Flame Virus Disguised as Microsoft Certificates Invades Windows-Based Machines

Jun 15, 2012

The Flame virus has been all over the tech news in recent weeks due to its attack on Iran's nuclear and oil export facilities and its accidental release to the public. After the virus was found and its details hit the news, the command-and-control infrastructure went quiet for a couple of days, only to reawaken in Germany. It is unknown whether the virus was activated by researchers or whether it was looking for a new target. Either way, several Windows machines were attacked on Monday by the virus using unauthorized Microsoft digital certificates.

An unauthorized certificate allows the virus to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Content spoofing allows the virus to insert malicious text into a web page, thereby changing the viewable content. Man-in-the-middle, or bucket brigade, attacks allow a third party to insert itself into a conversation between two other entities and take control over both ends of the communication.

Software and devices that can be infected include all Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 machines. Windows Server 2008 Server Core is susceptible, as are Windows Mobile 6 and Windows 7 devices.

Microsoft has released a security advisory relating to this issue for IT professionals. Midsize business IT professionals should install updates on all machines with the above software installed. Microsoft does not have a fix for computers that are already infected.

Mikko Hypponen, chief research officer for F-Secure, said that one of the modules in the Flame virus can create a man-in-the-middle attack. He says, "If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root."
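For an administrator who wants to see what "chained up to Microsoft root" means on a given machine, the following PowerShell snippet is an added example (not code from the article, F-Secure, or Microsoft). It takes the path of a signed executable, reports the Authenticode signature status, walks every certificate in the signer's chain to the root, and then lists the local Disallowed (Untrusted Certificates) store, which is where Microsoft's advisory update places the certificates that should no longer be trusted. The default path is a placeholder and should be replaced with the file under inspection.

```powershell
# Added example: inspect a file's Authenticode signer chain and the local
# Disallowed store. Not part of the original article.
function Test-SignerChain {
    param(
        # Placeholder default; point this at the executable you want to check.
        [string]$Path = "$env:SystemRoot\System32\notepad.exe"
    )

    # Signature status (Valid, NotSigned, HashMismatch, UnknownError, ...)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    "File:   $Path"
    "Status: $($sig.Status)"

    if ($sig.SignerCertificate) {
        # Build the chain from the leaf signer up to a trusted root,
        # checking revocation online where possible.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $null = $chain.Build($sig.SignerCertificate)

        "Chain (leaf first):"
        foreach ($element in $chain.ChainElements) {
            "  {0}`n     thumbprint={1}" -f $element.Certificate.Subject,
                                           $element.Certificate.Thumbprint
        }

        # Any non-empty ChainStatus means the chain is not fully trusted
        # (untrusted root, revoked certificate, expired, etc.).
        foreach ($status in $chain.ChainStatus) {
            "Chain status: $($status.Status) - $($status.StatusInformation)"
        }
    }

    # Certificates Windows explicitly distrusts. A signer or intermediate
    # listed here will cause the chain build above to fail.
    "Disallowed store entries:"
    Get-ChildItem Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Thumbprint, NotAfter |
        Format-Table -AutoSize
}

Test-SignerChain
```

Run it in an elevated PowerShell session so the LocalMachine store is readable; the chain output shows each intermediate between the signer and the root, which is the level at which the misused certificates sit.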

Dark Reading reports there are over 80 domains with 24 IP addresses currently up and maintaining the Flame virus. Kaspersky Lab and OpenDNS have brought down 30 of the command-and-control servers, but there are obviously more out there. Since this virus does not attack until it is commanded to do so, the recent Microsoft attacks prove there are still controllers guiding it.

Security experts say that this attack was not performed by standard cyber criminals. If it were, it would have spread quickly, infecting millions of computers and retrieving personal information the hackers could have made money from.

The code is starting to appear on the Internet, and hackers are now aware of some of the tricks the virus is using to get behind various network firewalls. This is the start of a new generation of hacking. Security experts are coming together to find ways to stop the virus, but the hackers are just beginning, as they find new ways to intercept information, break into secure servers, and destroy data.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

