The following blog entry is by Sharon D. Nelson, Esq., President of Sensei Enterprises, Inc., a computer forensics and legal technology firm in Fairfax, VA.
The story of the new malware known as Flame spread like (sorry) wildfire across the Net yesterday. Apparently, it is a whole lot bigger and badder than Stuxnet.
This malware is slick, sophisticated and massive. It was discovered by the Russian anti-malware firm Kaspersky, which said that Flame has been infecting targeted systems in Iran, Lebanon, Syria, Sudan and other Middle Eastern and North African countries for at least two years.
It is believed to be a coordinated, ongoing and state-run cyberespionage operation. Flame is designed primarily to spy on users of infected computers and can purloin data, including documents and recorded conversations. Its astonishing capabilities are well-documented in the CNN story link at the beginning of this post.
Here is a piece of that story:
"Kaspersky Lab is calling it "one of the most complex threats ever discovered." Among Flame's many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer's near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers' command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic on an infected machine's local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
Flame does contain a module named Viper, adding more confusion to the Wiper/Viper issue, but this component is used to transfer stolen data from infected machines to command-and-control servers. News reports out of Iran indicated the Wiper/Viper program that infected the oil ministry was designed to delete large swaths of data from infected systems."
(If you're not saying "holy cow," you don't follow infosec. We've never seen anything remotely like Flame.)
"Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009. It was likely designed to sabotage centrifuges used in Iran's uranium enrichment program. DuQu was an espionage tool discovered on machines in Iran, Sudan, and elsewhere in 2011 that was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques."
But Flame doesn't resemble either of these in framework, design or functionality.
Flame is 20 megabytes in size, compared to Stuxnet's 500 kilobytes. It also contains a lot of components that are not used by the code by default, but seem to provide the attackers with options to turn on post-installation.
Though experts looked to find similarities between Flame and Stuxnet, they came up empty, except for two things: an export function which allows the malware to be executed on the system, and the ability to spread itself by infecting USB sticks.
Is this a case of "that which is old is new again?" Same players??? Most journalists are being a bit coy about naming the nation-state(s) involved, but their words are suggestive.
Unlike Stuxnet, however, Flame does not replicate automatically. Spreading mechanisms must be switched on by the attackers before the malware will spread. Why do that? To control the spread of the malware in the hope that it will go undetected. Stuxnet was discovered relatively easily because it spread quickly.
The vulnerabilities that Flame exploits were patched by Microsoft, so Flame checks to see whether targeted machines are running updated versions of anti-malware programs. Kaspersky estimates that Flame has infected about 1,000 machines.
Flame has no "kill date," but those who control it can execute the kill module, which searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and erases them.
Iran's Computer Emergency Response Team (who knew it had one?) announced on May 28th that it had developed a program to detect what it called "Flamer" (also Symantec's term for Flame) and a tool for removing it.
My personal comment: The U.S. needs to be very, very careful in the deployment of cyberwarfare tools. Clearly, we must be prepared, but where and how to deploy is much trickier, especially when we originate "attacks." We didn't like it much when we were labeled "The Ugly American" - we now risk becoming "The Ugly Cyber-American."
Contact Sharon at: email@example.com or 703-359-0700.