New details are emerging about how Flame malware is infecting computers that run on Microsoft’s Windows operating system.
Researchers at both Symantec and Kaspersky Labs studied the way the attack was being executed and determined that the malware was able to infiltrate a user’s computer when a Windows Update was performed.
“When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client,” Alexander Gostev wrote in a Kaspersky Labs blog post.
In other words, Flame tricks the machine into thinking it’s receiving code from Microsoft, a trusted source, when the computer is instead receiving the malware. In this way, experts say, Flame has been able to infiltrate even “fully patched” PCs. Microsoft says the malware can infect every version of the Windows operating system that the company currently supports.
Microsoft first issued a security advisory about Flame on Sunday, saying: “Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”
In a blog post, Microsoft’s security experts say they have revoked the unauthorized digital certificate that was allowing the malware to penetrate PCs. The company advises users to deploy the update that contains this revocation as soon as possible, saying that doing so should protect them from the attacks.
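How a client-side check of a signed update behaves in the situation described above, as an added illustration that is not code from the article, from Microsoft, or from the researchers quoted: it builds a constructed test PKI with placeholder names, signs one genuine update and one update with an unauthorized certificate issued under the same sub-CA, and shows that signature and chain validation alone accept both (which is why a "fully patched" client could be fooled), while an untrusted-certificate list, the client-side effect of the revocation update Microsoft describes, rejects the second. All certificate names, payloads and the `SignedUpdate` format are constructed for the example; extended-key-usage checks and real CRL/OCSP handling are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn, self-signed when parent is nil (constructed test PKI only).
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SignedUpdate is a simplified update package: payload, ECDSA signature over its SHA-256 digest, signer chain (leaf first).
type SignedUpdate struct {
	Payload, Sig []byte
	Chain        []*x509.Certificate
}

func signUpdate(payload []byte, key *ecdsa.PrivateKey, chain ...*x509.Certificate) *SignedUpdate {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &SignedUpdate{Payload: payload, Sig: sig, Chain: chain}
}
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// verifyUpdate accepts an update only if the signature matches, the signer chains to a trusted root, and nothing in that chain is untrusted.
func verifyUpdate(u *SignedUpdate, roots *x509.CertPool, untrusted map[string]bool) error {
	leaf := u.Chain[0]
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(u.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], u.Sig) {
		return fmt.Errorf("signature does not match payload")
	}
	inter := x509.NewCertPool()
	for _, c := range u.Chain[1:] {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return fmt.Errorf("chain does not reach a trusted root: %w", err)
	}
	for _, c := range chains[0] {
		if untrusted[fingerprint(c)] {
			return fmt.Errorf("certificate %q is on the untrusted list", c.Subject.CommonName)
		}
	}
	return nil
}

// RunScenario builds a placeholder PKI (not real Microsoft certificates) and reports whether the client
// accepts a genuine update, an update signed with an unauthorized cert issued under the same sub-CA, and
// that same update once the cert has been added to the untrusted list.
func RunScenario() (genuineAccepted, rogueAcceptedBefore, rogueAcceptedAfter bool) {
	root, rootKey := newCert("Example Root CA (constructed)", 1, true, nil, nil)
	sub, subKey := newCert("Example Sub CA (constructed)", 2, true, root, rootKey)
	genuine, genuineKey := newCert("Update Signer (constructed)", 3, false, sub, subKey)
	rogue, rogueKey := newCert("Unauthorized Signer (constructed)", 4, false, sub, subKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	untrusted := map[string]bool{}
	good := signUpdate([]byte("constructed genuine update body"), genuineKey, genuine, sub)
	bad := signUpdate([]byte("constructed malicious update body"), rogueKey, rogue, sub)
	genuineAccepted = verifyUpdate(good, roots, untrusted) == nil
	rogueAcceptedBefore = verifyUpdate(bad, roots, untrusted) == nil // chain validation alone cannot reject it
	untrusted[fingerprint(rogue)] = true                                // the revocation update arrives
	rogueAcceptedAfter = verifyUpdate(bad, roots, untrusted) == nil
	return
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `true true false`: the unauthorized certificate passes every cryptographic check because it really was issued under the trusted CA, so the only thing that stops the fake update is distributing the revocation to clients, which is exactly why the advisory tells users to install that update promptly.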
Flame has raised alarms among security experts for its high level of sophistication. They say it is capable of recording keystrokes and audio conversations, as well as taking screenshots.
Estimates vary for how many computers have so far been infected by the malware. CNET says in a blog post it could be as few as 300 or perhaps more than 1,000, while security experts cited by Reuters put the number at “several thousand.” So far, researchers say most of those attacks have been limited to users in the Middle East, especially Iran.