About 900 million Windows computers get their updates from Microsoft Update. In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it.
Turns out, it looks like this has now been done. And not by just any malware, but by Flame.
The full mechanism hasn’t yet been completely analyzed, but Flame has a module which appears to attempt a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE onto the target computer.
This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
Except it isn’t really signed by Microsoft.
Turns out the attackers figured out a way to misuse a mechanism that Microsoft uses to create Terminal Services activation licenses for enterprise customers. Surprisingly, these keys could also be used to sign binaries.
Here’s what the Certification Path of the certificate used to sign WUSETUPV.EXE looks like:
The full details of how this functionality works are still under analysis. In any case, it has not been used in large-scale attacks. Most likely this function was used to spread further inside an organization or to drop the initial infection on a specific system.
Microsoft has announced an urgent security fix to revoke three certificates used in the attack.
The fix is available via — you guessed it — Microsoft Update.
Here’s an animated screenshot showing what the update does: it adds two certificates issued by Microsoft Root Authority and one by Microsoft Root Certificate Authority to the list of Untrusted Certificates.
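For administrators who want to confirm the update took effect, here is an added PowerShell example (not from the original post) that lists the entries in the local Untrusted Certificates store chained to the two Microsoft roots named above, and then inspects the Authenticode signature chain of a given file, flagging any chain element that appears in that store and showing each certificate’s Enhanced Key Usage. The file path is an assumed placeholder; the cmdlets and properties used are standard Windows PowerShell ones.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell on a
# machine that has received the certificate-revocation update. $FilePath is a
# hypothetical location; point it at the binary you want to check.
param(
    [string]$FilePath = "C:\path\to\WUSETUPV.EXE"
)

# 1. Which certificates in the Untrusted (Disallowed) store were issued under
#    "Microsoft Root Authority" or "Microsoft Root Certificate Authority"?
$untrusted = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Issuer -match 'CN=Microsoft Root (Certificate )?Authority' }

Write-Host "Untrusted certificates issued under a Microsoft root:"
$untrusted | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize

# 2. Verify the signature on the file. Any status other than 'Valid' (for example
#    NotTrusted or HashMismatch) means the binary must not be treated as Microsoft code.
if (-not (Test-Path -Path $FilePath)) {
    Write-Host "File not found: $FilePath (set -FilePath to a real sample)"
    return
}

$sig = Get-AuthenticodeSignature -FilePath $FilePath
Write-Host "Signature status for ${FilePath}: $($sig.Status) - $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    # Build the signer's chain and compare every element against the Disallowed
    # store by thumbprint. Build() returns $false for an untrusted chain, but the
    # ChainElements collection is still populated, which is what we want to see.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $badThumbs = (Get-ChildItem -Path Cert:\LocalMachine\Disallowed).Thumbprint

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $flag = if ($badThumbs -contains $cert.Thumbprint) { 'UNTRUSTED' } else { 'ok' }
        # EnhancedKeyUsageList is the PowerShell-adapted view of the EKU extension.
        # A licensing certificate whose chain is accepted for code signing is the
        # weakness described in the post, so the EKU of every element is worth seeing.
        $ekus = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        Write-Host ("  [{0}] {1}`n      Issuer: {2}`n      EKU: {3}" -f $flag, $cert.Subject, $cert.Issuer, $ekus)
    }
}
```

Run it as `.\Check-Signer.ps1 -FilePath <binary>` from an elevated prompt. If the Untrusted store listing is empty, the revocation update has not yet been applied on that machine; if a chain element is flagged UNTRUSTED, the signature should be rejected regardless of how the rest of the chain looks.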
Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened.
I guess the good news is that this wasn’t done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.