Flame signed with Microsoft certs

Powered by SC Magazine
 

Redmond kills cert store, issues patch.

Microsoft has issued an emergency patch revoking digital certificates used to sign the Flame malware.

The patch revoked three intermediate Microsoft certificates used in active attacks to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks”.

Microsoft also killed off certificates that were usable for code signing via Microsoft’s Terminal Services licensing certification authority (CA) that ultimately “chained up” to the Microsoft Root Authority.

The authority issued certificates for users to authorise Remote Desktop services in their enterprises.

Flame (Worm.Win32.Flame) had existed since 2010 and spread via removable media, according to the CERT, and by exploiting a patched Microsoft printer hole -- the same tapped by Stuxnet. It contained a backdoor and trojan and had worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so.

Components of the sophisticated Flame malware were signed by the certificates using “an older cryptography algorithm [that] could be exploited and then be used to sign code as if it originated from Microsoft”, Microsoft security response centre senior director Mike Reavey said in an advisory.

The bugged algorithm “provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft”.

“Now things may make sense with the Flame hoopla: It used the fake, but ‘valid’, MSFT certificate,” SANS Institute chief research officer Joannes Ullrich said in a tweet.

The bulletin did not specify who accessed the certificates.

The thumbprints of the untrusted certificates:

Certificate

Thumbprint

Intermediate PCA

2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Intermediate PCA

3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Registration Authority CA (SHA1)

fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

 

Copyright © SC Magazine, Australia


Flame signed with Microsoft certs
 
 
 
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
 
Five emerging technologies that will transform financial services
[Blog post] Far out ideas that aren't far off.
 
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Pass on carbon tax savings, warns ACCC
Jul 24, 2014
The ACCC is warning businesses that supply "regulated goods" to pass on any cost savings ...
Have customers that won't pay debts?
Jul 10, 2014
The ACCC and ASIC have updated their advice when it comes to collecting debts.
Carpet cleaner faces court over online testimonials
Jul 4, 2014
The ACCC has initiated proceedings against A Whistle (1979) Pty Ltd, the franchisor of Electrodry...
You can now get 15GB of free online storage using Microsoft OneDrive
Jun 25, 2014
Cloud storage has reached both the capacity and price where it's a viable alternative to local ...
Another clever trick you can perform with Xero
Jun 25, 2014
Here is another way to reach out to particular subsets of your customers using Xero.
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 958

Vote