Flame, a virus that can infect just about any computer in existence, has a new face: that of Windows Update. Recently, the virus has gained some footing by tapping into Microsoft’s Terminal Server and hijacking security certificates. Even the most well-protected computers believe the certificates are legitimate.
The designers of Flame created the virus to utilize Snack, Munch, and Gadget, three applications that are commonly used to infect PCs on their own. As a trio, they can trick a computer into redirecting traffic to a fake Web server while simultaneously installing a fake Windows Update application.
Spoofing the Windows Update program is a sophisticated and complicated process, says Symantec. “Hijacking Windows Update is not trivial because updates must be signed by Microsoft. However, Flamer bypasses this restriction by using a certificate that chains to the Microsoft Root Authority and improperly allows code signing. So when a Windows Update request is received, the GADGET module through MUNCH provides a binary signed by a certificate that appears to belong to Microsoft.”
Flame’s original focus was on high-end PCs holding valuable information such as bank account details, but with Windows Update as the new target, just about any computer can now become a victim. Historically, Windows Update could only be spoofed by a program that used an unauthorized certificate in a “man-in-the-middle attack”. Flame is the most advanced spoof yet: it not only employs the man-in-the-middle technique but also takes screenshots, records audio, and steals passwords and login information.
Microsoft has already issued a Security Advisory and released an update in an attempt to block the fake certificates, and they have blocked the Terminal Server Licensing Service that was allowing the fake certificates to be signed. The company is also working tirelessly to release a more advanced and secure version of Windows Update.
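As an added illustration (not code from this article, Symantec or Microsoft) of the two points above, the chain that “improperly allows code signing” and the certificate blocking Microsoft shipped: a simplified chain-policy check in Python. Every certificate name and the licensing OID are constructed placeholders, and the policy is a model of EKU chaining plus a distrust store, not Windows’ actual validation logic.

```python
from dataclasses import dataclass, field

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
LICENSING_ONLY = "licensing-only (constructed placeholder, not a real OID)"

@dataclass
class Cert:  # constructed stand-in for an X.509 certificate; only what the policy needs
    subject: str
    issuer: str
    is_ca: bool
    eku: list = field(default_factory=list)  # empty list = no EKU extension at all

def chain_allows_purpose(chain, purpose, trusted_roots, untrusted):
    """Evaluate a leaf-first chain for `purpose` -> (accepted, reason).
    Simplified model of EKU chaining plus an explicit distrust list; not CryptoAPI."""
    if any(c.subject in untrusted for c in chain):
        return False, "a certificate in the chain is explicitly distrusted"
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in trusted_roots:
        return False, "chain does not end at a trusted self-signed root"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, f"{child.subject} was not issued by a CA in the chain"
    if purpose not in chain[0].eku:
        return False, "leaf certificate does not assert the requested purpose"
    for ca in chain[1:]:  # a CA that lists EKUs must list this one (or anyEKU)
        if ca.eku and purpose not in ca.eku and ANY_EKU not in ca.eku:
            return False, f"{ca.subject} is restricted to other purposes"
    return True, "accepted"

ROOT = Cert("Root CA (constructed)", "Root CA (constructed)", True)
# Intermediate meant for licensing but with no EKU extension: nothing stops it minting a code-signing leaf.
UNCONSTRAINED_CA = Cert("Licensing CA (constructed)", ROOT.subject, True)
CONSTRAINED_CA = Cert("Licensing CA (constructed)", ROOT.subject, True, [LICENSING_ONLY])
ROGUE_LEAF = Cert("update-signer (constructed)", "Licensing CA (constructed)", False, [CODE_SIGNING])

def demo():
    """Three verdicts on the rogue leaf; the vendor fix is modelled as distrusting the CA."""
    roots = {ROOT.subject}
    return {
        "unconstrained_ca": chain_allows_purpose([ROGUE_LEAF, UNCONSTRAINED_CA, ROOT], CODE_SIGNING, roots, set()),
        "eku_constrained_ca": chain_allows_purpose([ROGUE_LEAF, CONSTRAINED_CA, ROOT], CODE_SIGNING, roots, set()),
        "ca_distrusted": chain_allows_purpose([ROGUE_LEAF, UNCONSTRAINED_CA, ROOT], CODE_SIGNING, roots, {UNCONSTRAINED_CA.subject}),
    }
if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Only the first case is accepted: an intermediate that carries no EKU restriction lets a code-signing leaf validate to the trusted root, while an EKU-constrained intermediate or an explicit distrust entry both cause rejection.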
So far, the virus has not been seen outside the Middle East, but its complexity and rapid spread suggest that it won’t stay contained for long. The virus has been described as “one of the most interesting and complex malicious programs we have ever seen.”