Flame Virus Now Pretending to Be Windows Update

June 5, 2012 | May 10th, 2022 | Technology News

Flame, a virus that can infect just about any computer in existence, has a new face: that of Windows Update. Recently, the virus has gained some footing by tapping into Microsoft’s Terminal Server and hijacking security certificates. Even the most well-protected computers believe the certificates are legitimate.

The designers of Flame created the virus to utilize Snack, Munch, and Gadget, three applications that are commonly used to infect PCs on their own. As a trio, they can trick a computer into redirecting traffic to a fake Web server while simultaneously installing a fake Windows Update application.

Spoofing the Windows Update program is a sophisticated and complicated process, says Symantec. “Hijacking Windows Update is not trivial because updates must be signed by Microsoft. However, Flamer bypasses this restriction by using a certificate that chains to the Microsoft Root Authority and improperly allows code signing. So when a Windows Update request is received, the GADGET module through MUNCH provides a binary signed by a certificate that appears to belong to Microsoft.”

Flame’s original focus was on high-end PCs holding valuable information regarding bank accounts, but because Windows Update is the new target, just about any computer can now become a victim. Historically, Windows Update could be spoofed only by a program relying on an unauthorized certificate in a “man-in-the-middle” attack. Flame is the most advanced spoof yet, employing not only the man-in-the-middle technique, but also taking screenshots, recording audio, and stealing passwords and login information.

Microsoft has already issued a Security Advisory and released an update in an attempt to block the fake certificates, and they have blocked the Terminal Server Licensing Service that was allowing the fake certificates to be signed. The company is also working tirelessly to release a more advanced and secure version of Windows Update.

So far, the virus has not been seen outside of the Middle East, but its complexity and quick spread seem to indicate that it won’t stay contained for very long. The virus has been described as “one of the most interesting and complex malicious programs we have ever seen.”

Jason Manteiga