This morning’s revelation that Flame used a Microsoft certificate to sign update code underscores exactly what I said earlier: the real issue is that Flame had apparently been on the victims’ systems for at least a couple of years.
Put another way, some folk lampooned Flame for being big and clunky compared with Stuxnet, which was positively sleek by comparison and certainly much more sophisticated. To my mind, though, the point was always that Flame was there, and no one has any way of knowing what else it might have done while it was there.
This certificate exploit (or manipulation; I’m not sure which term is more correct at this point) allowed Flame to install whatever software it wanted, whenever it wanted, and it would have looked like an official Microsoft update. For probably two years.
This gave the attackers a way to insert code into a fully patched Windows 7 system, and neither Windows nor the machine’s owner would have seen anything suspicious.
This sort of attack is really hard to defend against.
You simply have to stop the code before it runs, and, as I said before, the only way to do that is with integrity management and behavior monitoring.
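As an added illustration of what "integrity management" means in practice (example code written for this post, not anything the author or Microsoft ships), the script below builds a SHA-256 baseline of a directory tree and later reports files that were added, removed or modified. The point it makes is the one above: a baseline does not care whether a dropped binary carried a valid-looking signature, it only cares that the file is not what was there before. The directory layout, file names and the "update" that lands in it are all constructed sample data.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a forward-slash relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree as it is now against a previously recorded baseline."""
    current = build_baseline(root)
    known = set(baseline)
    seen = set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if current[p] != baseline[p]),
    }


def save_baseline(baseline, path):
    # In a real deployment the baseline lives off-host or is itself signed;
    # a baseline the attacker can rewrite proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: record a clean tree, then let an 'update' touch it."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "kernel.bin"), "wb") as f:
            f.write(b"original kernel image (constructed)")
        with open(os.path.join(sysdir, "netlib.dll"), "wb") as f:
            f.write(b"original network library (constructed)")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("clean install\n")

        baseline_path = os.path.join(root, "..", "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # The "update": one new file dropped in, one existing library patched,
        # one file removed. Whether the installer was signed is irrelevant here.
        with open(os.path.join(sysdir, "helper.dll"), "wb") as f:
            f.write(b"newly dropped component (constructed)")
        with open(os.path.join(sysdir, "netlib.dll"), "ab") as f:
            f.write(b" + injected code (constructed)")
        os.remove(os.path.join(root, "readme.txt"))

        report = check_integrity(root, load_baseline(baseline_path))
        os.remove(baseline_path)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every legitimate patch will also show up in this report, so the operational work is reconciling the diff against the changes you expected in that window; anything left over is what needs a second look, and that is where behavior monitoring of the unexpected file takes over.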
It’s a new world, folks. Are you prepared?