Flame Nightmare: stolen Microsoft certs spoof Microsoft Update

Stolen certs poor for snaring new victims, but neat for keeping infected targets, says HD Moore.

The stolen Microsoft certificates that Microsoft revoked on Monday were used by the Flame malware to launch a man-in-the-middle (MITM) ‘spoofing’ attack on the Microsoft Update security update system, according to F-Secure.

Microsoft Update is the very system Microsoft employed to distribute Monday’s emergency security update. The service is used to issue security updates for Internet Explorer, Office, and Windows Live.

Microsoft revoked trust for two Microsoft Root Authority certificates and one from Microsoft Root Certificate Authority on Sunday after discovering that its Terminal Services licensing certificates—normally issued for enterprise server license verification—could be used to sign any code as having been made by Microsoft.

Microsoft's security update prevents attackers from signing code that fraudulently validates any software as Microsoft’s.

According to F-Secure’s chief research officer, Mikko Hypponen, the fake certificates were used to validate one of Flame’s modules, which attempts a MITM attack on Microsoft Update. If successful, it drops a file called “WUSETUPV.EXE”.

“This file is signed by Microsoft with a certificate that is chained up to Microsoft root. Except it isn't signed really by Microsoft,” wrote Hypponen in an update Monday evening.

“Having a Microsoft code signing certificate is the Holy Grail of malware writers,” said Hypponen.

Malware that spoofs and replicates via Microsoft’s update system was the “nightmare scenario”, he said. The only upside was that it wasn’t used in a large, financially motivated attack but rather in a small-scale targeted attack, he said.

HD Moore, chief technology officer for Rapid 7, explained to CSO.com.au that Microsoft certificates are significant because of the high level of trust Windows systems place in Microsoft’s root certificates.

“There’s a lot of components in Windows that will only load if they’re signed by a root authority. Things like ActiveX controls may not pop up a warning if they’re signed by Microsoft. The same thing applies to kernel modules,” said Moore.

“If you have a rootkit and you install the kernel module you could either get it signed by Global Sign, another kernel vendor, in which case a big pop up occurs, asking ‘Do you want to install this driver by this vendor?’. So even in the best case scenario, you will still get a pop up for those drivers. But if it’s signed by the Microsoft Root Authority, it bypasses all those pop ups and often bypasses the AV detections as well because they say, ‘hey, this is signed by someone we trust, I’m not going to bother signaturing it.’”

The stolen certificates in this case would allow an attacker to install “rogue updates” using a Domain Name System (DNS) MITM.

“The ActiveX control/Windows update system lets anyone with DNS control install updates, but only if the update is signed by Microsoft,” explained Moore.

The attack would be “incredibly difficult to detect”; however, even with a Microsoft signature the attacker would still need to force the update system to hit the malicious server, said Moore.

“It still doesn't seem that useful for breaking into new systems... but it does make keeping access easy, if you can subvert DNS,” said Moore.
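A defender-side check that follows from the revocation described above and from Moore’s point about root-signed code, added here as an example and not code from the article, Microsoft, F-Secure or Rapid 7: it walks a file’s Authenticode chain, reports any chain element the machine has placed in the Disallowed (“Untrusted Certificates”) store, and flags intermediate CAs that are not explicitly constrained to code signing. The `$Path` parameter and the finding messages are the example’s own; the cmdlets, store path and .NET types are standard Windows PowerShell.

```powershell
# Added example: audit a signed file's certificate chain after a certificate revocation.
param([Parameter(Mandatory = $true)][string]$Path)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Output "$Path is not Authenticode-signed"
    return
}

# Build the chain with online revocation checking and require the code-signing policy.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$CodeSigningOid) | Out-Null
$built = $chain.Build($sig.SignerCertificate)

# Thumbprints of everything this machine has been told never to trust.
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed | ForEach-Object { $_.Thumbprint }

$findings = @()
if (-not $built) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $findings += "chain did not build: $status"
}

foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    if ($disallowed -contains $cert.Thumbprint) {
        $findings += "chain element '$($cert.Subject)' is in the Disallowed store"
    }
    # Only intermediate CAs are checked for EKU: skip the leaf and the self-signed root.
    if ($cert.Thumbprint -eq $sig.SignerCertificate.Thumbprint) { continue }
    if ($cert.Subject -eq $cert.Issuer) { continue }

    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekuOids -notcontains $CodeSigningOid) {
        # A CA with no EKU at all is unconstrained, which is the property that let a
        # licensing CA issue certificates usable for signing code.
        $findings += "intermediate CA '$($cert.Subject)' is not explicitly constrained to Code Signing"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path chains to a trusted root through code-signing-constrained CAs"
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

A root CA normally carries no EKU and is skipped, so a warning here points at an intermediate that is broader than a code-signing issuer should be.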

While Stuxnet also used a stolen certificate from RealTek, Moore said Flame doesn’t appear to show anywhere near the level of complexity of Stuxnet.

“A lot of malware these days ships with stolen certificates. The original Stuxnet shipped with a stolen RealTek key. It seems like stealing a code-signing key hasn’t been much of a problem for the folks that are doing targeted attacks.

“The only thing that jumped out as being incredibly difficult (in Stuxnet) were the PLC code—actually modifying the hardware etcetera—and some of the exploits were just off the wall crazy and really good bugs that I’m surprised no one ever found before.

“For Flame, it’s not quite as clear that it’s anywhere near the same level of complexity or that it really has anything sophisticated. It didn’t sound like there were any new vulnerabilities or new exploits being exploited by it, it just was basically a new automation kit.”
