Attacks/Breaches
5/29/2012
09:00 AM
Connect Directly
RSS
E-Mail
50%
50%

Flame Espionage Malware Seeks Middle East Data

Flame malware, described as the most complex ever discovered, has the markings of Western intelligence agencies. Security researchers believe it's been gathering information from Iran, Lebanon, Syria, and other countries since at least 2010.

Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known Flame, Flamer, Skywiper (sKyWIper), and Wiper appears to be even more sophisticated than the Stuxnet virus discovered in 2010, and to have long infected PCs in numerous countries including Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria.

Iran's National Computer Emergency Response Team (CERT) Monday confirmed that Iranian PCs had been targeted and infected by Flame, and said that it had created and distributed a detection and removal tool to "selected organizations and companies" earlier this month. According to the Iran CERT analysis, the malware can spread via networks and removable drives, and receives instructions from at least 10 command-and-control servers, communicating via SSH and HTTPS protocols. The malware can infect Windows XP, Vista, and 7, systems, and includes the ability to scan systems and networks, extract passwords, record audio, and capture event-triggered screen grabs.

Analysis of the malware is still ongoing, but researchers have found evidence that Flame infections date to at least 2010, and potentially as far back as 2007. Until this month, however, the malware also seemed to have evaded all commercial antivirus systems. "At the time of writing, none of the 43 tested antiviruses [sic] could detect any of the malicious components," according to the Iranian CERT analysis published Monday.

[ Expect escalating attacks this summer as London 2012 Olympics Scammers Seek Malicious Gold. ]

The malware appears to have been developed not to target industrial control systems, as with Stuxnet, but to support other information-gathering and perhaps offensive capabilities. "From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence--e-mails, documents, messages, discussions inside sensitive locations, pretty much everything," said Aleks Gostev, a security researcher at antivirus vendor Kaspersky Lab, in a blog post. "We have not seen any specific signs indicating a particular target such as the energy industry--making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

Gostev said Kaspersky began studying the malware "after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East."

Whoever created Flamer tapped extensive malware development resources and knowledge. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," according to a 63-page analysis of the malware published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics. CrySyS previously helped trace the origins of the Stuxnet and Duqu malware. Stuxnet was a complex piece of malware designed to sabotage the high-frequency convertor drives used in a uranium enrichment facility in Iran.

But even when compared to Stuxnet, CrySys said that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

Other security researchers offered a similar assessment. "The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to an analysis of Flame published by Symantec, which was instrumental in unraveling the inner workings of Stuxnet, as well as Duqu. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives."

The malware appears to have been aimed predominantly at targets in the Middle East and Eastern Europe. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry," noted Symantec, but said the scope of the malware was far larger. "Initial evidence indicates that the victims may not all be targeted for the same reason," it said. "Many appear to be targeted for individual personal activities rather than the company they are employed by."

Interestingly, the manner in which the malware was constructed makes it not unlike a crimeware toolkit. Namely, the core application taps at least 20 modules, each of which offers additional functionality and which can be easily upgraded. "The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware," according to Symantec. "The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products."

Of course, data-stealing malware is nothing new, as demonstrated by Duqu, not to mention the Shady RAT Trojan application discovered last year. So, what gives Flame the hallmarks of having been developed by Western intelligence agencies? For starters, the code is written in English, while the malware's modus operandi has the hallmarks of a Western-style attack. "There seems to be a clear difference in how online espionage is done from China and how it's done from the West. Chinese actors prefer attacks targeted via spoofed emails with booby-trapped documents attached," said Mikko Hypponen, chief research officer at F-Secure, in a blog post. "Western actors seem to avoid email and instead use USB sticks or targeted break-ins to gain access."

Regardless of who developed the malware, what's astonishing is that it only appears to have been spotted earlier this month. "Stuxnet, Duqu, and Flame are all examples of cases where we--the antivirus industry--have failed. All of these cases were spreading undetected for extended periods of time," said Hypponen.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Cryptodd
50%
50%
Cryptodd,
User Rank: Apprentice
6/1/2012 | 6:18:45 PM
re: Flame Espionage Malware Seeks Middle East Data
The Flame worm is another example of how well-funded and sophisticated cyber-espionage has become and the threat it poses to nation-states and economic targets. Limiting defense in depth strategies to database protection is no longer sufficient. We need to extend the same protections to unstructured data (emails, documents, messages, etc.) GÇô including encryption, strong access controls and real-time activity monitoring. I will be discussing the topic of maintaining security and control of unstructured Big Data at the upcoming Gartner conference in Washington, DC: http://bit.ly/f5LeYz
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio