Microsoft on Sunday issued an emergency patch revoking digital certificates that were used by cyber crooks to sign parts of the Flame worm to make it appear like a legitimate piece of software.
The patch nullified three intermediate Microsoft certificates which, according to the software giant's advisory, were being leveraged in active attacks to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks." Microsoft also killed off certificates that could be used for code signing via its Terminal Services licensing certification authority (CA), which ultimately “chained up” to the trusted Microsoft root authority.
"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Mike Reavey, director of the Microsoft Security Response Center, wrote in a Sunday blog post. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."
By exploiting what appears to be a zero-day vulnerability in the certificate verification process, Flame's authors were able to mount a shrewd attack in which they did not have to steal any certificates at all, as had been the case with previously compromised CAs such as DigiNotar and Comodo.
"Microsoft CA is the most whitelisted CA in the world," tweeted Mikko Hypponen, chief research officer of security firm F-Secure. "Forging a Microsoft code signing certificate is the holy grail of malware writers. Enterprises whitelist applications signed by Microsoft. That's why Flame authors wanted to use a cert that chained up to the Microsoft root."
Microsoft did not say who may have accessed the bogus certs.
Flame, which targeted computers in the Middle East, particularly Iran, had existed since 2010 and, like another difficult-to-detect worm, Stuxnet, spread via removable media, network shares or a printer spool vulnerability. Flame contained a backdoor and a trojan and had worm-like features that allowed it to replicate across a local network and onto removable media when commanded to do so.
Components of Flame were signed by the certificates using “an older cryptography algorithm [that] could be exploited and then be used to sign code as if it originated from Microsoft," Reavey wrote.
The thumbprints of the untrusted certificates:

| Certificate | Thumbprint |
| --- | --- |
| Intermediate PCA | 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70 |
| Intermediate PCA | 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08 |
| Registration Authority CA (SHA1) | fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97 |
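As an added example (not from the article or from Microsoft), the following Python script shows how a defender can take the thumbprints published in the advisory and check an exported certificate chain against them. A thumbprint is the SHA-1 hash of the certificate's DER encoding, so no certificate library is needed for the lookup; the second check, a substring scan for the md5WithRSAEncryption OID, is a heuristic for the "older cryptography algorithm" the advisory refers to, and the `check_chain` function, its input format (a list of DER blobs) and the sample bytes are assumptions of this example.

```python
import hashlib
import re

# Thumbprints exactly as published in the advisory table above.
ADVISORY_THUMBPRINTS = [
    ("Intermediate PCA", "2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70"),
    ("Intermediate PCA", "3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08"),
    ("Registration Authority CA (SHA1)",
     "fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97"),
]

# DER encoding of OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption).
# Finding it inside a certificate is a heuristic, not a full ASN.1 parse.
MD5_WITH_RSA_OID = bytes.fromhex("06092a864886f70d010104")


def normalize_thumbprint(text):
    """Strip spaces/colons and lower-case; reject anything that is not 40 hex digits."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError(f"not a SHA-1 thumbprint: {text!r}")
    return digits


# Lookup table keyed by normalized thumbprint so any spacing convention matches.
UNTRUSTED = {normalize_thumbprint(tp): name for name, tp in ADVISORY_THUMBPRINTS}


def thumbprint(der):
    """A certificate thumbprint is the SHA-1 digest of its DER bytes."""
    return hashlib.sha1(der).hexdigest()


def check_chain(chain_der, untrusted=UNTRUSTED):
    """Return (index, finding, detail) tuples for a chain given as DER blobs, leaf first.

    Two findings are reported: a certificate whose thumbprint is on the revocation
    list, and a certificate that carries the md5WithRSAEncryption algorithm OID.
    """
    findings = []
    for index, der in enumerate(chain_der):
        tp = thumbprint(der)
        if tp in untrusted:
            findings.append((index, "revoked", untrusted[tp]))
        if MD5_WITH_RSA_OID in der:
            findings.append((index, "weak-signature-algorithm", "md5WithRSAEncryption"))
    return findings
```

To run it against a real chain, read each exported `.cer` (DER) file as bytes and pass the list to `check_chain`; an empty result means none of the advisory's thumbprints appear and no MD5-signed certificate was spotted.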
Portions of this article originally appeared at scworld.com.au.