Attacks/Breaches
5/30/2012
12:00 PM

Flame FAQ: 11 Facts About Complex Malware

Size of Flame dwarfs existing spyware, keyloggers, and other malware. Drill down for a closer look at the crucial technology and military issues.

The Flame malware--a.k.a. Flamer or Skywiper (sKyWIper)--discovered earlier this month is earning accolades from security researchers for being the largest, most complex piece of attack code ever spotted in the wild.

But what's also remarkable about the Flame malware is that although it's been infecting PCs since at least 2010, and possibly since 2007, it appears to have been used in only a scant number of highly targeted attacks.

What are the implications of that revelation, and what do we currently know about the malware? Here are 11 related facts:

1) Flame's size highlights a powerful malware arsenal. For starters, Flame wins awards based on its sheer size. "The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB," reads a blog post from Websense. "One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a LUA virtual machine." (Lua is the scripting language that was used to build many parts of the malware.)


2) Flame is focused on the Middle East. According to Symantec, the most Flame infections were seen in the Palestinian West Bank, Hungary, Iran, and Lebanon. Interestingly, however, infections have also been reported in Austria, Russia, Hong Kong, and the United Arab Emirates. Security experts said that the infection pattern, along with the malware's stealth, suggests that it was developed by one or more Western intelligence agencies.

3) Don't expect immediate answers to questions about Flame. Unraveling Flame's inner workings and purpose will take weeks, or more likely, months. "Flamer is the largest piece of malware that we've ever analyzed," said Vikram Thakur, principal research manager at Symantec Security Response. "It could take weeks, if not months, to actually go through the whole thing." This is not least because the malware uses an unprecedented amount of encryption to help disguise its activities.

4) Flame studies installed security products, smartphones, and remote access. Flame's 20-odd modules offer some powerful attack capabilities. "One of Flame's components, soapr32.ocx, is a DLL that is designed to collect information about the system and about the software installed on the victim's computer," reads an analysis of a single Flame module published Wednesday by BAE Systems.

"The malicious DLL queries a number of registry entries," it continued. For example, the malware looks to see if various types of security software--Tiny Personal Firewall, Kaspersky Antivirus, as well as various McAfee, Symantec, and ZoneAlarm products--are installed. It also looks for clues about the type of mobile phone the PC owner uses. Finally, it actively looks for any stored usernames and passwords related to a number of well-known FTP, SSH, and Virtual Network Computing clients, as well as remote-control software. "Revealing credentials for the aforementioned software exposes extra risks such as the ability to connect to the compromised system remotely (via VNC) or compromise/infect/deface web servers managed via one of the enlisted FTP client solutions," said BAE.

5) Flame records extensive system information. According to BAE, the single Flame component it studied can audit almost any service, file, or application installed on the PC. It can also retrieve website cookies, record all services running on the PC, gather a list of all files and directories associated with program files, retrieve the installed version numbers for Outlook Express, Outlook, Microsoft Word, and Internet Explorer, see which USB devices are installed, map the network neighborhood, and retrieve from the Internet cache a list of all URLs visited. In addition, the malware "retrieves SMTP/POP3 server information and also account information/credentials for all Microsoft Outlook profiles," said BAE. All that information would give would-be attackers further techniques for attacking the PC or the information it stores.

6) Flame targets the same bugs as Stuxnet and Duqu. Is Flame related to Duqu or Stuxnet? "So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061," said Websense. "Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks." The first bug involves a vulnerability in the Windows Shell, which enables an attacker to execute arbitrary code. The second bug, in the Print Spooler Service, would likewise allow remote code execution in Windows XP and privilege elevation in other Windows operating systems.

Microsoft patched both vulnerabilities in 2010. But while Stuxnet and Duqu also used the vulnerabilities, multiple security experts have cautioned that malware writers tend to emulate each other. Hence the shared exploits are no proof of any direct link between the different malware families.

7) Infections remain rare. The Flame malware has apparently been used only in highly targeted attacks. In fact, Symantec researchers think that only 1,000--or perhaps a few thousand--PCs were ever infected by the malware.

8) Flame's scale is unique, but its capabilities are not. Some security experts don't see what all the Flame fuss is about. "Espionage attacks aimed at specific geographies or industries are nothing new. Look at LuckyCat, IXESHE, or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of a modular information-stealing Trojan," said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "In fact, a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT," he said. "Complexity of code is also nothing new."

9) Flame C&C servers appear to be offline. The media attention paid to Flame may have already had repercussions in the form of the command and control (C&C) servers used to issue commands to the malware on infected PCs. Notably, an analysis of one of Flame's DLL files--a module for the malware--conducted using the Cuckoo Sandbox malware analysis system found that all the C&Cs seem offline or sinkholed now. Sinkholing refers to a technique used by security researchers to redirect botnet communications, thus allowing them to study infections.

10) Flame suggests espionage is ascendant. While the full extent of Flame's capabilities is still being unraveled, pronouncements are already being issued over its impact on the information security landscape. According to James Todd, the European technical lead for FireEye, "Flame has done for espionage what Stuxnet did for physical infrastructure."

That Flame circulated for two years before being detected highlights how carefully businesses must search for ongoing breaches they have not yet noticed. "The next big trend in IT security was always going to be cyber-espionage, given the potentially huge rewards for the taking," said Todd, via email. "This is particularly true if hackers can infiltrate information relating to policy, patents, intellectual property, and R&D plans. As such, any organization--or nation for that matter--with significant investments in R&D or IP must up the ante on preemptive security before it is too late."

"More and more, we see enterprises assuming they've been compromised," said Rob Rachwald, director of security strategy at Imperva, in a blog post.

11) Malware could rewrite military doctrine. Given the Flame capabilities on display, especially in the wake of Stuxnet, expect to see changes in military circles. "Cyberattacks will force adversaries to minimize their electronic productivity," said Rachwald. "It took nearly a decade to find Osama Bin Laden since he went completely off grid. ... Does this mean that scientists developing weapons will resort to crayons and paper only? Probably not, but today life very likely got a lot harder for scientists working on military projects worldwide."
