W32.Flamer Used Spoofed Microsoft Digital Certificates

Monday, June 04, 2012

Analysis of the "Flame" virus, also referred to as "Skywiper" and "W32.Flamer", indicates that the malware was accompanied by spoofed Microsoft digital certificates.

The presence of the fraudulent certificates was a factor in the spread of the malicious code and may have hampered efforts to discover the infection.

The virus is being widely compared to the infamous Stuxnet and Duqu infections, and has been detected in high concentrations in Iran, and to a lesser extent in Israel, Palestine, Sudan, Syria, and several other nations.

Microsoft has revoked the certificates and released a security advisory (Security Advisory 2718704), which states:

"Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. Microsoft is providing an update for all supported releases of Microsoft Windows."

Microsoft's action revokes trust in the following certificates:

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

A posting on the Microsoft Security Response Center from Mike Reavey, Senior Director for Microsoft's Trustworthy Computing, discussed how the rogue certificates were created.

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft," the blog stated.

Security provider Symantec offered a deeper explanation on how signed components of the Flamer malware could "chain up to the trusted Microsoft Root Authority".

"Microsoft Terminal Services (or Remote Desktop Protocol) allows thin-clients access to Windows applications or an entire Windows desktop. Microsoft provides a license management system for Terminal Services consisting of a Terminal Services Licensing server. The server can provide licenses to clients (client access licenses) and provide an enterprise the ability to administrate and enforce licenses for connecting clients within their environment," Symantec explained.

The procedure used by the Terminal Server Licensing Service provided the avenue for the Flamer developers to produce what appeared to be legitimate digital certificates from Microsoft.

"In order to use the Terminal Services Licensing server, it must first be activated by contacting Microsoft. Microsoft issues the Terminal Services Licensing server a certificate as part of activation allowing Microsoft to individually identify and verify proper ownership of the Terminal Services server. These certificates chain up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, which further chain up to the Microsoft Root Authority. While the issued certificate is a limited-use certificate, the certificate improperly allows code signing. Flamer uses such a certificate to sign code causing the code to appear to be produced by Microsoft," the company noted.

Aside from the Security Advisory and the issuing of updates to protect their customers, Microsoft also took steps to make sure "the Terminal Server Licensing Service no longer issues certificates that allow code to be signed."
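As an added defender-side example (not code from the article, Microsoft or Symantec), the PowerShell below rebuilds the signer chain of a file and flags any chain element whose subject matches the two licensing intermediates named above, then lists whether those certificates now sit in the machine's Untrusted store. It assumes the advisory's update (2718704) has placed the revoked certificates in that store, and the file path is a placeholder.

```powershell
# Added example, not from the article: flag Authenticode signatures whose
# chain passes through the licensing intermediates Microsoft revoked.
# The two names are the intermediates listed in Security Advisory 2718704.
$RevokedIntermediates = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

function Test-RevokedLicensingChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = 'Unsigned'; Hits = @() }
    }

    # Rebuild the chain so every intermediate is visible, not only the leaf.
    # Online revocation checking is what makes the revoked CA fail the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($sig.SignerCertificate)   # ChainElements is filled even on failure

    $hits = foreach ($element in $chain.ChainElements) {
        $subject = $element.Certificate.Subject
        foreach ($name in $RevokedIntermediates) {
            if ($subject -like "*CN=$name*") { $subject }
        }
    }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status   # Valid / NotSigned / HashMismatch / UnknownError
        Hits   = @($hits)      # non-empty means the chain passes through a revoked CA
    }
}

# Confirm the advisory's update landed: the revoked certificates should now
# appear in the machine's Untrusted (Disallowed) certificate store.
function Get-DisallowedLicensingCerts {
    Get-ChildItem Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like '*Enforced Licensing*' } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Usage (placeholder path):
Test-RevokedLicensingChain -Path 'C:\path\to\suspect.dll' | Format-List
Get-DisallowedLicensingCerts
```

A non-empty `Hits` list on a file whose `Status` is still `Valid` indicates a host that has not yet received the update, since a revoked intermediate should cause chain validation to fail.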
