Experts show how ‘Flame’ malware fakes Windows – Computerworld

http://www.computerworld.com/s/article/9228127/Experts_show_how_Flame_malware_fakes_Windows

This malware is indeed a clever devil, and the Kaspersky article here dives into further detail, describing the setup and use of the man-in-the-middle vector employed to further the infection.  I did note in the Kaspersky article that the fake Windows Update server looks for a PHP extension, which struck me as just a bit funny and a little bit shoddy on the part of the developers.  Granted, it’s background and not highly visible (as evidenced by the fact that this information hadn’t been discovered until now), but if I were to notice PHP in use with a Microsoft service, I think I’d be inclined to say “That’s interesting… why not ASP?”

That’s the reason this strikes me as a shoddy oversight in what has otherwise (at least from the small amount I’ve had the time to read on the topic) been a very polished and well-built platform.  Unless something has changed significantly in the past couple of years since I’ve really played with these things, a couple of minor modifications to the config files for the web server would have allowed the files to easily have been served with an ASP extension, yet still have been processed server side by PHP.  Just strikes me as a little bit out of character.
