A Flame, Duqu Test-Drive

Experiment shows how the infamous cyberespionage families can be repurposed -- with exceptions -- in other attacks

KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- The big question haunting security researchers and enterprises in the wake of the revelation of Stuxnet and cyberespionage tools Flame and Duqu is whether the malware families can be repurposed and turned against other targets. A security researcher here today shared how that's indeed possible -- but with a few limitations.

Boldizsar Bencsath, a member of the CrySys Lab that was instrumental in studying Duqu, demonstrated how he was able to inject his own proof-of-concept malware into the Duqu dropper exploit, reuse Duqu's keylogger, run Flame's Windows Update dropper to install his own malware, and reconfigure "mini-Flame" to create his own command-and-control servers.

"My idea was that nobody has taken a look at modifying and reconfiguring Stuxnet, Duqu, Flame, and SPE and turn these things against us," Bencsath said. So he decided to go for it, with the exception of Stuxnet, which he didn't end up testing due to time constraints.

One big takeaway from his experiment was that the Flame authors may have purposely limited the scope of their malware to keep it from being abused by other attackers, according to Bencsath. He built a man-in-the-middle proof-of-concept with the Flame Windows Update component using a Linux server, but found that the attack only works on the local subnet, not across the Internet.

"Maybe this was intentional, and they didn't want anybody to use their tools to make even more powerful counterattacks," Bencsath said. "That's really good news."

The apparently deliberate limitations had to do with the signed Windows "cabinet" files used for each Windows installer in Flame. There is no way to "cheat" those files because they are signed, and there is no way to crack them, he said, which effectively confines the exploit to a single subnet.
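The practical defender-side corollary of that point is that the signature on a cabinet file is what stands between a legitimate update and a repurposed one, so it is worth checking. The following PowerShell script is an added example, not code from the article or from CrySys Lab: it walks a directory of `.cab` files (the `$CabDir` path is an assumed placeholder), runs the built-in `Get-AuthenticodeSignature` cmdlet on each, and flags anything whose signature does not verify as `Valid`, reporting the signer so an unexpected certificate stands out.

```powershell
# Added example (not from the article or from CrySys Lab): verify Authenticode
# signatures on Windows Update cabinet files before trusting them.
# Assumes the .cab files to check sit in $CabDir (hypothetical path).
param(
    [string]$CabDir = 'C:\Temp\update-cabs'   # assumed location, adjust as needed
)

function Test-CabSignatures {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter '*.cab' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            File    = $_.Name
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $subject
            Trusted = ($sig.Status -eq 'Valid')
        }
    }
}

$results = Test-CabSignatures -Path $CabDir
$results | Format-Table -AutoSize

# Anything that is not 'Valid' should never be installed; a tampered or
# re-signed package shows up here as HashMismatch or as an unexpected signer.
$bad = $results | Where-Object { -not $_.Trusted }
if ($bad) {
    Write-Warning ("{0} cabinet file(s) failed signature verification" -f @($bad).Count)
    exit 1
}
```

The `Status` field distinguishes an unsigned file (`NotSigned`) from one whose contents were altered after signing (`HashMismatch`), which is the case the article's point is about; comparing the `Signer` column against the certificate chain you expect catches a package that is validly signed but by the wrong party.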

Bencsath also found that the so-called "Mini-Flame" family may have been more of a backup piece of malware in case Flame were to be discovered.

He decided to deploy Mini-Flame, a.k.a. SPE, as the remote control for the "infected" machines in his test. But modifying Mini-Flame and establishing the C&C server required more effort than writing a similar tool from scratch would have, he said. The code was relatively limited, he said, possibly on purpose.

"Its main capability is to execute command and to download files. It's probably mainly for installing a new version ... it has limited capabilities, so maybe it's not the best tool for espionage," he said. He believes Mini-Flame may be a backup for Flame if that C&C were taken down.

"Mini-Flame uses different C&C servers, so this makes sense," he said.

Meanwhile, Bencsath concluded that Duqu's keylogger is basically just another keylogger: "There are a large number of other solutions available on the Internet, so you don't need to use Duqu's. There is no real use to abuse the Duqu keylogger."

So what do his findings say about the potential for these malware families to be repurposed in other attacks? "I don't know what the story is or the conclusion. This [reconfiguring the malware] can be done, for sure. But how much good [it is] for the attacker would be hard to judge," he said.

"On the one hand, I successfully abused the Duqu kernel exploit and Windows Update, and, with minor modifications, I could run SPE and design a command-and-control server," he said. "And with minimal work, I could use the keylogger."

Overall, Bencsath said he spent about 100 to 150 hours on the project. "That is not too much time ... so it's easy to abuse the malware," he said.

He said another challenge in repurposing these attacks is that there are still some unknowns about the malware. "The public information misses some detail that is not published or analyzed," he said.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
