Attacks/Breaches
5/29/2012
09:00 AM
Connect Directly
RSS
E-Mail
50%
50%

Flame Espionage Malware Seeks Middle East Data

Flame malware, described as the most complex ever discovered, has the markings of Western intelligence agencies. Security researchers believe it's been gathering information from Iran, Lebanon, Syria, and other countries since at least 2010.

Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known Flame, Flamer, Skywiper (sKyWIper), and Wiper appears to be even more sophisticated than the Stuxnet virus discovered in 2010, and to have long infected PCs in numerous countries including Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria.

Iran's National Computer Emergency Response Team (CERT) Monday confirmed that Iranian PCs had been targeted and infected by Flame, and said that it had created and distributed a detection and removal tool to "selected organizations and companies" earlier this month. According to the Iran CERT analysis, the malware can spread via networks and removable drives, and receives instructions from at least 10 command-and-control servers, communicating via SSH and HTTPS protocols. The malware can infect Windows XP, Vista, and 7, systems, and includes the ability to scan systems and networks, extract passwords, record audio, and capture event-triggered screen grabs.

Analysis of the malware is still ongoing, but researchers have found evidence that Flame infections date to at least 2010, and potentially as far back as 2007. Until this month, however, the malware also seemed to have evaded all commercial antivirus systems. "At the time of writing, none of the 43 tested antiviruses [sic] could detect any of the malicious components," according to the Iranian CERT analysis published Monday.

[ Expect escalating attacks this summer as London 2012 Olympics Scammers Seek Malicious Gold. ]

The malware appears to have been developed not to target industrial control systems, as with Stuxnet, but to support other information-gathering and perhaps offensive capabilities. "From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence--e-mails, documents, messages, discussions inside sensitive locations, pretty much everything," said Aleks Gostev, a security researcher at antivirus vendor Kaspersky Lab, in a blog post. "We have not seen any specific signs indicating a particular target such as the energy industry--making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

Gostev said Kaspersky began studying the malware "after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East."

Whoever created Flamer tapped extensive malware development resources and knowledge. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," according to a 63-page analysis of the malware published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics. CrySyS previously helped trace the origins of the Stuxnet and Duqu malware. Stuxnet was a complex piece of malware designed to sabotage the high-frequency convertor drives used in a uranium enrichment facility in Iran.

But even when compared to Stuxnet, CrySys said that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

Other security researchers offered a similar assessment. "The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to an analysis of Flame published by Symantec, which was instrumental in unraveling the inner workings of Stuxnet, as well as Duqu. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives."

The malware appears to have been aimed predominantly at targets in the Middle East and Eastern Europe. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry," noted Symantec, but said the scope of the malware was far larger. "Initial evidence indicates that the victims may not all be targeted for the same reason," it said. "Many appear to be targeted for individual personal activities rather than the company they are employed by."

Interestingly, the manner in which the malware was constructed makes it not unlike a crimeware toolkit. Namely, the core application taps at least 20 modules, each of which offers additional functionality and which can be easily upgraded. "The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware," according to Symantec. "The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products."

Of course, data-stealing malware is nothing new, as demonstrated by Duqu, not to mention the Shady RAT Trojan application discovered last year. So, what gives Flame the hallmarks of having been developed by Western intelligence agencies? For starters, the code is written in English, while the malware's modus operandi has the hallmarks of a Western-style attack. "There seems to be a clear difference in how online espionage is done from China and how it's done from the West. Chinese actors prefer attacks targeted via spoofed emails with booby-trapped documents attached," said Mikko Hypponen, chief research officer at F-Secure, in a blog post. "Western actors seem to avoid email and instead use USB sticks or targeted break-ins to gain access."

Regardless of who developed the malware, what's astonishing is that it only appears to have been spotted earlier this month. "Stuxnet, Duqu, and Flame are all examples of cases where we--the antivirus industry--have failed. All of these cases were spreading undetected for extended periods of time," said Hypponen.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Cryptodd
50%
50%
Cryptodd,
User Rank: Moderator
6/1/2012 | 6:18:45 PM
re: Flame Espionage Malware Seeks Middle East Data
The Flame worm is another example of how well-funded and sophisticated cyber-espionage has become and the threat it poses to nation-states and economic targets. Limiting defense in depth strategies to database protection is no longer sufficient. We need to extend the same protections to unstructured data (emails, documents, messages, etc.) GĒō including encryption, strong access controls and real-time activity monitoring. I will be discussing the topic of maintaining security and control of unstructured Big Data at the upcoming Gartner conference in Washington, DC: http://bit.ly/f5LeYz
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.