As more and more researchers work on the Flame malware, we learn more about how it became such a huge threat to all of us. Computerworld has published the security researchers’ findings: Flame spreads through a network by abusing the Windows Update mechanism.
This finding finally answers the question of how Flame infected fully patched Windows 7 machines. The attackers exploited a flaw in the Microsoft Terminal Services licensing certificate authority, which allowed them to generate a new certificate that appeared to be “signed” by Microsoft. A certificate of that kind gave the attackers a clear path into almost any computer running Windows.
Researchers found that one of the certificates was valid between February 2010 and February 2012, which tells them fairly precisely when the Flame developers were working on it. Malware of this kind had never been seen before. Many security experts were simply amazed, calling it “the Holy Grail of malware writers” and “the nightmare scenario” for antivirus researchers. Both Symantec and Kaspersky, however, said that Flame did not actually compromise anything in Windows Update itself: it never infiltrated the service or its servers.
Flame worked slightly differently. It made an infected PC impersonate Windows Update, so that all other computers on the network believed it was the Windows Update server. It collected NetBIOS information (which identifies each computer) and used that information to target the Windows Update requests those machines send through Internet Explorer. Flame presents itself as the Web Proxy Auto-Discovery Protocol (WPAD) server and hands out proxy configuration files to the requesting PCs.
WPAD hijacking is nothing new; it is commonly found in attack toolkits. Here, though, the configuration file sent to a computer makes that machine route all of its traffic through the infected system. When Flame sees a requested URL that matches the Windows Update URL, it serves a downloader disguised as an update from Microsoft, packaged as a .cab file, instead of the real update. Once that “update” is executed, it downloads a copy of Flame from the already-infected PC.
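To show the defender’s side of the redirect described above, here is an added Python example (not from the article or from any of the researchers it cites) that scans a WPAD/PAC file and proxy log lines and flags Windows Update traffic that is being routed through a proxy other than the organisation’s known one. The Windows Update hostnames, the trusted proxy address, the PAC text and the log lines are all constructed assumptions for this example.

```python
import re

# Hostnames Windows Update clients talk to (assumed list for this example).
UPDATE_HOST_PATTERNS = ("windowsupdate.com", "update.microsoft.com")
# Constructed: the only proxy this hypothetical network is allowed to use.
TRUSTED_PROXIES = {"10.0.0.5:8080"}
PROXY_RE = re.compile(r"PROXY\s+([\w.\-]+:\d+)")
LOG_RE = re.compile(r"client=(\S+)\s+proxy=(\S+)\s+url=(\S+)")

def mentions_update_host(text):
    """True if the text names a Windows Update host."""
    lowered = text.lower()
    return any(host in lowered for host in UPDATE_HOST_PATTERNS)

def rogue_pac_proxies(pac_text):
    """Proxies that a PAC file assigns to Windows Update hosts but that are not trusted."""
    flagged = set()
    for statement in pac_text.split(";"):          # one PAC rule per statement
        if mentions_update_host(statement):
            for proxy in PROXY_RE.findall(statement):
                if proxy not in TRUSTED_PROXIES:
                    flagged.add(proxy)
    return flagged

def suspicious_update_requests(log_lines):
    """(client, proxy, url) for update downloads that went through an untrusted proxy."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        client, proxy, url = match.groups()
        if mentions_update_host(url) and proxy not in TRUSTED_PROXIES:
            hits.append((client, proxy, url))
    return hits

# Constructed sample PAC file of the kind a rogue WPAD server would hand out.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.windowsupdate.com")) return "PROXY 192.168.1.77:80";
  if (shExpMatch(host, "*.example.com")) return "PROXY 10.0.0.5:8080";
  return "DIRECT";
}"""

# Constructed proxy log lines; only the first one is the Flame-style redirect.
SAMPLE_LOGS = [
    "client=192.168.1.20 proxy=192.168.1.77:80 url=http://download.windowsupdate.com/x.cab",
    "client=192.168.1.21 proxy=10.0.0.5:8080 url=http://download.windowsupdate.com/y.cab",
    "client=192.168.1.22 proxy=192.168.1.77:80 url=http://intranet.example.com/index.html",
]
```

Feeding the real PAC file a client received and the real proxy or web-filter logs into these two functions gives a quick check for update traffic being steered to an unexpected internal host.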
Because this virus uses such a complex technique to spread, researchers hold it in some regard, calling it the most interesting and complex malicious program ever seen. Microsoft has, however, blocked the three certificates the attackers used, so further spoofing of Windows Update will not be possible unless other such certificates exist in the wild. Microsoft has also stopped others from creating new code-signing certificates this way.