The spy malware Flame used bogus Microsoft certificates to infect new computers, a prominent cybersecurity expert says. The science needed to pull the trick probably required some of the world’s best knowledge of cryptography.
The virus, which spread across the Middle East and particularly Iran, can mask itself as legitimate patches distributed through a Windows Update, reports Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam.
It does so by providing a fake digital certificate, stating that the malware is a code originating from a trusted producer, which appears to have been issued by Microsoft itself.
Obtaining such a fraudulent certificate required a so-called chosen-prefix collision attack. It’s an attack targeting a specific cybersecurity algorithm called Message-Digest algorithm 5, or MD5. MD5 basically takes a piece of data and turns it into a unique digital fingerprint called a hash.
The important feature of a hash is that it cannot be used to reverse-engineer the original data, so, for instance, a database of password hashes cannot be used to establish the passwords, but can be used to match a password to its hash and verify it. Hash functions are vital to online commerce, safe file distribution and other important parts of cyber infrastructure.
A malign party would want to find a way to find pairs of data, which would generate identical hashes, called a collision. A criminal using hash collisions may intercept communication and act as a middle man, eavesdropping on the exchange or modifying it as he pleases.
For MD5, which was developed in the early 1990s, a way to perform such an attack was first theorized in 2004, although it was deemed impractical by the cybersecurity community. In 2008, Stevens and his group managed to improve on the method and construct a rogue Certification Authority, a body with the authority to issue digital certificates.
The demonstrated vulnerability of MD5 prompted national governments and IT leaders to speed up the shift to better and more secure hash functions. In June 2009, Stevens made public how exactly he and his team performed the attack, assuring that this would not compromise the Internet.
But apparently Microsoft failed to disallow D5-based signatures in their Terminal Server Licensing Service (TSLS), and the authors of the Flame virus made use of this, executing a collision attack in February 2010, Stevens speculates in a statement. The result of this attack was a code-signing certificate appearing to be from Microsoft that may be used to sign Windows Updates. Stevens discovered that the attack took place using custom-made software his team created for their cryptography research.
More interestingly, the Flame collision attack is an entirely new and unknown variant, not the one Stevens used. He adds that the method used by Flame’s coders was already in development before June 2009, when he and his colleagues revealed their take on the problem. “This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis,” Stevens says.
The Flame virus was used by unidentified perpetrators for a massive espionage operation in the Middle East, which lasted for at least two years. It was first reported in late May. Some cybersecurity experts judged that the level of sophistication evident in the malware shows nation-state-level backing was needed to create it.