Security researchers have published detailed information about how Flame malware spreads through a network by exploiting Microsoft's Windows Update mechanism.
Their findings answer a key question: How could Flame infect fully patched Windows 7 machines?
They learned that hackers had located and exploited a flaw in Microsoft's Terminal Services licensing certificate authority that allowed them to generate code-validating certificates "signed" by Microsoft.
Armed with fake certificates, attackers could fool a Windows 7 PC into accepting a malicious file as a Microsoft update.
But Flame doesn't really compromise Windows Update. And it doesn't infiltrate the service to feed malicious files to unsuspecting users. Instead, a rogue configuration file modifies a machine's settings to route all traffic through the Flame-infected system, creating a complex mechanism for spreading the malware.
"This is one of the most interesting and complex malicious programs we have ever seen," wrote Alexander Gostev, leader of the research and analysis team at Moscow-based Kaspersky Lab, in a blog entry.
Microsoft has taken steps to stop the spoofing of Windows Update.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.