A Flame, Duqu Test-Drive

Experiment shows how the infamous cyberespionage families can be repurposed -- with exceptions -- in other attacks
KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- The big question haunting security researchers and enterprises in the wake of the revelation of Stuxnet and cyberespionage tools Flame and Duqu is whether the malware families can be repurposed and turned against other targets. A security researcher here today shared how that's indeed possible -- but with a few limitations.

Boldizsar Bencsath, a member of the CrySys Lab that was instrumental in studying Duqu, demonstrated how he was able to inject his own proof-of-concept malware into the Duqu dropper exploit, reuse Duqu's keylogger, run Flame's Windows Update dropper to install his own malware, and reconfigure "mini-Flame" to create his own command-and-control servers.

"My idea was that nobody has taken a look at modifying and reconfiguring Stuxnet, Duqu, Flame, and SPE and turn these things against us," Bencsath said. So he decided to go for it, with the exception of Stuxnet, which he didn't end up testing due to time constraints.

One big takeaway from his experiment was that the Flame authors may have purposely limited the scope of their malware to keep it from being abused by other attackers, according to Bencsath. He created a man-in-the-middle proof-of-concept with the Flame Windows Updater using a Linux server, but found that the attack only works in a local subnet, not across the Internet.

"Maybe this was intentional, and they didn't want anybody to use their tools to make even more powerful counterattacks," Bencsath said. "That's really good news."

The apparently deliberate limitations had to do with signed Windows "cabinet" files for each Windows installer in Flame. There is no way to "cheat" those files because they are signed, and there's no way to crack them, he said, which effectively ensures that the exploit remains within a subnet.

Bencsath also found that the so-called "Mini-Flame" family may have been more of a backup piece of malware in case Flame were to be discovered.

He decided to deploy Mini-Flame, a.k.a. SPE, as the remote control for the "infected" machines in his test. But modifying Mini-Flame and establishing the C&C server required more effort than writing a similar tool from scratch would have, he said. The code was relatively limited, he said, possibly on purpose.

"Its main capability is to execute command and to download files. It's probably mainly for installing a new version ... it has limited capabilities, so maybe it's not the best tool for espionage," he said. He believes Mini-Flame may be a backup for Flame if that C&C were taken down.

"Mini-Flame uses different C&C servers, so this makes sense," he said.

Meanwhile, Bencsath concluded that Duqu's keylogger is basically just another keylogger: "There are a large number of other solutions available on the Internet, so you don't need to use Duqu's. There is no real use to abuse the Duqu keylogger."

So what do his findings say about the potential for these malware families to be repurposed in other attacks? "I don't know what the story is or the conclusion. This [reconfiguring the malware] can be done, for sure. But how much good [it is] for the attacker would be hard to judge," he said.

"On the one hand, I successfully abused the Duqu kernel exploit and Windows Update, and, with minor modifications, I could run SPE and design a command-and-control server," he said. "And with minimal work, I could use the keylogger."

Overall, Bencsath said he spent about 100 to 150 hours on the project. "That is not too much time ... so it's easy to abuse the malware," he said.

He said another challenge in repurposing these attacks is that there are still some unknowns about the malware. "The public information misses some detail that is not published or analyzed," he said.
