W32.Flamer: Leveraging Microsoft Digital Certificates

Microsoft has released Security Advisory 2718704 in relation to Flamer. Flamer used a Microsoft supplied certificate to sign components of Flamer, which would chain up to the trusted Microsoft Root Authority. These signed components would thus appear to come from Microsoft.

Microsoft Terminal Services (or Remote Desktop Protocol) allows thin-clients access to Windows applications or an entire Windows desktop. Microsoft provides a license management system for Terminal Services consisting of a Terminal Services Licensing server. The server can provide licenses to clients (client access licenses) and provide an enterprise the ability to administrate and enforce licenses for connecting clients within their environment.

In order to use the Terminal Services Licensing server, it must first be activated by contacting Microsoft.  Microsoft issues the Terminal Services Licensing server a certificate as part of activation allowing Microsoft to individually identify and verify proper ownership of the Terminal Services server. These certificates chain up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, which further chain up to the Microsoft Root Authority. While the issued certificate is a limited-use certificate, the certificate improperly allows code signing.

Flamer uses such a certificate to sign code causing the code to appear to be produced by Microsoft.

We encourage administrators to review Security Advisory 278704 and update computers as appropriate. Microsoft has corrected this issue through an update, which includes moving three certificates to the Untrusted Certificate Store, invalidating the improperly signed executables.

Flamer components are detected by Symantec as W32.Flamer.