Threat Intelligence, Malware, Network Security, Security Strategy, Plan, Budget

Spy virus Flame got help from doctored Microsoft certificates

Microsoft on Sunday issued an emergency patch revoking digital certificates that were used by cyber crooks to sign parts of the Flame worm to make it appear like a legitimate piece of software.

The patch nullified three intermediate Microsoft certificates, which, according to the software giant, were being leveraged in active attacks to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks," according to an advisory. Microsoft also killed off certificates that were usable for code signing via its Terminal Services licensing certification authority (CA) that ultimately “chained up” to the trusted Microsoft root authority.

"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Mike Reavey, director of the Microsoft Security Response Center, wrote in a Sunday blog post. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft."

By exploiting what appears to be a zero-day vulnerability in the certificate verification process, Flame's authors were able to launch a shrewd attack in which they didn't have to actually steal the certificates, as had been the case with other compromised CAs such as DigitNotar and Comodo.

"Microsoft CA is the most whitelisted CA in the world," tweeted Mikko Hypponen, chief research officer of security firm F-Secure. "Forging a Microsoft code signing certificate is the holy grail of malware writers. Enterprises whitelist applications signed by Microsoft. That's why Flame authors wanted to use a cert that chained up to the Microsoft root."

Microsoft did not say who may have accessed the bogus certs.

Flame, which targeted computers in the Middle East, particularly Iran, had existed since 2010 and, similar to another difficult-to-detect worm named Stuxnet, it spread via removable media, network shares or a printer spool vulnerability. Flame contained a backdoor and trojan and had worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so.

Components of Flame were signed by the certificates using “an older cryptography algorithm [that] could be exploited and then be used to sign code as if it originated from Microsoft," Reavey wrote.

The thumbprints of the untrusted certificates:



Intermediate PCA

2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Intermediate PCA

3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Registration Authority CA (SHA1)

fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

Portions of this article originally appeared at

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.