A week after the discovery of the Flame malware, an investigation by Microsoft has revealed that a counterfeit digital certificate was used to help spread the malicious code. Microsoft has found that part of the Flame malware had been signed with digital certificates that were chained all the way up to the Microsoft Root Authority.
With the bogus certificate, Flame malware would look like legitimate software signed by Microsoft. The bogus certificate signing was made possible by way of a flaw in Microsoft's Terminal Services licensing certification authority, which Microsoft has now patched as part of an emergency security update released this weekend.
"We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft," Mike Reavey, Senior Director of MSRC Microsoft Trustworthy Computing, wrote in a blog post. "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."
According to Mikko Hypponen, Chief Research Officer at F-Secure, the malware writers went one step further and actually used Windows Update as an infection vector, leveraging the forged certificate. "The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer," Hypponen wrote in a blog post. "This file is signed by Microsoft with a certificate that is chained up to Microsoft root. Except it isn't signed really by Microsoft."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Hypponen calls this the nightmare scenario for IT security staff: "About 900 million Windows computers get their updates from Microsoft Update," he wrote. "In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it. Turns out, it looks like this has now been done."
Certificates Revoked in Emergency Update
Microsoft Security Advisory 2718704, released yesterday, revokes the trust of a pair of Microsoft Certificate Authorities to help mitigate and remove the risk. Additionally Microsoft is no longer enabling anyone to sign certificates via the Terminal Services activation and licensing system. The advisory affects Windows XP, Windows Vista, Windows 7, and even the new Windows 8 Preview release.
As to why the vulnerability was possible in the first place, Jonathan Ness of Microsoft Security Response Center Engineering explained in a blog post that the Terminal Services licensing certification authority should only have been able to be used for license server verification. What Microsoft's investigation found was that the Terminal Services could also be tricked into providing a bona fide Microsoft digital signature for code as well. The system could also have bypassed Microsoft's own code signing infrastructure.
"Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft's internal PKI infrastructure," Ness explained.
Problems with unauthorized Certificate Authority signing are not new in the malware world. In 2011, Certificate Authority Diginotar was breached, which enabled attackers to sign digital certificates on behalf of Google and other high profile web sites.
The Microsoft disclosure about the potential role their certificate authority played in Flame comes as more information about the U.S. Government's role in the Stuxnet and Duqu cyber attacks has been exposed. Last week, the New York Times reported that the U.S and Israeli governments were definitively tied to the proliferation of Stuxnet. Early speculation about the intent of Flame has been that it is a similar type of targeted cyberwarfare campaign against Iran.