Flame virus can hijack PCs by spoofing Windows Update
June 5, 2012 | Source: CNET
The infamous Flame virus can infect even secure PCs by tricking them into believing its malicious payload is actually an update from Microsoft.
As we already know, Flame has gained traction by tapping into security certificates for Microsoft’s Terminal Server. Though they appear to be digitally signed by Microsoft, the certificates are actually cooked up by the people behind Flame, thereby tricking PCs into accepting them as legitimate.
Microsoft and Symantec revealed yesterday that the virus can up the ante by using the fake certificates to spoof Microsoft’s own Windows Update service. As a result, Windows PCs could receive an update that claims to be from Microsoft but is in fact a launcher for the malware.
Microsoft also confirmed the risk to Windows Update, explaining that the vulnerability could be used to attack customers who weren’t the focus of the original Flame virus.
“In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack,” Microsoft said. The Flame virus itself has employed a man-in-the-middle attack to steal data, listen in on audio conversations, and take screenshots of screen activity.
Microsoft has already taken action by issuing a Security Advisory on how to block software signed by the unauthorized certificates, releasing an update to block the rogue certificates, and cutting off the ability of the Terminal Server Licensing Service to issue certificates that allow code to be signed.