Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Flame Espionage Malware Seeks Middle East Data

Flame malware, described as the most complex ever discovered, has the markings of Western intelligence agencies. Security researchers believe it's been gathering information from Iran, Lebanon, Syria, and other countries since at least 2010.

Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known Flame, Flamer, Skywiper (sKyWIper), and Wiper appears to be even more sophisticated than the Stuxnet virus discovered in 2010, and to have long infected PCs in numerous countries including Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria.

Iran's National Computer Emergency Response Team (CERT) Monday confirmed that Iranian PCs had been targeted and infected by Flame, and said that it had created and distributed a detection and removal tool to "selected organizations and companies" earlier this month. According to the Iran CERT analysis, the malware can spread via networks and removable drives, and receives instructions from at least 10 command-and-control servers, communicating via SSH and HTTPS protocols. The malware can infect Windows XP, Vista, and 7, systems, and includes the ability to scan systems and networks, extract passwords, record audio, and capture event-triggered screen grabs.

Analysis of the malware is still ongoing, but researchers have found evidence that Flame infections date to at least 2010, and potentially as far back as 2007. Until this month, however, the malware also seemed to have evaded all commercial antivirus systems. "At the time of writing, none of the 43 tested antiviruses [sic] could detect any of the malicious components," according to the Iranian CERT analysis published Monday.

[ Expect escalating attacks this summer as London 2012 Olympics Scammers Seek Malicious Gold. ]

The malware appears to have been developed not to target industrial control systems, as with Stuxnet, but to support other information-gathering and perhaps offensive capabilities. "From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence--e-mails, documents, messages, discussions inside sensitive locations, pretty much everything," said Aleks Gostev, a security researcher at antivirus vendor Kaspersky Lab, in a blog post. "We have not seen any specific signs indicating a particular target such as the energy industry--making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

Gostev said Kaspersky began studying the malware "after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East."

Whoever created Flamer tapped extensive malware development resources and knowledge. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," according to a 63-page analysis of the malware published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics. CrySyS previously helped trace the origins of the Stuxnet and Duqu malware. Stuxnet was a complex piece of malware designed to sabotage the high-frequency convertor drives used in a uranium enrichment facility in Iran.

But even when compared to Stuxnet, CrySys said that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

Other security researchers offered a similar assessment. "The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to an analysis of Flame published by Symantec, which was instrumental in unraveling the inner workings of Stuxnet, as well as Duqu. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives."

The malware appears to have been aimed predominantly at targets in the Middle East and Eastern Europe. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry," noted Symantec, but said the scope of the malware was far larger. "Initial evidence indicates that the victims may not all be targeted for the same reason," it said. "Many appear to be targeted for individual personal activities rather than the company they are employed by."

Interestingly, the manner in which the malware was constructed makes it not unlike a crimeware toolkit. Namely, the core application taps at least 20 modules, each of which offers additional functionality and which can be easily upgraded. "The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware," according to Symantec. "The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products."

Of course, data-stealing malware is nothing new, as demonstrated by Duqu, not to mention the Shady RAT Trojan application discovered last year. So, what gives Flame the hallmarks of having been developed by Western intelligence agencies? For starters, the code is written in English, while the malware's modus operandi has the hallmarks of a Western-style attack. "There seems to be a clear difference in how online espionage is done from China and how it's done from the West. Chinese actors prefer attacks targeted via spoofed emails with booby-trapped documents attached," said Mikko Hypponen, chief research officer at F-Secure, in a blog post. "Western actors seem to avoid email and instead use USB sticks or targeted break-ins to gain access."

Regardless of who developed the malware, what's astonishing is that it only appears to have been spotted earlier this month. "Stuxnet, Duqu, and Flame are all examples of cases where we--the antivirus industry--have failed. All of these cases were spreading undetected for extended periods of time," said Hypponen.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cryptodd
50%
50%
Cryptodd,
User Rank: Moderator
6/1/2012 | 6:18:45 PM
re: Flame Espionage Malware Seeks Middle East Data
The Flame worm is another example of how well-funded and sophisticated cyber-espionage has become and the threat it poses to nation-states and economic targets. Limiting defense in depth strategies to database protection is no longer sufficient. We need to extend the same protections to unstructured data (emails, documents, messages, etc.) G including encryption, strong access controls and real-time activity monitoring. I will be discussing the topic of maintaining security and control of unstructured Big Data at the upcoming Gartner conference in Washington, DC: http://bit.ly/f5LeYz
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19702
PUBLISHED: 2019-12-10
The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML do...
CVE-2019-19703
PUBLISHED: 2019-12-10
In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.
CVE-2012-1577
PUBLISHED: 2019-12-10
lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.
CVE-2012-5620
PUBLISHED: 2019-12-10
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2013-1689
PUBLISHED: 2019-12-10
Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause a denial of service (crash), related to event handling with frames.