Microsoft Certificate Was Used To Sign Flame Malware

wiredmikey writes "Microsoft disclosed that 'unauthorized digital certificates derived from a Microsoft Certificate Authority' were used to sign components of the recently discovered Flame malware. 'We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,' Microsoft Security Response Center's Jonathan Ness wrote in a blog post. Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks. In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed."

Surprised this isn't regulated more closely

[danbuter]

I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

Re:Surprised this isn't regulated more closely

[Dogtanian]

I kind of thought Microsoft would make damn sure someone else couldn't duplicate their signatures (barring an employee or a government doing it).

Given the blurb for this story that also appeared today...

All three were most likely developed by a Western intelligence agency as part of covert operations [..] consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets

I think that *this* part of your comment:-

(barring an employee or a government doing it)

may answer your own question. Aside from the fact that governments would have had massive resources to start off with, it's also probable that MS were (at least) forced to allow those governments access or involvement at some level to otherwise secure or confidential aspects of their software.

If this is the case, then at the very least, they could have used such knowledge to give themselves an advantage. Going one step further, it's possible that they used or exploited this to help steal or get access to those keys.

But given that it's widely claimed that the US government was involved in the creation of Stuxnet, it's equally plausible that MS willingly gave- or were pressurised into giving- them those certificates knowingly, even if they might not have known exactly what they were for.

This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible.

Re:Surprised this isn't regulated more closely

[fuzzyfuzzyfungus]

The Feds may also be leaning on MS/Verisign/whoever; but this instance appears to be one of rather serious fuck-uppery. From MS's blog entry:

"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."

So, guys, turns out that we accidentally built our phone-home DRM such that the cryptographic "OK, your CALS are worthy unto Redmond and thou mayst remote desktop" message is also a valid signing key with a chain of trust going right back up to a default-trusted Microsoft cert... Oops.

Now, given that (so far as we know, clearly team AV isn't in any position to tell us) this little mistake was not widely known or exploited, clearly the Flame guys were on the ball(and far more interested in spying on Iran or whoever than in improving the security of domestic computers... thanks a whole fucking lot on that one, feds).

Re:Surprised this isn't regulated more closely

[mcgrew]

So much for "SafeBoot". maybe we shoulc now start calling it "unsafe boot"?

Re:Surprised this isn't regulated more closely

[Spyder]

Stuxnet was signed by stolen certificates: http://www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers?print_mode=1 . it's possible that Flamer was signed by compromised certificates, but if we believe that Stuxnet and Duqu were the products of a nation state level actor then we could conclude that Flamer is in the same category.

Re:Surprised this isn't regulated more closely

[Spiked_Three]

"This is just speculation- I don't know any of this for sure, or have any special knowledge of the situation. But it does add up to being at least plausible."

I have a little knowledge, not a lot, and yes this is exactly the kind of thing that can happen. it is quite impressive what happens when as a company you tell NSA no. In my limited experience, it changes to yes less than a month later.

Simple reality, microsoft probably let a bug/flaw slip through a while back, if that was not the case then they were told to. laugh all you want, but if any other operating system had been the target, do you think the outcome would have been any different? oh, and here is another amazing fact; it will happen again if desired.

Re:Surprised this isn't regulated more closely

Sorry, but when you run Windows, MS does the thrusting.

Yay for security!

Proving once and for all that Microsoft's control of the bootloader key that is used everywhere will make all future computers more secure!

Re:Yay for security!

[peppepz]

GP is perfectly right, if anything. Microsoft will control by default all bootloaders, and this event shows that Microsoft are unable to maintain their chain of trust. The fact that there can be (or not - cf. ARM) an undocumented, user-unfriendly, unspecified procedure to add other people's keys doesn't change a bit of that.

Re:Yay for security!

[peppepz]

First they came for ARM on the desktop, and I didn't speak because I didn't care...

Re:Yay for security!

[betterunixthanunix]

That is not true for ARM "Windows 8 Ready" platforms, but seriously who cares about ARM on the desktop?

Maybe you are not creative enough to think of a reason to use ARM on a desktop? I can think of some:

1. Low power situations -- I have a little ARM desktop that uses only 4W of power; this would be great if I were in a situation where I had to generate my own power, e.g. in a boat, in an RV, in a shack somewhere, etc.
2. Low cost computers e.g. Raspberry Pi.

There you go, some situations where an ARM desktop might make sense. Really though, this misses the more important point: why should a computer user ever be barred from installing the software they want to install? Allowing people to install new signing keys for their computer is not at all unreasonable; it could be as simple as pressing a button and inserting a thumb drive (enough effort to make social engineering harder, but not so much effort that an untrained person would not be able to handle it).

Re:Yay for security!

[recoiledsnake]

No, first they came for phones and tablets, and they can barely keep them in stock with people falling over themselves and risking stampedes to buy them.

http://www.macobserver.com/tmo/article/gartner_apple_turns_its_complete_inventory_every_5_days/

But somehow it's fashionable only to slag Microsoft on here and ignore the elephant in the room with the lion's share of devices and profits.

Re:Yay for security!

[0123456]

The same way they train home users to install another OS?

Boot from CD and hit 'Install'?

Nope. Not going to work in the Glorious People's Secure Boot Dictatorship.

In fact, I presume you won't even be able to boot from CD without disabling 'Secure Boot' in the BIOS.

Remember the Kernel Backdoor

I think it was an SHS exploit or something in the Windows Kernel. Steve Gibson stepped through the Kernel and concluded that this vulnerability was an intentionally placed backdoor, perhaps by a Microsoft employee. It's in one of his earlier podcasts. Lots of people thought maybe he was crazy at the time, but in retrospect ... maybe not so much.

Re:Nice Headline

[K.+S.+Kyosuke]

What exactly do you mean by "counterfeit"? If the signing key was signed by the genuine Microsoft key, how does that objectively differ from all the other signing keys?

Re:Nice Headline

[joeflies]

It was not a counterfeit microsoft certificate. It was a legitimate microsoft certificate from Terminal Server Licnensing Service, but used for purposes other than it was intended.

UEFI

And this is how they plan to monopolize Secure Boot (UEFI) and get rid of Linux? why should I trust that ONE KEY that microsoft plans to install on all motherboards?

JP

Re:UEFI

[betterunixthanunix]

First of all the Secure Boot in UEFI wasn't mandated by Microsoft

Except when it comes to Windows 8 on ARM systems. Then Microsoft does mandate secure boot.

A feature any OS is free to implement, including linux.

1. Linux is not an operating system, it is a kernel.
2. What difference does it make if other OSes support secure boot, if you cannot install those OSes as a result of secure boot being used?

Secondly, motherboard manufacturers are able to add (or pre-add) any key (or none at all) if they choose.

This is a cop out; unless there is a simple way for users to install their own keys, this is something that will further restrict how people can use their computers. You can jailbreak your iPad if you want, but the majority of people have trouble doing so.

Thirdly, there is nothing keeping users from being able to install their own key (or additional keys) through the UEFI boot process, assuming the UEFI manufacturer provides one.

...which is something Microsoft pressures them not to do on ARM devices:

https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/

Really, stop spreading your FUD.

What FUD? We said years ago that iPad style lock-down is coming to desktops and laptops; now we have moved a step closer. There is a lot of money to be made from attacking computer users' freedom, and now that Apple has pulled in billions of dollars doing so, everyone else wants to join the party.

Re:UEFI

[betterunixthanunix]

the vendor can just pay $99

The fact that this is phrased in terms of "vendors" should indicate that this is an attack on user freedom. A fee to install your signing key creates obstacles for anyone who wants to fork a GNU/Linux distribution (happens all the time), anyone who wants to create their own distribution, and anyone who wants to try "Linux from Scratch" (and I know of a few people who have done so). It also creates an obstacle for anyone who wants to write their own kernel or OS; if Linus Torvalds had to pay $99, the Linux kernel itself may never have been created.

Even if you think that isn't "simple" enough

The fact that money is involved makes it a major barrier, and counts very strongly against the process being "simple" (it requires a payment to be processed, a third party to the new key, etc. -- you cannot even test a system without the fee; compare with TLS, where you can generate a usable test certificate without paying anyone).

the feature can just be disabled on x86 machines.

Only if the motherboard manufacturer allows it, and this is not allowed on ARM machines that will run Windows 8. Considering the inroads ARM has made into personal computing, I do not think it is unfair to say that the decisions made today about ARM computers will shape the reality of personal computing over the next decade. We are already seeing this happening; app stores are the norm, people are talking about trendy apps, etc.

Re:Nice Headline

[Psykechan]

The certs issues from the Terminal Server Licensing Service were intended to be used only for connections and not code signing. This is Microsoft's blunder. They weren't actually licensing malicious certificates but they were giving people tools to issue what appeared to be valid certs coming from MS.

The fixes are going to be changing TSLS so that its certs can no longer be used to sign code and revoking the intermediate CA certs that are affected.

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

Really?

[Corson]

Flamer is out in the wild since cca. 2007, with a MS signed certificate, and the only IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Isn't this a bit strange? Isn't it more likely that this NA-designed spyware targetting the Middle East was released with the tacit agreement of Western security companies and it only became known because the Russians, for some reason, decided they would not play the game? Microsoft being unaware for thw last few years that hundreds of computers are infected with a 20 MB spyware pack bearing a security certifice of their own? Come on...

Today's Lesson

[Adrian+Lopez]

So... what did we learn today?

1. Signed code is not safe code.
2. An insecure operating system that only runs signed code is still an insecure operating system.