Flame ‘Redefines Cyber Espionage’

by John Reed on May 29, 2012

Yup, the Flame worm, widely described as Stuxnet’s follow-on, is making its way through computers in the Middle East. It can take snapshots of an infected computer’s screen, record audio conversations through the computer’s microphone and steal ordinary files.

It can also be remotely reprogrammed to switch from intelligence gathering to an offensive mode, turning itself into a cyber weapon capable of disrupting its target’s functions, much as the Stuxnet virus did to Iran’s uranium enrichment centrifuges.

All of these advanced features in one worm led Internet security firm Kaspersky to call the arrival of Flame “another phase in this [cyber] war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

Or as former DT cyber writer Kevin Coleman quoted another analyst as saying, “Flame redefines cyber espionage, it makes all the other software in that category look like cheap toys!”

Below, you’ll find the statement on Flame from Iran’s computer emergency response team (the Maher center). Keep in mind that Tehran’s nuclear program is the likely target of the worm, which some experts say may take years to fully dissect.

Having conducted multiple investigations during the last few months, the Maher center, the Iranian CERTCC, following its continuous research on the targeted attacks of Stuxnet and Duqu since 2010, announces the detection of this latest attack for the very first time.

The attack, codenamed “Flame”, is launched by a new piece of malware. The name “Flame” comes from one of the attack modules, located at various places in the decrypted malware code. In fact this malware is a platform which is capable of receiving and installing various modules for different goals. At the time of writing, none of the 43 tested antivirus products could detect any of the malicious components. Nevertheless, a detector was created by the Maher center and delivered to selected organizations and companies in the first days of May, and a removal tool is now ready to be delivered.

Some features of the malware are as follows:

· Distribution via removable media
· Distribution through local networks
· Network sniffing, detecting network resources and collecting lists of vulnerable passwords
· Scanning the disk of the infected system looking for specific extensions and contents
· Creating a series of screen captures when specific processes or windows are active
· Using the infected system’s attached microphone to record ambient sound
· Transferring saved data to control servers
· Using more than 10 domains as C&C servers
· Establishment of secure connections with C&C servers through the SSH and HTTPS protocols
· Bypassing tens of known antivirus, anti-malware and other security products
· Capable of infecting Windows XP, Vista and 7 operating systems
· Infecting large-scale local networks

According to file naming conventions, propagation methods, complexity level, precise targeting and superb functionality, it seems that there is a close relation to the Stuxnet and Duqu targeted attacks.

The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat.

Hunter76 May 29, 2012 at 5:50 pm

So how did they get the source code (which presumably only resides in the secret lab of the hacking agency), as opposed to the machine code in the infected computers?

Ben May 29, 2012 at 8:42 pm

That’s why I think they don’t actually have a fix yet… just a bluff. Or possibly Flame has a fake drawback… appears to be gone and normal activities resume until it reemerges with the prime data.

Confused Redditor May 29, 2012 at 9:07 pm

Reverse engineering of the code? Also, interesting thing to point out: Kaspersky found this by accident while trying to chase down another virus.

NathanS May 29, 2012 at 9:16 pm

You can decompile an executable. After all, if a microprocessor can interpret and execute a command given to it, then so can the security experts. I've had to do this at a commercial level (when a company has lost its source code), but never at this kind of level.

Usually binaries with sensitive information go through a process called 'obfuscation' which makes reverse engineering much more difficult and time consuming – but not impossible.

Jared May 30, 2012 at 8:40 am

They probably use IDA Pro Advanced and the Hex-Rays decompiler like most of the reversing crowd.

Bill May 29, 2012 at 7:05 pm

Serves governments right for using a bug-ridden OS like Windows. Whose stupid idea was that anyway?

4FingerOfBourbon May 29, 2012 at 7:18 pm

lol really…

Prodozul May 29, 2012 at 8:08 pm

Just out of curiosity, what OS would you have used?

Linux?
iOS?

Adam May 29, 2012 at 8:47 pm

Stripped down unix.

Joeblow May 30, 2012 at 4:15 am

blight_ May 30, 2012 at 10:25 am

Old version of DOS. Eight character naming schemes are enough for me.

Lance May 29, 2012 at 8:40 pm

Let the Geek wars begin.

Viking USofA May 29, 2012 at 9:52 pm

The systems you are referring to are known in the industry as Trusted Operating Systems and can approach $100k a pop. Why use the great Satan's software anyway? Of course every country could always develop their own TOS and or OS. Yeah, check that short list out.

sev May 30, 2012 at 12:10 am

China is doing that as we speak. Then their systems will be that much safer in the event of war with the US, whose electronics THEY manufacture.

how now brown cow May 31, 2012 at 9:02 pm

But America writes all the firmware and operating systems that run on what they build. Also while a lot of our computer hardware is manufactured in Asia, it is mostly in places like Thailand, not China.

moronoxy??what? December 3, 2013 at 7:26 am

And who REALLY OWNS those plants? :-) Or, how difficult do you think it is that the Chinese could infiltrate those plants and sabotage the hardware? With all the spare money they have to throw around, bribe, etc. …..hahahahahaha….. not that difficult at all IMHO. :-)

Joeblow May 30, 2012 at 4:14 am

Initial reports are that traces of this spyware have been around since perhaps as far back as 2007. If they are just discovering this now, who knows what other kind of crud is out there undetected? Are there viruses out there even more sophisticated?

And if there are, does anyone seriously believe that corporate will do anything about it? Corporations will not patch because of the expense. They will simply factor it in as the cost of doing business and pass on the cost to the consumers.

smr June 7, 2012 at 8:02 am

"If they are just discovering this now, who knows what other kind of crud is out there undetected?"

Bits and pieces of this software (such as a dropper component) have been detected and blocked since 2007. It's only now that someone managed to link up all the dots, if you will, get a complete picture.

"Are there viruses out there even more sophisticated?"
Yes. This is old, if carefully built.

Nenad May 30, 2012 at 5:14 am

I hope this will do the job with Iran, and no war will be needed. It would be the best possible outcome, sadly still an unlikely one.

TonyC May 30, 2012 at 6:25 am

Moral of this story: "Don't put any sensitive information on the internet or on systems connected to the internet." Doesn't matter how sophisticated the anti-virus software has become, they are always playing catch-up.

WW Rutland May 30, 2012 at 8:23 am

OH S**t, will it eat my porn?

Jared May 30, 2012 at 8:42 am

No, it will splice in swap.avi and 2girls1cup into all of your porn at the worst possible time.

Jayson May 30, 2012 at 10:14 am

and then post it to your facebook

Dave M May 30, 2012 at 11:50 pm

It's even worse, it can turn your webcam and mic on to record you enjoying it.

platypusfriend May 30, 2012 at 10:27 am

My first thought was that, however disassembled or reverse engineered, the source code shown in the image of this article is a Lua script that "scripts" the main code. Anyone else?

blight_ May 31, 2012 at 4:11 pm

Some other groups have noticed the choice of Lua, which was rather strange…

smr June 7, 2012 at 8:06 am

Yes, it is Lua. Apparently the idea is to be able to modify behaviour on the fly, with minimal coding effort and without access to the code of the major components. This is the kind of stuff you'd do when you want to compartmentalize: the people customizing this software for agents who are actually in the field may be low-level hackers, possibly even for hire.
