Didier Stevens

Monday 4 June 2012

Flame: Before and After KB2718704

Filed under: Malware — Didier Stevens @ 17:57

You probably know Microsoft issued security advisory KB2718704 to revoke Microsoft certificates present in the certificate chain of a signed Flame component.

Here are some screenshots of the signature of this Flame component (WuSetupV.exe).

Before revocation:

After revocation:

6 Comments »

  1. I would like to know how someone could stolen a digital certificate from Microsoft..

    Comment by MARCELO CARVALHO (@mfcarva) — Monday 4 June 2012 @ 19:24

  2. @mfvarca It wasn’t stolen. Here’s what Microsoft wrote in the blogpost I linked to:

    What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.

    Comment by Didier Stevens — Monday 4 June 2012 @ 19:34

  3. I hope so

    Comment by MARCELO CARVALHO (@mfcarva) — Monday 4 June 2012 @ 19:41

  4. Could you please make the SSL certificate(s) available?
    I would like to check what hashing function was used.

    I notice that your 3rd screenshot mentions md5RSA, so i suppose that the collision Microsoft mentions in http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx is with md5.

    Comment by elhoim — Tuesday 5 June 2012 @ 10:25

  5. @elhoim I’ve send you an e-mail.

    Comment by Didier Stevens — Tuesday 5 June 2012 @ 11:40

  6. […] seems to be some interest in the Authenticode signature used in some components of Flame that chain up to Microsoft’s root CA. So I decided to post the full dump of this signature. I extracted the signature from WuSetupV.exe […]

    Pingback by Flame Authenticode Dumps (KB2718704) « Didier Stevens — Wednesday 6 June 2012 @ 9:37


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 239 other followers

%d bloggers like this: