Flame malware mimics a Windows update

New details are emerging about how Flame malware is infecting computers that run on Microsoft’s Windows operating system.

Researchers at both Symantec and Kaspersky Labs studied the way the attack was being executed and determined that the malware was able to infiltrate a user’s computer when a Windows Update was performed.


“When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client,” Alexander Gostev wrote in a Kaspersky Labs blog post.

In other words, Flame tricks the machine into thinking it’s receiving code from Microsoft, a trusted source, when the computer is actually receiving the malware. In this way, experts say, Flame has been able to infiltrate even “fully patched” PCs. Microsoft says the malware can infect all the versions of the Windows operating system that the company currently supports.

Microsoft first issued a security advisory about Flame on Sunday, saying: “Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

In a blog post, Microsoft’s security experts say they’ve canceled (revoked) the unauthorized digital certificate that was allowing the malware to penetrate PCs. The company advised users to deploy an update that includes this cancellation as soon as possible, saying that doing so should protect them from attacks.
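The two mitigations described above, the revocation of the unauthorized certificate and the client refusing anything signed under it, can be checked from an administrator’s PowerShell session. The script below is an added example and is not code from the article or from Microsoft, Kaspersky Lab or Symantec. It assumes the issuer match string `*Microsoft*` as a heuristic for spotting the revoked Microsoft-derived certificates in the Disallowed store, and `$UpdatePackage` is a placeholder path to a package you downloaded yourself for inspection.

```powershell
# Added example (not code from the article, Microsoft, Kaspersky Lab or Symantec).
# Defender-side checks for the two mitigations the article describes:
#   1. Confirm the cancelled (revoked) certificates have reached this machine by
#      inspecting the Disallowed store, where Windows keeps explicitly untrusted certs.
#   2. Verify an update package's Authenticode signature and refuse it if any
#      certificate in the signer's chain is in the Disallowed store.
# Assumptions: the issuer match string '*Microsoft*' is a heuristic, and
# $UpdatePackage points at a package you downloaded yourself for checking.

function Get-DisallowedThumbprints {
    # Every certificate the OS has been explicitly told never to trust.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object -ExpandProperty Thumbprint
}

function Test-RevocationUpdateApplied {
    # Heuristic (assumption): once Microsoft's cancellation has been deployed,
    # the Disallowed store contains certificates whose issuer is a Microsoft CA.
    $msIssued = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Issuer -like '*Microsoft*' }
    return (@($msIssued).Count -gt 0)
}

function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)

    $result = [pscustomobject]@{ Path = $Path; Accept = $false; Reason = '' }

    # Step 1: Windows' own Authenticode verification. Anything but 'Valid'
    # (NotSigned, HashMismatch, NotTrusted, ...) is rejected outright.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "Authenticode status: $($sig.Status)"
        return $result
    }

    # Step 2: rebuild the signer's chain with online revocation checking and
    # compare every element against the Disallowed store. Windows already
    # distrusts these certificates during chain building; this makes the
    # reason for a rejection explicit in the output.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($sig.SignerCertificate)
    if (-not $built) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $result.Reason = "Chain did not build cleanly: $statuses"
        return $result
    }
    $disallowed = Get-DisallowedThumbprints
    foreach ($element in $chain.ChainElements) {
        if ($disallowed -contains $element.Certificate.Thumbprint) {
            $result.Reason = "Chain contains disallowed certificate: $($element.Certificate.Subject)"
            return $result
        }
    }

    $result.Accept = $true
    $result.Reason = 'Valid Authenticode signature, no disallowed certificate in chain'
    return $result
}

# Usage (assumed placeholder path):
$UpdatePackage = 'C:\Temp\downloaded-update.msu'
"Revocation update present on this machine: $(Test-RevocationUpdateApplied)"
if (Test-Path $UpdatePackage) {
    Test-UpdatePackageSignature -Path $UpdatePackage | Format-List
}
```

Run it in an elevated session so the machine store is readable. A `$false` from `Test-RevocationUpdateApplied` on a patched system means the issuer heuristic needs adjusting for your environment rather than that the update is missing; the Authenticode check is the authoritative part, and the explicit Disallowed-store comparison only spells out why a package was refused.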

Flame has raised alarms among security experts for its high level of sophistication. They say it is capable of recording keystrokes and audio conversations, as well as taking screenshots.

Estimates vary for how many computers have so far been infected by the malware. CNET says in a blog post it could be as few as 300 or perhaps more than 1,000, while security experts cited by Reuters put the number at “several thousand.” So far, researchers say most of those attacks have been limited to users in the Middle East, especially Iran.
