Researchers reveal how Flame fakes Windows Update

Bogus certificates key, but espionage malware also spoofs Microsoft's update service on a network

Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft's Windows Update mechanism.

Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?

Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company's Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates "signed" by Microsoft.

Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

"Hijacking Windows Update is not trivial because updates must be signed by Microsoft," noted Symantec on Monday in one of a series of blog posts its researchers have written about Flame.

One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame's development and attacks.

Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure's chief research officer and the first to announce that Flame was abusing Windows Update, called the feat "the Holy Grail of malware writers" and "the nightmare scenario" for antivirus researchers.

But as both Symantec and Kaspersky pointed out, Flame doesn't actually compromise Windows Update. It doesn't somehow infiltrate Microsoft's service -- and servers -- to force-feed malicious files to unsuspecting users.

Instead, a Flame-infected Windows PC can, in some situations, make other machines on a network believe it's Windows Update.

A PC compromised by Flame can sniff a networks' NetBIOS information, which identifies each computer, then use that to intercept Windows Updates requests by Internet Explorer (IE). Flame claims to be the WPAD (Web Proxy Auto-Discovery Protocol) server -- a system that provides proxy settings to copies of IE on the network -- and sends a malicious WPAD configuration file to the requesting PC.

As Symantec noted, WPAD hijacking is not new and is, in fact, part of many hacker toolkits.

The rogue WPAD configuration file modifies the victimized machine's proxy settings so that all Web traffic is routed through the Flame-infected system. On that PC, Flame's Web server, dubbed "Munch" kicks in, detects when the requested URL matches Windows Update's and in return sends a downloader disguised as a legitimate update from Microsoft.

To complete the ruse, the downloader was one of several compressed files -- crunched into the "cabinet," or ".cab" file format -- bundled into the single Windows Update.

Once the downloader was installed it retrieved a copy of Flame from the already-infected PC and uses it to compromise the computer.

This complex spreading technique only added to researchers' grudging respect for the threat.

"As we continue our investigation ... more and more details appear [that show] this is one of the most interesting and complex malicious programs we have ever seen," said Alexander Gostev, who leads Kaspersky's research and analysis team, in a Monday blog entry.

Microsoft has revoked three certificates generated by the attackers, making further spoofing of Windows Update files impossible on patched PCs unless there are more rogue certificates in the wild. The company has also blocked others from cranking out new code-signing certificates.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts