In a blog post on blogs.technet.com, Microsoft Senior Director Mike Reavey explained how the virus was able to exploit Microsoft software by relying on unauthorized digital certificates.
“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft,” commented Reavey.
Beyond Flame itself, the technique could have been picked up by other attackers had the software company not taken new steps.
To protect against similar malware, Microsoft issued a security advisory revoking trust in the affected certificates: two certificates for Enforced Licensing Intermediate PCA and one for Enforced Licensing Registration Authority CA.
When detailing the virus last week, Kaspersky Lab noted that it likely originated from a nation state and referred to it as “the most sophisticated cyber weapon yet unleashed.” The infection is so large that it amounts to 20 MB once fully deployed on a computer system.
Also notable is Flame’s ability to perform complex operations, including capturing screenshots and recording audio conversations, among a variety of other capabilities.
The ‘Flame’ virus mostly affects Middle Eastern countries, including Iran. It is reminiscent of Stuxnet, a similar worm that previously targeted Iran’s nuclear program. On Friday, the New York Times reported that Stuxnet was developed by the U.S. in coordination with Israel.