Flame
Flame seems to be another military-grade cyber-weapon, this one optimized for espionage. The worm is at least two years old, and is mainly confined to computers in the Middle East. (It does not replicate and spread automatically, which is certainly so that its controllers can target it better and evade detection longer.) And its espionage capabilities are pretty impressive. We’ll know more in the coming days and weeks as different groups start analyzing it and publishing their results.
EDITED TO ADD (6/11): Flame’s use of spoofed Microsoft security certificates. Flame’s use of a previously unknown MD5 chosen-prefix collision attack.
Microsoft has a detailed blog post on the attack. The attackers managed to get a valid code-signing certificate using a signer that only accepts restricted client certificates.
EDITED TO ADD (6/12): MITM attack in the worm. There’s a connection to Stuxnet. A self-destruct command was apparently sent.
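Added example, not code from the original post or from Microsoft: a standard-library Python check that walks the DER encoding of each certificate in a chain and reports any whose outer signatureAlgorithm is md5WithRSAEncryption, the hash the collision attack above targets. The two sample certificates at the bottom are constructed stand-ins with placeholder bodies, not real Microsoft or Flame certificates.

```python
WEAK_SIGNATURE_OIDS = {                      # RSA signatures over hashes no CA should still use
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content bytes (first byte packs two arcs, rest are base-128) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID in the outer signatureAlgorithm field: Certificate ::= SEQUENCE { tbs, algId, sig }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)         # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = read_tlv(alg_id, 0)  # its first element is the algorithm OID
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid_bytes)

def check_chain(chain_der):
    """List (index, oid, name) for each certificate in the chain signed with a weak hash."""
    findings = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append((i, oid, WEAK_SIGNATURE_OIDS[oid]))
    return findings

# Constructed samples (not real certificates): placeholder tbsCertificate and signature,
# but the AlgorithmIdentifier is encoded exactly as a real certificate would encode it.
def _der(tag, content):                      # short-form lengths only; enough for these samples
    return bytes([tag, len(content)]) + content
def _fake_cert(alg_oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x02"))                          # SEQUENCE { INTEGER 2 }
    alg = _der(0x30, _der(0x06, alg_oid_bytes) + _der(0x05, b""))   # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xde\xad"))      # + BIT STRING stub
MD5_CERT = _fake_cert(bytes.fromhex("2a864886f70d010104"))         # md5WithRSAEncryption
SHA256_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))      # sha256WithRSAEncryption
```

On a real chain, read each .cer/.der file with `open(path, "rb").read()` and pass the list to `check_chain`; a PEM file needs its base64 body decoded first. Any hit on an intermediate or root is a reason to distrust the whole chain, which is what Microsoft's move of the affected CAs to the untrusted store accomplishes.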
M.V. • June 4, 2012 6:37 AM
I have just read this:
http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
It seems that Flame is signed with Microsoft-issued certificates.
Also, according to F-Secure, Flame (and Stuxnet) fell through their nets because it didn’t try to hide. So it just looked like a regular business.
http://arstechnica.com/security/2012/06/why-antivirus-companies-like-mine-failed-to-catch-flame-and-stuxnet/