Flame, believed by experts to have been created by a Western intelligence agency for purposes of information gathering and espionage, has achieved what has long been called the “holy grail” for malware: replicating via Microsoft Windows’ built-in update system.
As Mikko Hypponen, chief research officer at F-Secure, outlined at the “News from the Lab” blog:
The full mechanism isn’t yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.
This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
Except it isn’t signed really by Microsoft.
Signed certificates are how computers know whom to trust. You’re using them every time your web browser switches over to the “https://” mode used by your bank and for e-commerce.
The larger, and to me more incredible, trend here is that Western intelligence agencies are now executing attacks more sophisticated than anything seen previously. In the wake of the astonishingly elaborate Stuxnet attack, if there’s one thing this new Flame exploit proves, it’s that some of the best hackers on the planet are now employed by governments.
This is not an entirely intuitive outcome, when you consider that hacking has traditionally been the bailiwick of a loose and more or less open source confederation of geniuses and malcontents – the sort of hive mind that is difficult to capture within the presumably small, secretive groups working at intelligence agencies.