Meet the New Cyberespionage Program: Flame
Researchers have discovered a massive piece of malware that seems to be yet another cyberweapon designed to target Iran and other Middle Eastern nations.
Remember Stuxnet, the malware that has been called the first cyber weapon, designed specifically to target Iran’s nuclear enrichment program and possibly developed by hackers in the employ of Israel, the US, or another anti-Iranian nation? Well, say hello to its younger sister.
Kaspersky Labs discovered and dubbed the malware “Flame.” Dwarfing Stuxnet in size, it is believed to be part of an ongoing, highly coordinated cyberespionage operation being run by some nation, though exactly which is unknown at this point. Though it obviously was not written by the same group that wrote Stuxnet, the complexity, geographic scope of infection, and behavior indicate that it is the work of a large organization, something on the level of a nation-state. This marks Flame as another piece in the growing arsenal of cyberweaponry and warfare.
Early analysis of Flame indicates that its primary purpose is to spy on users of infected computers, stealing documents, conversations, and keystrokes, along with opening a backdoor to allow tweaks and new functionality or new pieces of malware to be sent remotely. Kaspersky has called it “one of the most complex threats ever discovered.” It contains over 20 megabytes (a MASSIVE amount of data for a piece of malware) with all of its modules included, including multiple libraries, SQLite3 databases, encryptions of various strengths, and 20 hot-swappable plug-ins that provide various functionality for the attackers. It even includes a strikingly unique choice of language; some of the code is written in LUA, a highly uncommon choice for malware.
It appears that Flame has been operating from as early as March 2010, but it has remained undetected by antivirus companies until recently. This is very interesting, especially considering the size of the package. Generally, the larger a piece of software, the easier it is to detect as malicious, though in this case, the malware remained undiscovered for more than two years. Clues have appeared that Flame may actually date back as far as 2007, around the same time Stuxnet and its sister weapon DuQu were being coded. Due to the size and complexity of the code, however, complete analysis may take years. (For comparison, Stuxnet took more than six months to fully analyze)
Flame was discovered roughly two weeks ago when the UN International Telecommunications Union (ITU) asked Kaspersky to look into reports filed in April of computers from the Iranian Oil Ministry and the Iranian National Oil Company with malware which stole and deleted information from the machines. Researchers searched through their archive of automated reports, eventually putting together a picture of Flame that showed it infecting machines across the Middle East. It was dubbed Flame after one of the modules in the toolkit. Some of the capabilities include a module that turns on the internal microphone of the infected computer to record any conversation in the vicinity, a module that connects to nearby Bluetooth devices (if the computer is Bluetooth-capable) to siphon contact information from phones, and a module that grabs screenshots of activity such as messaging and email before sending them through a covert SSL channel to the C&C (command and control) servers.
There is also a sniffer module that collects network packet information, sending usernames and password hashes back to the attacker, which can be used to hijack admin accounts or high-level access to other machines on the network.
Because of its size, Flame transmits itself in pieces. The first piece is a 6 megabyte component containing around 6 modules, which are extracted, decompressed, decrypted, and written to various locations on the disk. The malware then connects to a C&C server to deliver information about the infected machine and receive further instructions. There are five hardcoded domains, and also an updatable list that new domains can be added to should the other domains be taken down or abandoned; while waiting, the malware sniffs traffic, takes screenshots, or performs whatever other action is needed by the attacker.
Despite its similarity to Stuxnet and DuQu in target and implications, Flame doesn’t resemble either of those two in framework used, design, or functionality. Stuxnet and DuQu were compact and efficient, though still somewhat large by malware standards. Flame is absolutely massive due to its dormant capabilities which seem to be included to give the attacker options for other attack vectors after installation; compare its 20 MB to Stuxnet’s 500 KB. Only two specific things are similar between Flame and Stuxnet; everything else is entirely different.
One of those similarities is an export function that allows the malware to be executed on the system. Also, it spreads through the autorun and .lnk vulnerabilities on the local machine, and the print spool vulnerability to spread on a local network.
However, Flame does not spread itself. The propagation methods are disabled by default, and the USB exploit is disabled immediately after infecting a USB drive inserted into the computer. It’s likely that this is a measure taken to prevent the rapid, uncontrollable spread of the malware, lessening the likelihood of discovery. In comparison, Stuxnet’s rapid and widespread infection accelerated the discovery process in that malware’s case. It’s also possible that the propagation methods were enabled by default, but were turned off after the outing of Stuxnet.
Researchers have yet to determine how an initial infection occurs before it begins to spread. There’s a possibility it’s using a zero-day exploit researchers have yet to find, because it is able to infect a fully patched machine running Windows 7.
The earliest signs of Flame trace back to a computer in Iran on March 1st of 2010, but other unique files found in Flame have been found to have been on machines in Europe on December 5th, 2007 and Dubai on April 28th, 2008.
Kaspersky Labs estimates that Flame has infected around 1,000 machines. This might seem paltry, especially in comparison to the Flashback attack that affected more than 600,000 Macs around the world, though it’s obvious that this malware isn’t the usual cybercrime type, instead being specifically targeted to a certain area of the world. Each infection Kaspersky has found appears to have been specifically targeted, with no specific industry or system targeted in particular.
In an attempt to throw researchers off their scent, the attackers manipulated the compilation date of some of the modules, making it appear that they were compiled in 1994 or 1995, when they’re using code that wasn’t released until 2010.
There is no specific kill date coded into the malware, but a kill module can be sent to the system, which erases all trace of the malware from the system, including any screenshots or other data that’s been stored waiting to be sent to a server.
Watch out for any stray blinking activity lights from your computer…