Microsoft Corp warned that a bug in Windows allowed PCs across the Middle East to become infected with the Flame virus and released a software fix to fight the espionage tool that surfaced last week.
Security experts said they were both surprised and impressed by the approach that the attackers had used, which was to disguise Flame as a legitimate program built by Microsoft.
“I woke up to this news and I couldn’t believe it. I had to ask, ‘Am I reading this right?'” said Roel Schouwenberg of Russian security firm Kaspersky Lab, one of the researchers who helped discover the Flame virus.
Experts described the method as “elegant” and they believed it had likely been used to deliver other cyber weapons yet to be identified.
“It would be logical to assume that they would have used it somewhere else at the same time, Mikko Hypponen, chief research officer for security software maker F-Secure.
If other types of cyber weapons were indeed delivered to victim PCs using the same approach as Flame, then they will likely be exposed very quickly now that Microsoft has identified the problem, said Adam Meyers, director of intelligence for security firm CrowdStrike.
Cyber weapons that bear the fake Microsoft code will either stop working or lose some of their camouflage, said Ryan Smith, chief research scientist with security firm Accuvant.
A spokeswoman for Microsoft declined to comment on whether other viruses had exploited the same flaw in Windows or if the company’s security team was looking for similar bugs in the operating system.
Flame’s code included what is known as a digital certificate, which falsely identified it as a piece of software from Microsoft.
The creators of the virus obtained that certificate by manipulating a component of the Windows operating system known as terminal services licensing, or TS licensing, that is designed to authorize business customers to use advanced features of Windows.
A bug in TS licensing allowed the hackers to use it to create fake certificates that identified Flame as being from Microsoft, Mike Reavey, a senior director with Microsoft’s Security Response Center, said in a blog post.
He feared that other hackers might be able to copy the technique to launch more widespread attacks with other types of viruses, Reavey said.
“We continue to investigate this issue and will take any appropriate actions to help protect customers,” Reavey said in the blog post.
News of the Flame virus, which surfaced a week ago, generated headlines around the world as researchers said that technical evidence suggests it was built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010. Researchers are still gathering information about the virus.
Microsoft’s warning is available at http://blogs.technet.com/b/msrc/