Microsoft Rushes Update After Digital Certificate Abuse in Flamer
Microsoft has delivered a security patch via the Windows Update service to revoke three digital certificates that the Flamer malware has used to evade detection.
The accompanying security advisory from the Redmond-based software vendor states that samples of Flamer malware using unauthorized digital certificates derived from a Microsoft Certificate Authority have been seen in the wild. Flamer, also known as Skywiper, is one of the world’s most complex e-threats to date. Some of its components had been signed by certificates that allow software to appear as if it was built by Microsoft, which allows it to circumvent some security checks in the operating system, as well as in some antivirus products.
“We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” Mike Reavey, Senior Director to Microsoft’s Security Response Center (MSRC), wrote in a blog post. The company does not state who the abused certificates belong to or how they were leaked to the attacker.
Digitally-signed malware has become increasingly prevalent since the discovery of Stuxnet. This breed of malware is particularly dangerous, as some antiviruses skip digitally-signed malware from scanning as they are believed to be trustworthy. Also, some components, such as kernel-mode drivers – components that are mostly known as rootkits, need to be digitally signed to infect 64-bit operating systems.