Flame exploits Windows bug to attack PCs

BOSTON Mon Jun 4, 2012 6:41pm EDT

A variety of logos hover above the Microsoft booth on the opening day of the International Consumer Electronics Show (CES) in Las Vegas January 10, 2012. REUTERS/Rick Wilking

BOSTON (Reuters) - Microsoft Corp warned that a bug in Windows allowed PCs across the Middle East to become infected with the Flame virus and released a software fix to fight the espionage tool that surfaced last week.

Security experts said they were both surprised and impressed by the approach that the attackers had used, which was to disguise Flame as a legitimate program built by Microsoft.

"I woke up to this news and I couldn't believe it. I had to ask, 'Am I reading this right?'" said Roel Schouwenberg of Russian security firm Kaspersky Lab, one of the researchers who helped discover the Flame virus.

Experts described the method as "elegant" and they believed it had likely been used to deliver other cyber weapons yet to be identified.

"It would be logical to assume that they would have used it somewhere else at the same time," said Mikko Hypponen, chief research officer for security software maker F-Secure.

If other types of cyber weapons were indeed delivered to victim PCs using the same approach as Flame, then they will likely be exposed very quickly now that Microsoft has identified the problem, said Adam Meyers, director of intelligence for security firm CrowdStrike.

Cyber weapons that bear the fake Microsoft code will either stop working or lose some of their camouflage, said Ryan Smith, chief research scientist with security firm Accuvant.

A spokeswoman for Microsoft declined to comment on whether other viruses had exploited the same flaw in Windows or if the company's security team was looking for similar bugs in the operating system.

Flame's code included what is known as a digital certificate, which falsely identified it as a piece of software from Microsoft.

The creators of the virus obtained that certificate by manipulating a component of the Windows operating system known as terminal services licensing, or TS licensing, that is designed to authorize business customers to use advanced features of Windows.

A bug in TS licensing allowed the hackers to use it to create fake certificates that identified Flame as being from Microsoft, Mike Reavey, a senior director with Microsoft's Security Response Center, said in a blog post.

Reavey said he feared that other hackers might be able to copy the technique to launch more widespread attacks with other types of viruses.

"We continue to investigate this issue and will take any appropriate actions to help protect customers," Reavey said in the blog post.

News of the Flame virus, which surfaced a week ago, generated headlines around the world as researchers said that technical evidence suggests it was built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010. Researchers are still gathering information about the virus.

Microsoft's warning is available at blogs.technet.com/b/msrc/

(Reporting by Jim Finkle in Boston; Editing by Gary Hill and Leslie Gevirtz)

Comments (5)
Alexander_Sr wrote:
Windows has flaws and Microsoft even admits it. What is this world coming to.

Jun 04, 2012 2:03pm EDT
TheUSofA wrote:
“News of the Flame virus, which surfaced a week ago, generated headlines around the world as researchers said that technical evidence suggests it was built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010.”

Confirmed: US and Israel created Stuxnet, lost control of it

http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/

Jun 04, 2012 3:00pm EDT