - Issued by Microsoft Root Authority

Microsoft Enforced Licensing Registration Authority CA (SHA1) (fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97) - Issued by Microsoft Root Certificate Authority

“These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft,” Ness added.

While most anti-virus software from major vendors will detect and remove Flame, and auto-updates should address these new concerns, Microsoft recommends that administrators and enterprise installations apply the patch, manually if needed. Information on applying the update (KB2718704) can be found here.
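An added example, not from the article or from Microsoft, of how an administrator can confirm that the three revoked intermediates listed above landed in the machine's Untrusted Certificates (Disallowed) store after KB2718704, and check whether a signed binary's Authenticode chain passes through any of them. The thumbprints are the SHA-1 values from the advisory; the function names and the sample file path are assumptions.

```powershell
# Added example (not the article's or Microsoft's code). Normalize the three
# SHA-1 thumbprints from the advisory to the uppercase, space-free form that
# PowerShell's certificate provider uses.
$RevokedThumbprints = @(
    '2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70',
    '3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08',
    'fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97'
) | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

function Test-Kb2718704Applied {
    # Returns $true only when all three revoked intermediates are present in the
    # machine-wide Disallowed store (shown as "Untrusted Certificates" in the MMC).
    $present = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Select-Object -ExpandProperty Thumbprint
    $missing = @($RevokedThumbprints | Where-Object { $present -notcontains $_ })
    foreach ($t in $missing) {
        Write-Warning "Revoked intermediate not in Disallowed store: $t"
    }
    return ($missing.Count -eq 0)
}

function Test-SignedByRevokedIntermediate {
    param([Parameter(Mandatory)][string]$Path)
    # Walks the Authenticode signer's chain and reports whether any element is
    # one of the revoked Terminal Server Licensing intermediates.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $false }   # unsigned file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip online CRL/OCSP lookups so the check also works on an offline host.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)
    foreach ($element in $chain.ChainElements) {
        $thumb = $element.Certificate.Thumbprint.ToUpperInvariant()
        if ($RevokedThumbprints -contains $thumb) {
            Write-Warning "$Path chains through revoked CA: $($element.Certificate.Subject)"
            return $true
        }
    }
    return $false
}

# Usage (the file path is a placeholder):
# Test-Kb2718704Applied
# Test-SignedByRevokedIntermediate -Path 'C:\path\to\binary.exe'
```

Run from an elevated PowerShell session, since the LocalMachine store is being read; a $false from Test-Kb2718704Applied means the update has not taken effect on that host.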

Microsoft did not say what algorithm was exploited in order to generate the rogue certificates, though SecurityWeek did reach out to Microsoft for comment and we will update the story if a response is received.
