Flame, the sophisticated malware an unidentified creator is using to steal information from Iran and its neighbors, uses bogus certificates that fool Windows into treating certain Flame components as Microsoft-signed code.
After discovering the certificate problem, Microsoft acted quickly to address it. On Sunday, it issued a security advisory and a patch revoking the compromised certificates.
One of the ways Flame uses the certificates to spread itself is through false Windows updates, according to Alex Gostev, chief malware expert at Kaspersky Lab.
Gostev said when a machine runs Windows Update, a Flame component called “Gadget” redirects the update client to another infected machine on the network. That machine sends a malicious update to the first computer. The malicious update, security researchers noted, “uses the fake Microsoft certificate, which allows the bogus Windows Update to run in the victim’s machine without any warnings.”
“[T]here might still be an undiscovered zero-day vulnerability being used to initially infect computers with Flame,” he cautioned. “It’s important to note that the initial Flame infection could still be happening through zero-day vulnerabilities.”
In a blog posting, Microsoft acknowledged that because Flame is being used in sophisticated, targeted attacks, the vast majority of its customers aren't at risk from the malware. It added, however, that this is no reason to delay installing the certificate update: some techniques used by Flame could also be leveraged by less sophisticated attackers to launch more widespread attacks on computers outside the malware's target area, it warned.
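A check a Windows administrator can run after installing the update described above, added here as an example and not part of the article, of Microsoft's advisory, or of any Kaspersky tooling: it confirms that the certificates Microsoft revoked in response to Flame are present in the machine's Untrusted Certificates (Disallowed) store and that none of them still sits in a trusted store. The two subject names are the ones listed in Microsoft Security Advisory 2718704 (the advisory the article refers to); treat them as an assumption to verify against the advisory text.

```powershell
# Added example, not part of the PCWorld article or of Microsoft's advisory.
# Verifies that the certificates Microsoft untrusted in response to Flame are
# present in the Disallowed (Untrusted Certificates) store and absent from the
# trusted Root and CA stores. Subject names are taken from Security Advisory
# 2718704 and are an assumption to confirm against the advisory.
$revokedSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA (SHA1)'
)

function Test-SubjectMatch {
    param([string]$Subject)
    foreach ($name in $revokedSubjects) {
        if ($Subject -like "CN=$name*") { return $true }
    }
    return $false
}

# 1. Every revoked subject should appear in the Disallowed store. The
#    Intermediate PCA was issued twice, so two entries for it are expected.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
foreach ($name in $revokedSubjects) {
    $hits = @($disallowed | Where-Object { $_.Subject -like "CN=$name*" })
    if ($hits.Count -gt 0) {
        foreach ($cert in $hits) {
            '[OK]      {0}  thumbprint={1}' -f $name, $cert.Thumbprint
        }
    } else {
        '[MISSING] {0}  (install the advisory update and re-run)' -f $name
    }
}

# 2. None of them should still be trusted. A hit here means the machine would
#    still accept code or updates chained to the forged certificates.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA') {
    Get-ChildItem -Path $store |
        Where-Object { Test-SubjectMatch -Subject $_.Subject } |
        ForEach-Object { '[WARN] still trusted in {0}: {1}' -f $store, $_.Subject }
}
```

Run it from an elevated PowerShell session so the LocalMachine stores are readable; a `[MISSING]` line means the revocation has not reached that host, which is exactly the state in which the fake-update trick the article describes still works.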
Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.