In a blog post, Microsoft explains how it discovered that some components of the malware were signed with certificates that allow software to appear as if it was produced by Microsoft. The certificates, issued by the Terminal Services licensing certification authority and intended only for license server verification, were also used to sign code and make it look as if it originated from Microsoft.
Usually, when security software detects binaries signed with trusted certificates, such as those belonging to Microsoft, it lowers the suspicion level for those binaries or simply whitelists them. This behavior dates from the time when a certificate was considered solid proof, beyond any doubt, that the code came from the company that owns it. During the last two years some big names in the certificate industry were hacked (Verisign, Comodo, Diginotar) and fake certificates were issued for companies like Microsoft, Google, PayPal and others.
For example, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without any access to Microsoft's internal PKI infrastructure. This weakness in the implementation was apparently used by the cybercriminals to make the Flame code appear to be signed by Microsoft.
Microsoft today released an update that revokes trust in the following intermediate CA certificates:
- Microsoft Enforced Licensing Intermediate PCA (2 certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
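The practical lesson of the two paragraphs above is that a valid Authenticode signature chaining to a Microsoft root is not, on its own, a reason to whitelist a binary. The PowerShell script below is an added example written for this post, not Microsoft's code or the update itself. It inspects a file's signature and flags it when the signer certificate does not carry the Code Signing extended key usage (the property the licensing certificates should never have had) or when any certificate in the chain matches one of the intermediate CA names listed above. It assumes Windows PowerShell with access to the file, matches the revoked intermediates by the subject names given in the post rather than by thumbprint (which the post does not provide), and the file path is a placeholder supplied by the caller.

```powershell
# Added example (not part of the original post): audit an Authenticode-signed
# file for the two Flame-related conditions discussed above.
# Assumes Windows PowerShell; $Path is supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Subject names of the intermediates revoked by the update, as listed in the post.
# Matching on subject text is an assumption of this example; a production check
# would compare thumbprints obtained from the update itself.
$RevokedIntermediateSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

# RFC 5280 id-kp-codeSigning: the EKU a legitimate code-signing leaf must assert.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Test-SignerChain {
    param([string]$FilePath)

    $findings = New-Object System.Collections.Generic.List[string]
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Record the platform verdict, but do not stop here: a signature can be
    # "Valid" and still chain through a certificate that should never sign code.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status: $($sig.Status)")
    }
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        return [pscustomobject]@{ Path = $FilePath; Verdict = 'Unsigned'; Findings = $findings }
    }

    # Check 1: the leaf certificate must assert the Code Signing EKU.
    $eku = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $false
    if ($eku) {
        $hasCodeSigning = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid }).Count -gt 0
    }
    if (-not $hasCodeSigning) {
        $findings.Add("Signer '$($signer.Subject)' lacks the Code Signing EKU")
    }

    # Check 2: walk the chain and compare every element against the revoked list.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.Build($signer)
    foreach ($element in $chain.ChainElements) {
        $subject = $element.Certificate.Subject
        foreach ($bad in $RevokedIntermediateSubjects) {
            if ($subject -like "*$bad*") {
                $findings.Add("Chain contains revoked intermediate: $subject")
            }
        }
    }

    $verdict = if ($findings.Count -eq 0) { 'Trusted' } else { 'Suspicious' }
    return [pscustomobject]@{ Path = $FilePath; Verdict = $verdict; Findings = $findings }
}

Test-SignerChain -FilePath $Path | Format-List
```

Run it as `.\Test-SignerChain.ps1 -Path C:\path\to\binary.exe`. On a machine that has not yet applied the update, the chain walk is what catches a binary signed under the licensing CAs; after the update, `Get-AuthenticodeSignature` itself will report the signature as untrusted, and the EKU check remains useful as a general rule for any "trusted publisher" logic that currently keys only on the root.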
We highly recommend that all users apply this update immediately.