Flame, a massive malware package targeting computers in the Middle East, is spreading itself using bogus Windows updates.
The sophisticated malware that is being used by an unidentified creator to steal information from Iran and its neighbors is creating bogus certificates that allow it to fool Windows into thinking that certain components of Flame are Microsoft products.
One of the ways Flames uses the certificates to spread itself is through false Windows updates, according to Alex Gostev, chief malware expert at Kaspersky Lab.
Gostev said when a machine runs Windows Update, a Flame component called "Gadget" redirects the update client to another infected machine on the network. That machine sends a malicious update to the first computer. The malicious update, security researchers noted, "uses the fake Microsoft certificate, which allows the bogus Windows Update to run in the victim’s machine without any warnings."
Since the world became aware of Flame, security software companies have issued updates to their anti-malware programs to neutralize the program. However, Gostev warned that Flame may still have some tricks embedded in its code.
"[T]here might still be an undiscovered zero-day vulnerability being used to initially infect computers with Flame," he cautioned. "It’s important to note that the initial Flame infection could still be happening through zero-day vulnerabilities."
A zero-day vulnerability is one that is unknown to a software vendor and the security community until it's discovered in malware operating "in the wild."
In a blog posting, Microsoft acknowledged that because Flame is being used in sophisticated, targeted attacks the vast majority of its customers aren't at risk from the malware. However, it advised that that is no reason to dawdle about installing the certificate patch. Some techniques used by Flame could also be leveraged by less sophisticated attackers to launch more widespread attacks on computers outside the malware's target area, it warned.