Microsoft discovered that the Flame malware has components that carry a Microsoft-issued certificate. That is a new way of using malware: pretending to be a legitimate source of software while, underneath, running a program that will cause havoc on a computer system.
According to Wikipedia:
“Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries… The last of these stated in its report that ‘sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.’”
The malware creators used the Microsoft Terminal Server Licensing Service certificate, which uses the MD5 hashing algorithm. They produced a counterfeit certificate to sign some components of the malware to make them appear to have originated from Microsoft.
The Microsoft Impact
Microsoft found that some of the techniques used by this malware could be reused by less sophisticated attackers to launch more widespread attacks. But it also contends that most Windows users will not be affected, because the targets of this attack were very specific: the Middle East.
Nevertheless, Microsoft has released a Windows Update patch that users should install. At its site, Microsoft lists 15 versions of the update covering multiple versions of Windows, from XP to x64-based versions of Windows Embedded Standard 7.
In the meantime, Microsoft has removed the certificates that could be used in spoofing, at least cleaning that up at its level. It found that certificates issued by the Terminal Services licensing certification authority, which is intended to be used only for license server verification, could also be used to sign code as Microsoft.
So Microsoft will discontinue issuing certificates that could be used to sign code via the Terminal Services activation process.
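The purpose problem described above, as an added example written for this post (not code from the original article or from Microsoft): a constructed three-certificate chain in Go's crypto/x509, where a "licensing" sub-CA stands in for a CA meant only for license server verification. The root, CA and signer names are made up. It shows that a sub-CA with no EKU restriction lets a code-signing leaf verify, while a sub-CA whose EKU is limited to server authentication does not, which is the kind of purpose check a verifier needs to apply to every certificate in the chain, not only the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn carrying EKU set eku (nil = no EKU extension, i.e. unrestricted)
// under parent, or self-signs it when parent is nil. Any failure is fatal in this demo.
func issue(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: eku}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CodeSigningAccepted builds a constructed root -> licensing sub-CA -> signer chain (not Microsoft's real chain) and reports whether the signer verifies for code signing when the sub-CA carries EKU set subCAEKU.
func CodeSigningAccepted(subCAEKU []x509.ExtKeyUsage) bool {
	root, rootKey := issue("Constructed Root CA", 1, true, nil, nil, nil)
	subCA, subKey := issue("Constructed Licensing CA", 2, true, subCAEKU, root, rootKey)
	leaf, _ := issue("Constructed Signer", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, subCA, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	// Require the code-signing purpose from every certificate in the chain, not just the leaf.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
```

CodeSigningAccepted(nil) returns true, while CodeSigningAccepted with a sub-CA EKU of only x509.ExtKeyUsageServerAuth returns false, because Go's verifier crosses out any requested usage that an intermediate does not permit.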