Flame Worm uses fraudulently signed Microsoft digital certificates to install itself
Earlier today I published a blog article detailing why Microsoft has issued an out-of-band patch that plugs a vulnerability the Flame malware uses as one means of installing itself. Now I have learned how the malware is exploiting these certificates and what the patch does to stop this method of exploitation.
According to recent analysis of the Flame malware by Kaspersky Lab, one of the methods Flame uses to propagate inside a network is to present a component signed with a certificate that chains up to Microsoft's own trusted root when it tries to install itself on an uninfected PC. That certificate is used to install a fake Windows Update component deceptively named "Desktop Gadget Platform", which lies to you by claiming that it "Allows you to display gadgets on your desktop."
Because the signing certificate chained to a root Windows already trusted, and so appeared to have been issued by Microsoft itself, the operating system treated the component as genuine Microsoft code and allowed the installation to proceed without a second thought, or any user interaction. But not any more! Today's critical patch KB2718704 distrusts the intermediate certificate authorities used by the Flame worm by moving them into the Untrusted Certificates store, so any signature that chains through them now fails validation. If this malware attempts to install, a challenge box will pop up listing the installer as Unsigned or Untrusted rather than Signed. If you inspect the certificate, you will see that its chain ends in an issuer that Windows now explicitly refuses to trust.
Thus, the out-of-cycle patch that Microsoft released earlier today blocks the unattended infections that the certificates fraudulently obtained under Microsoft's name previously allowed. Distrusting these certificates closes this attack vector, but not others, and it does nothing to remove Flame from a machine that is already infected; that still requires a scan with updated anti-malware signatures. It is still unknown how the Flame malware is introduced into a system to infect the first host. Researchers are currently looking for an as yet unknown zero-day exploit. Keep in mind that the forged signatures were themselves a form of zero-day attack. It took a long time for this vector to be discovered, but only hours to revoke the certificates' trust and plug that hole.
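The two checks a Windows administrator would want after reading the above are whether KB2718704 has actually landed on a machine, and whether a given installer's Authenticode chain runs through one of the now-distrusted issuers. The PowerShell below is an added example written for this article, not code from Microsoft or from the Flame analysis. The two subject names come from Microsoft Security Advisory 2718704; the file path in the usage line at the bottom is only a placeholder and should be replaced with the binary you want to inspect.

```powershell
# Added example (not from the original article or from Microsoft):
# 1) confirm KB2718704 placed the abused intermediate CAs in the Untrusted store;
# 2) show whether a binary's Authenticode chain passes through either of them.

# Subject names per Microsoft Security Advisory 2718704 (assumption: the
# Subject string begins with the CN, as .NET formats it).
$distrusted = @(
    'CN=Microsoft Enforced Licensing Intermediate PCA',
    'CN=Microsoft Enforced Licensing Registration Authority CA (SHA1)'
)

function Test-KB2718704Applied {
    # The "Untrusted Certificates" store appears in the Cert: drive as Disallowed.
    $store = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    $missing = foreach ($subject in $distrusted) {
        if (-not ($store | Where-Object { $_.Subject -like "$subject*" })) { $subject }
    }
    if ($missing) {
        Write-Warning "KB2718704 not applied; still trusted: $($missing -join '; ')"
        return $false
    }
    Write-Host 'KB2718704 applied: both Enforced Licensing intermediates are distrusted.'
    return $true
}

function Test-SignerChain {
    param([Parameter(Mandatory)][string]$Path)   # installer or DLL to inspect
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid for a good chain, NotSigned for none, or NotTrusted /
    # UnknownError once an intermediate has been pushed into the Untrusted store.
    Write-Host "$Path : $($sig.Status) - $($sig.StatusMessage)"
    if (-not $sig.SignerCertificate) { return $false }

    # Rebuild the signer's chain ourselves so every issuer can be printed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($sig.SignerCertificate)

    $hit = $false
    foreach ($element in $chain.ChainElements) {
        $subj = $element.Certificate.Subject
        $bad  = $null -ne ($distrusted | Where-Object { $subj -like "$_*" })
        if ($bad) { $hit = $true }
        Write-Host ("  {0}{1}" -f $subj, $(if ($bad) { '  <-- distrusted by KB2718704' } else { '' }))
    }
    # $true only if the file is signed, the chain builds, and no distrusted issuer appears.
    return ($sig.Status -eq 'Valid') -and (-not $hit)
}

# Usage (placeholder path; point it at the installer you actually want to check):
Test-KB2718704Applied
Test-SignerChain -Path "$env:SystemRoot\System32\ntoskrnl.exe"
```

Run it from an elevated prompt so the LocalMachine store is readable. A file that is signed but whose chain shows one of the two flagged issuers is exactly the case the patch is meant to catch: before KB2718704 it would have validated as Microsoft code, afterwards Get-AuthenticodeSignature reports it as anything but Valid.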
Footnote: The digital certificates used to spread the Flame malware were signed in 2010. This subterfuge was only discovered in the last few days, a full two years after the fact. It is still not known how these fraudulent certificates came to be signed. That will eventually come to light, along with other facts about this new Flame malware burning up the security news channels as The Hot Topic (puns intended)!
My previous article urges all Windows computer owners and admins to use Windows Update to install patch KB2718704 as soon as possible. I repeat the call for urgency in patching against this new malware and the others like it that are bound to follow. The next Flame might not be an espionage tool but a new form of botnet and attack weapon.
If you operate with less than Administrator privileges, the patch may be pushed to you when you shut down or log off. If you run Microsoft Security Essentials, it runs with System privileges and may install the patch with no user interaction or restarts at all. It did just that on my XP Pro machine!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.