June 14, 2021

Flame Malware Using Unauthorized Microsoft Certificates

(LiveHacking.Com) – Microsoft has released a security advisory outlining how components of the Flame malware have been signed by unauthorized Microsoft certificates. The result is that the signed components appear as if they were produced by Microsoft.  The problem originates with an older cryptography algorithm that can be exploited and then be used to sign code. Specifically, Microsoft’s Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in the enterprise, used the older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

To fix the problem Microsoft has done three things: First, it released another security advisory outlining steps users can take to block software signed by these unauthorized certificates. Second, it released a software update that automatically takes this step and third, the Terminal Server Licensing Service has been changed to no longer issues certificates that allow code signing.

Microsoft’s update, which  is available through Windows Update and Automatic Updates, revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”:

  • Microsoft Enforced Licensing Intermediate PCA (2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70) – Issued by Microsoft Root Authority
  • Microsoft Enforced Licensing Intermediate PCA (3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08) – Issued by Microsoft Root Authority
  • Microsoft Enforced Licensing Registration Authority CA (SHA1) (fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97) – Issued by Microsoft Root Certificate Authority

Microsoft is also concerned that the same technique could have been used by other types of malware. “Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks.  Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers,” wrote Jonathan Ness from Microsoft Security Response Center.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks