View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Microsoft revamps security after Flame malware scare

Malware used Windows flaw to trick PCs into thinking it was legitimate software

By Steve Evans

Microsoft has pledged to update its security strategy following the discovery of the Flame malware, which used a flaw in the Windows operating system to install itself on PCs.

The malware was used to attack computers throughout the Middle East and was specifically designed to gather intelligence from government departments, particularly in Iran.

The highly targeted nature of Flame means the vast majority of PC users around the world are not currently vulnerable. However, Microsoft clearly feels the flaw Flame exploited is serious enough to warrant big changes to the way it approaches security. The company said some of the techniques used in this attack could be used to launch more widespread attacks by far less sophisticated cyber criminals.

Essentially, Flame exploited a flaw in the Windows software that enabled it to trick the PC into thinking it was legitimate software from Microsoft. It then used Windows Update to install the malware onto the PC.

Mike Reavey, senior director at Microsoft Security Response Centre, said: "We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."

"Specifically, our Terminal Server Licensing Service, which allowed customers to authorise Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft," Reavey added.

Microsoft has released a patch that updates its certificate signing infrastructure and, "revokes the trust placed in the ‘Microsoft Enforced Licensing Intermediate PCA’ and ‘Microsoft Enforced Licensing Registration Authority CA’ signing certificates", Jonathan Ness added in another blog.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

"We have also discontinued issuing certificates usable for code signing via the Terminal Services activation and licensing process," Ness added.

F-Secure’s Mikko Hypponen said the used of Microsoft certificate was a big deal for the cyber criminals behind Flame. "Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," he wrote. "I guess the good news is that this wasn’t done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."

Details of the Flame malware were revealed at the end of May. It was described by Kaspersky Lab as "one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber-espionage."

The complexity and sheer size of the malware means a full analysis will not be available for a long time. It is still unclear at this time who is behind Flame, although Israel has hinted at its involvement.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.