Attacks/Breaches
5/29/2012
09:00 AM
50%
50%

Flame Espionage Malware Seeks Middle East Data

Flame malware, described as the most complex ever discovered, has the markings of Western intelligence agencies. Security researchers believe it's been gathering information from Iran, Lebanon, Syria, and other countries since at least 2010.

Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known Flame, Flamer, Skywiper (sKyWIper), and Wiper appears to be even more sophisticated than the Stuxnet virus discovered in 2010, and to have long infected PCs in numerous countries including Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria.

Iran's National Computer Emergency Response Team (CERT) Monday confirmed that Iranian PCs had been targeted and infected by Flame, and said that it had created and distributed a detection and removal tool to "selected organizations and companies" earlier this month. According to the Iran CERT analysis, the malware can spread via networks and removable drives, and receives instructions from at least 10 command-and-control servers, communicating via SSH and HTTPS protocols. The malware can infect Windows XP, Vista, and 7, systems, and includes the ability to scan systems and networks, extract passwords, record audio, and capture event-triggered screen grabs.

Analysis of the malware is still ongoing, but researchers have found evidence that Flame infections date to at least 2010, and potentially as far back as 2007. Until this month, however, the malware also seemed to have evaded all commercial antivirus systems. "At the time of writing, none of the 43 tested antiviruses [sic] could detect any of the malicious components," according to the Iranian CERT analysis published Monday.

[ Expect escalating attacks this summer as London 2012 Olympics Scammers Seek Malicious Gold. ]

The malware appears to have been developed not to target industrial control systems, as with Stuxnet, but to support other information-gathering and perhaps offensive capabilities. "From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence--e-mails, documents, messages, discussions inside sensitive locations, pretty much everything," said Aleks Gostev, a security researcher at antivirus vendor Kaspersky Lab, in a blog post. "We have not seen any specific signs indicating a particular target such as the energy industry--making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

Gostev said Kaspersky began studying the malware "after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East."

Whoever created Flamer tapped extensive malware development resources and knowledge. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," according to a 63-page analysis of the malware published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics. CrySyS previously helped trace the origins of the Stuxnet and Duqu malware. Stuxnet was a complex piece of malware designed to sabotage the high-frequency convertor drives used in a uranium enrichment facility in Iran.

But even when compared to Stuxnet, CrySys said that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

Other security researchers offered a similar assessment. "The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to an analysis of Flame published by Symantec, which was instrumental in unraveling the inner workings of Stuxnet, as well as Duqu. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives."

The malware appears to have been aimed predominantly at targets in the Middle East and Eastern Europe. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry," noted Symantec, but said the scope of the malware was far larger. "Initial evidence indicates that the victims may not all be targeted for the same reason," it said. "Many appear to be targeted for individual personal activities rather than the company they are employed by."

Interestingly, the manner in which the malware was constructed makes it not unlike a crimeware toolkit. Namely, the core application taps at least 20 modules, each of which offers additional functionality and which can be easily upgraded. "The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware," according to Symantec. "The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products."

Of course, data-stealing malware is nothing new, as demonstrated by Duqu, not to mention the Shady RAT Trojan application discovered last year. So, what gives Flame the hallmarks of having been developed by Western intelligence agencies? For starters, the code is written in English, while the malware's modus operandi has the hallmarks of a Western-style attack. "There seems to be a clear difference in how online espionage is done from China and how it's done from the West. Chinese actors prefer attacks targeted via spoofed emails with booby-trapped documents attached," said Mikko Hypponen, chief research officer at F-Secure, in a blog post. "Western actors seem to avoid email and instead use USB sticks or targeted break-ins to gain access."

Regardless of who developed the malware, what's astonishing is that it only appears to have been spotted earlier this month. "Stuxnet, Duqu, and Flame are all examples of cases where we--the antivirus industry--have failed. All of these cases were spreading undetected for extended periods of time," said Hypponen.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Cryptodd
50%
50%
Cryptodd,
User Rank: Moderator
6/1/2012 | 6:18:45 PM
re: Flame Espionage Malware Seeks Middle East Data
The Flame worm is another example of how well-funded and sophisticated cyber-espionage has become and the threat it poses to nation-states and economic targets. Limiting defense in depth strategies to database protection is no longer sufficient. We need to extend the same protections to unstructured data (emails, documents, messages, etc.) GÇô including encryption, strong access controls and real-time activity monitoring. I will be discussing the topic of maintaining security and control of unstructured Big Data at the upcoming Gartner conference in Washington, DC: http://bit.ly/f5LeYz
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?