Flame malware mimics a Windows update

New details are emerging about how Flame malware is infecting computers that run on Microsoft’s Windows operating system.

Researchers at both Symantec and Kaspersky Labs studied the way the attack was being executed and determined that the malware was able to infiltrate a user’s computer when a Windows Update was performed.

“When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client,” Alexander Gostev wrote in a Kaspersky Labs blog post.

In other words, Flame tricks the machine into thinking it’s receiving code from Microsoft, a trusted user, but the computer is instead receiving the malware. In this way, experts say, Flame has been able to infiltrate even “fully patched” PCs. Microsoft says the malware can infect all the versions of the Windows operating system that the company currently supports.

Microsoft first issued a security advisory about Flame on Sunday, saying: “Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

In a blog post, Microsoft’s security experts say they’ve canceled the unauthorized digital certificate that was allowing the malware to penetrate PCs. The company advised users to deploy an update that includes this cancellation as soon as possible and that doing so should protect them from attacks.

Flame has raised alarms among security experts for its high level of sophistication. They say it is capable of recording keystrokes and audio conversations, as well as taking screenshots.

Estimates vary for how many computers have so far been infected by the malware. CNET says in a blog post it could be as few as 300 or perhaps more than 1,000, while security experts cited by Reuters put the number at “several thousand.” So far, researchers say most of those attacks have been limited to users in the Middle East, especially Iran.

Related stories:

Malware writers could adapt Flame for future attacks

Why Sun Tzu would have loved Flame

Timeline: History of hacks

Sarah Halzack is a reporter and Web editor for Capital Business. She covers the local job market and the business of talent and hiring. Previously, she was a Web producer for the Post's daily business and economic news section. She occasionally writes for other sections at the Post, most frequently in the form of dance reviews, dance features, book reviews and obituaries.
SECTION: {section=business, subsection=economy}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, comments_period=14, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: {allow_comments=true, allow_photos=false, allow_videos=false, comments_period=14, comments_source=washpost.com, default_sort=, default_tab=, display_comments=true, is_ugc_gallery=false, max_items_to_display=15, max_items_to_display_top=3, moderation_required=false, stream_id=}!!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, comments_period=14, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Comments
SECTION: {section=business, subsection=economy}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, comments_period=14, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: {allow_comments=true, allow_photos=false, allow_videos=false, comments_period=14, comments_source=washpost.com, default_sort=, default_tab=, display_comments=true, is_ugc_gallery=false, max_items_to_display=15, max_items_to_display_top=3, moderation_required=false, stream_id=}!!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=bg52e9xhqr, display_more=true, moderationrequired=false, includefeaturenotification=true, comments_period=14, defaultsort=reverseChronological, canvas_allcomments_id=washpost.com/km4ey0dajm, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=3, source=washpost.com, allow_photos=false, maxitems=15, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Show Comments
Most Read Business