The latest twist in the Flame cyberespionage attacks sent security experts reeling after it was discovered that the malware’s authors enabled their creation to spread by using signed digital certificates from Microsoft. “Having a Microsoft code-signing certificate is the Holy Grail of malware writers. This has now happened,” wrote F-Secure chief research officer Mikko Hypponen in a blog post. “I guess the good news is that this wasn’t done by cybercriminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.” Many security researchers think the same nation-state responsible for 2010’s Stuxnet malware attacks on Iranian nuclear-processing facilities created the Flame malware toolkit. To deal with the problem, Microsoft has issued one emergency patch for all Windows versions and another to kill three rogue certificates that looked as if the company signed them. Microsoft is urging Windows users to update their systems immediately. Hackers apparently used two modules within Flame to infect fully patched Windows 7 machines via a vulnerable cryptographic algorithm in Microsoft’s Terminal Server Licensing Service. Researchers at security vendors F-Secure, OpenDNS, and Kaspersky Lab are releasing new details about how Flame works. For example, OpenDNS said Flame mimics regular network traffic, thereby evading detection. (Dark Reading) (Information Week) (F-Secure) (Microsoft Security Advisory)