Microsoft Certificate Was Used To Sign Flame Malware

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

Surprised this isn't regulated more closely

[danbuter]

I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

Nice Headline

[a90Tj2P7]

"Microsoft Certificate Was Used To Sign Flame Malware" != "Counterfeit Microsoft Certificate Was Used To Sign Flame Malware"

Remember the Kernel Backdoor

[Anonymous Coward]

I think it was an SHS exploit or something in the Windows Kernel. Steve Gibson stepped through the Kernel and concluded that this vulnerability was an intentionally placed backdoor, perhaps by a Microsoft employee. It's in one of his earlier podcasts. Lots of people thought maybe he was crazy at the time, but in retrospect ... maybe not so much.

Re:Surprised this isn't regulated more closely

[Dogtanian]

I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

Given the blurb for this story that also appeared today [slashdot.org]...

All three were most likely developed by a Western intelligence agency as part of covert operations [..] consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets

I think that *this* part of your comment:-

(barring an employee or a government doing it)

may answer your own question. Aside from the fact that governments would have had massive resources to start off with, it's also probable that MS were (at least) forced to allow those governments access or involvement at some level to otherwise secure or confidential aspects of their software.

If this is the case, then at the very least, they could have used such knowledge to give themselves an advantage. Going one step further, it's possible that they used or exploited this to help steal or get access to those keys.

But given that it's widely claimed that the US government was involved in the creation of Stuxnet, it's equally plausible that MS willingly gave- or were pressurised into giving- them those certificates knowingly, even if they might not have known exactly what they were for.

This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible.

Re:Yay for security!

[peppepz]

GP is perfectly right, if anything. Microsoft will control by default all bootloaders, and this event shows that Microsoft are unable to maintain their chain of trust. The fact that there can be (or not - cf. ARM) an undocumented, user-unfriendly, unspecified procedure to add other people's keys doesn't change a bit of that.

Re:Yay for security!

[tepples]

For x86 systems, there is absolutely a means to change or add keys.

So how will publishers of alternative operating systems be able to train home users in adding the key needed to install another operating system?

fake certificates, or sold certificates?

[Edzilla2000]

Considering that microsoft sold the possibility to sign ssl certificates for any domain to the late Tunisian government, why wouldn't they sell the same thing to the makers of that virus, if it really comes from a government?

source: http://arabcrunch.com/2011/09/wikileaks-microsoft-accused-in-helping-bin-ali-monitor-tunisians-corruption-stifling-open-source.html [arabcrunch.com]

Re:UEFI

[MickyTheIdiot]

But is Linux only able to join the party is it plays in the game Microsoft created? Do you have to be a multi-million dollar company to play? Can I write my own OS if I wanted to and have it boot "securely" on hardware that I own.

None of this seems answered right now. I know that the idiots in Washington DC think you have to be a company to make software, but when you implement that into the hardware it's total bullshit.

Re:UEFI

[Culture20]

the Windows 8 Ready program requires manufacturers to make adding additional secure boot keys available to the end user. Secure Boot isn't some conspiracy to get rid of Linux, it's an attempt to try to get rid of physical access == owned.

Except it does nothing about that. Physical access still == owned unless you lock the bios/uefi and physically lock the machine. Otherwise the attacker can either take out the HDD or boot up a Linux live CD or other HDD by adding a new key. That's no different from the current state of affairs where we change the boot order, lock down the bios and lock the machine. That means the purpose for Secure Boot has to be something else... and easy money is on market dominance (even just joe-user home market dominance).

Really?

[Corson]

Flamer is out in the wild since cca. 2007, with a MS signed certificate, and the only IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Isn't this a bit strange? Isn't it more likely that this NA-designed spyware targetting the Middle East was released with the tacit agreement of Western security companies and it only became known because the Russians, for some reason, decided they would not play the game? Microsoft being unaware for thw last few years that hundreds of computers are infected with a 20 MB spyware pack bearing a security certifice of their own? Come on...

Re:Surprised this isn't regulated more closely

[Anonymous Coward]

After about 5 years of not coming in contact with anything even vaguely Microsoftish (except maybe teller machines in check-out lines and the ticket terminals at the Portland Max stops), I just reinstalled XP on an ageing yet speedy little 3ghz p4 the other day and after getting the various sp's downloaded and installed, jumping through the usual hoops of somehow getting it registered correctly and setting things up all nice and pretty, I just have to say: ye gods - I hate Windows. I really, really just do.

I read somewhere a long time ago that the OS should be invisible to the applications when you're using them and I think this never rang truer than of Microsoft's 2,000lb Gorilla. After 5 hours of getting everything nice and tidy so actual programs could be installed, I ran back to my laptop (debian), opened the Gimp and just sat there drawing kindergarten-esque doodles for an hour to meditate the negative OS microwaving I'd just gotten out of my skull. I honestly hate to think I'm an OS hater, but cheesez...

Point? I don't suppose I have one other than exorcising that particular demon in public. However, I think that any company that has to protect ITSELF (claiming it's protecting me) when it's product is on my computer is NOT worthy of my trust and will never earn it by providing their own "certificates".

Please don't beat me for venting; just had to get that out...

Re:Surprised this isn't regulated more closely

[Alarash]

I attended a Check Point keynote last near in Barcelona, where the speaker described how Stuxnet came to existence. Stuxnet also used digitally signed certificates used to authenticate a program's developer (usually a company). One came from Realtek, I forgot the other one.

The presenter said that these certificates had been signed by the CA that Microsoft delegated to these companies. Normally these CA servers stand in highly secured room, with no network connection whatsoever. The certificates still got leaked. Something similar must have happened here. These are highly sophisticated pieces of malware, with virtually no expense spared to build them (for the Stuxnet example, you had to have your own Siemens PLC, something huge and expensive and hard to come by). So it's not really surprising they could just pay a disgruntled employee, or hack into the building, or doing some James Bond stuff, or god knows what, to get their hands on these certificates.

Re:Remember the Kernel Backdoor

[ChumpusRex2003]

I don't think Gibson found a kernel backdoor.

He did should very loudly about an intentional backdoor in the windows metafile image handler, which would start executing native code when a callback command was included in the script. He made a large number of spurious arguments as to why this was clearly intentional, as the vuln could only be triggered in very exceptional circumstances.

He was completely wrong about almost everything he said. The vuln was trivial to trigger, except when it was the last instruction in the script (which was the only way Gibson was testing). From the fact that he had great difficulty triggering it, requiring multiple parameters to be set to nonsense values, he concluded that this was clearly a deliberate backdoor.

It later came out from a number of MS insiders (incl. Mark Russinovich) that metafiles were a feature of Win 3, and were intended to be fully-trusted OS components (for rapid image drawing, and therefore had privileged access to a variety of internal system calls - notably the ability to set callbacks). The functionality was greatly increased in Win95 and later, with the original x86 hand-written assembly being ported directly, rather than rewritten. In the mists of time, the assumption of full-trust got lost.

Re:Remember the Kernel Backdoor

[trifish]

Since when is sheer unsourced FUD posted by Anonymous Coward starting with "I think that" moderated +5?