Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Flame Espionage Malware Seeks Middle East Data

Flame malware, described as the most complex ever discovered, has the markings of Western intelligence agencies. Security researchers believe it's been gathering information from Iran, Lebanon, Syria, and other countries since at least 2010.

Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known Flame, Flamer, Skywiper (sKyWIper), and Wiper appears to be even more sophisticated than the Stuxnet virus discovered in 2010, and to have long infected PCs in numerous countries including Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria.

Iran's National Computer Emergency Response Team (CERT) Monday confirmed that Iranian PCs had been targeted and infected by Flame, and said that it had created and distributed a detection and removal tool to "selected organizations and companies" earlier this month. According to the Iran CERT analysis, the malware can spread via networks and removable drives, and receives instructions from at least 10 command-and-control servers, communicating via SSH and HTTPS protocols. The malware can infect Windows XP, Vista, and 7, systems, and includes the ability to scan systems and networks, extract passwords, record audio, and capture event-triggered screen grabs.

Analysis of the malware is still ongoing, but researchers have found evidence that Flame infections date to at least 2010, and potentially as far back as 2007. Until this month, however, the malware also seemed to have evaded all commercial antivirus systems. "At the time of writing, none of the 43 tested antiviruses [sic] could detect any of the malicious components," according to the Iranian CERT analysis published Monday.

[ Expect escalating attacks this summer as London 2012 Olympics Scammers Seek Malicious Gold. ]

The malware appears to have been developed not to target industrial control systems, as with Stuxnet, but to support other information-gathering and perhaps offensive capabilities. "From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence--e-mails, documents, messages, discussions inside sensitive locations, pretty much everything," said Aleks Gostev, a security researcher at antivirus vendor Kaspersky Lab, in a blog post. "We have not seen any specific signs indicating a particular target such as the energy industry--making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

Gostev said Kaspersky began studying the malware "after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East."

Whoever created Flamer tapped extensive malware development resources and knowledge. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," according to a 63-page analysis of the malware published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics. CrySyS previously helped trace the origins of the Stuxnet and Duqu malware. Stuxnet was a complex piece of malware designed to sabotage the high-frequency convertor drives used in a uranium enrichment facility in Iran.

But even when compared to Stuxnet, CrySys said that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

Other security researchers offered a similar assessment. "The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to an analysis of Flame published by Symantec, which was instrumental in unraveling the inner workings of Stuxnet, as well as Duqu. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives."

The malware appears to have been aimed predominantly at targets in the Middle East and Eastern Europe. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry," noted Symantec, but said the scope of the malware was far larger. "Initial evidence indicates that the victims may not all be targeted for the same reason," it said. "Many appear to be targeted for individual personal activities rather than the company they are employed by."

Interestingly, the manner in which the malware was constructed makes it not unlike a crimeware toolkit. Namely, the core application taps at least 20 modules, each of which offers additional functionality and which can be easily upgraded. "The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware," according to Symantec. "The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products."

Of course, data-stealing malware is nothing new, as demonstrated by Duqu, not to mention the Shady RAT Trojan application discovered last year. So, what gives Flame the hallmarks of having been developed by Western intelligence agencies? For starters, the code is written in English, while the malware's modus operandi has the hallmarks of a Western-style attack. "There seems to be a clear difference in how online espionage is done from China and how it's done from the West. Chinese actors prefer attacks targeted via spoofed emails with booby-trapped documents attached," said Mikko Hypponen, chief research officer at F-Secure, in a blog post. "Western actors seem to avoid email and instead use USB sticks or targeted break-ins to gain access."

Regardless of who developed the malware, what's astonishing is that it only appears to have been spotted earlier this month. "Stuxnet, Duqu, and Flame are all examples of cases where we--the antivirus industry--have failed. All of these cases were spreading undetected for extended periods of time," said Hypponen.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
6/1/2012 | 6:18:45 PM
re: Flame Espionage Malware Seeks Middle East Data
The Flame worm is another example of how well-funded and sophisticated cyber-espionage has become and the threat it poses to nation-states and economic targets. Limiting defense in depth strategies to database protection is no longer sufficient. We need to extend the same protections to unstructured data (emails, documents, messages, etc.) G including encryption, strong access controls and real-time activity monitoring. I will be discussing the topic of maintaining security and control of unstructured Big Data at the upcoming Gartner conference in Washington, DC: http://bit.ly/f5LeYz
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.