Microsoft has found that some components of the Flame malware were signed using a forged digital certificate that the attackers were able to create by exploiting a weakness in the way that Microsoft’s Terminal Services allows customers to sign code with Microsoft certificates. The company has sent out an update that will remove three untrusted certificates from the Microsoft Trusted Certificate Store and has made a change to the way Terminal Services handles code signing.
Flame, which was discovered last week and has been used in a series of targeted attacks against organizations in Syria, Iran and other Middle Eastern countries, has one of its important components, the updater, signed by certificates that the attackers created using the vulnerability in Terminal Services. When Terminal Services is installed in an environment, it gives customers the ability to authorize the use of Remote Desktop Services on certain machines. During that process, the server will issue certificates to prove that the code comes from Microsoft. The attackers discovered that those certificates also could be used to sign code, and used them to sign the components of Flame.
Researchers have found that one component was signed in December 2010.
“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” Microsoft’s Mike Reavey wrote in an analysis of the problem.
The attackers behind Flame used this vulnerability in order to sign, and therefore legitimize, certain pieces of the attack tool. This is an embarrassing incident for Microsoft, and the company pushed out an emergency update for the issue on Sunday.
“Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft,” Jonathan Ness of the Microsoft Security Response Center Engineering team wrote.
The use of forged or stolen certificates to sign malware is a trick that’s been used for some time now, most notably in both Stuxnet and Duqu, which are seen as the forerunners of Flame. The tactic enables the attacker to get browsers and other applications to trust the signed components of the malware, allowing them to run unimpeded on infected machines.
In the case of Flame, the attackers used a certificate issued by Microsoft to sign the updater for the malware, and researchers say that the component was signed on Dec. 28, 2010. That’s about 18 months before the Flame malware was discovered and the stolen certificate uncovered.
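A defender can check whether any signed binary on a host chains to the licensing CA named in Microsoft's statement, and whether that CA now sits in the untrusted store. The PowerShell below is an added example, not code from Microsoft or from this article; the scan path, file extensions and the function name `Get-SignerChainReport` are assumptions, and it matches on the CA name quoted above because the article gives no thumbprints.

```powershell
# Added example (not from the article or Microsoft). The scan path and file
# extensions are assumptions; the CA name is the one quoted in the article.
param(
    [string]$Path = "$env:SystemRoot\System32",
    [string]$FlaggedCaName = 'Microsoft Enforced Licensing Intermediate PCA'
)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU

function Get-SignerChainReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$File
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # We want the shape of the chain, not a revocation verdict, so stay offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)   # elements are populated even when Build() fails

    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    # The intermediate may be missing locally, so test the leaf's issuer as well.
    $names = @($Cert.Issuer) + @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    [pscustomobject]@{
        File              = $File
        Subject           = $Cert.Subject
        Thumbprint        = $Cert.Thumbprint
        HasCodeSigningEku = $ekuOids -contains $CodeSigningOid
        ViaFlaggedCa      = [bool]($names -like "*$FlaggedCaName*")
        ChainSigAlgs      = @($chain.ChainElements |
            ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }) -join ' > '
    }
}

# Report every signed binary whose signer chains to the flagged CA.
Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.SignerCertificate) {
            Get-SignerChainReport -Cert $sig.SignerCertificate -File $_.FullName
        }
    } | Where-Object { $_.ViaFlaggedCa } | Format-List

# Entries for this CA in the untrusted (Disallowed) store indicate the distrust update is in place.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like "*$FlaggedCaName*" } |
    Select-Object Subject, Thumbprint, NotAfter
```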