Flame Wars: Stuxnet Far Surpassed by Data-Stealing Trojan
By Mark Devlin
May 28, 2012
Note: While sources are linked for reader convenience within this article, also see the complete list of references that follows.
Less than 24 months ago—at least a decade in industrial-time—we began covering Stuxnet, the wicked-advanced, Iran-targeting, DHS-scrambling, Mission Impossible sequel-inspiring Stuxnet worm. Since then, there have been Stuxnet variants that’ve caused continued concern—even panic—in some necks of the commercial and industrial woods.
Experts really didn’t believe that something more advanced—considerably more advanced than Stuxnet and its siblings—would appear on the cyber threat landscape for quite a while. Stuxnet itself was so advanced that pundits didn’t believe that anyone would have the resources to create something much nastier any time soon.
Well, it turns out that someone does, in fact, have such enormous resources.
Discovered by Russia-based Kaspersky Lab and called the ‘Flame’ worm/Trojan (technically Worm.Win32.Flame), named due to references in the installation code…
(Image courtesy of Kaspersky Lab)
So far, as was the case with Stuxnet, Iran’s been hardest hit by infections, though other Middle Eastern countries are also racking up their own outbreaks. Interestingly, at the time this Wired Threat Level article was published on Monday, Israel/Palestine was No. 2 in infections. Computers at the Iranian Oil Ministry and the Iranian National Oil Company have been hit. While it’s still very early to tell, Kaspersky Lab estimates that, so far, 1,000 to 5,000 computers have been infected with Flame.
(Image courtesy of Kaspersky Lab)
(It’s also been referred to as Skywiper by McAfee, not to be confused with the Wiper/Viper threat that’s been erasing hard drives in the Middle East, according to this piece at VentureBeat. That one caused Iran to shut down Internet access to its entire oil infrastructure.)
We’re not talking hackers or typical corporate espionage here. All sources and multiple experts, including Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, are, so far, calling it ‘state-run’ cyber-espionage. The United Nations expects that Flame is the work of a ‘nation-state.’
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
When all related modules (numbering 20 plug-ins) are installed, Flame’s size is 20 MB—that’s 100 times the size of typical malicious software, according to this article at News.com.au. Is Flame really new code? It is, but it’s been lurking in silicon for a while. So far, clues indicate that it too, like Stuxnet, has been around in very limited ways since 2007-2008 and was officially fired up in the wild in 2010—undetected.
Kaspersky is calling Flame “the most sophisticated cyberweapon ever unleashed.”
Directly from the above-linked McAfee article is Flame’s to-do list…
- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls and thread start manipulation, and code injections to key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
- Using SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources
Perhaps even more insidiously, according to this article at CBS News, it can also…
…activate a computer's audio systems to eavesdrop on Skype calls or office chatter, for example. It can also take screenshots, log keystrokes, and - in one of its more novel functions - steal data from Bluetooth-enabled cell phones.
To badly imitate Larry the Cable Guy, yes, that’s a holy $&%! moment raht dere.
Hold on. It gets worse. Flame functionality can be modified remotely. Need different capability for a particular situation? There’s a Flame ‘app’ for that, according to a reference in this article at MyFoxBoston…
Alan Woodward, a professor of computing at the University of Surrey in England, said functions can be added or subtracted to the virus depending on what kind of espionage is desired, not unlike the way apps can be downloaded to a smartphone.
Sounds pretty serious, right? Well, it gets even more serious.
The United Nations plans to issue a ‘sharp’ but confidential warning to member states that Flame ‘…is a dangerous espionage tool that could potentially be used to attack critical infrastructure,’ according to this article at CNBC…
"This is the most serious (cyber) warning we have ever put out," said Marco Obiso, cyber security coordinator for the U.N.'s Geneva-based International Telecommunications Union.
Instead of the more commonly perceived threat of a virus, worm, or Trojan—to wipe data or bring down systems—Flame is out to grab data—a lot of it in many forms…
“It looks like the creators of Flame are simply looking for any kind of intelligence — e-mails, documents, messages, discussions inside sensitive locations, pretty much everything,” said [Alexander Gostev, Kaspersky Lab’s head of global research and analysis] in the blog post. “We have not seen any specific signs indicating a particular target such as the energy industry — making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.”
It doesn’t appear to be attacking SCADA systems. (Yet?)
How does infection take place? The usual suspects: infected USB sticks, websites, or email links—with device-to-device infection then spreading across the local network.
(Image courtesy of Kaspersky Lab)
Grabbing and transmitting such potentially enormous amounts of data—and getting that booty back to its sponsors—of course implies considerable computing power, along with lots and lots of servers, storage, databases, and filters, so that the returned data can be organized and analyzed relatively easily. According to this Times of India article…
The creators of the virus used a network of some 80 servers across Asia, Europe and North America to remotely access infected machines. They can change settings on personal computers and quietly gather the stolen data. It is the largest such Command and Control network identified to date.
Who has such resources?
Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, said he thought four countries, in no particular order, had the technological know-how to develop so sophisticated an electronic offensive: Israel, the U.S., China and Russia.
According to this article at USAToday…
Speaking Tuesday, Israel's vice premier did little to deflect suspicion about the Jewish state's possible involvement in the latest attack.
"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," Israeli Vice Premier Moshe Yaalon told Army Radio when asked about Flame. "Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."
Maybe it’s just me, but, ironically, days before Flame was discovered, it was announced that Iran had doubled its enriched-uranium stockpile. Connection?
Kaspersky Lab commented in multiple sources that Flame’s so complex that understanding it could take up to a decade.
Meanwhile, Iran has announced that it has already developed and made available an anti-virus solution to recognize and remove Flame.
It’s difficult, if not impossible, to wrap this one up on a perky note, except to say that vigilance and protection are paramount for any organization.
Let’s take a moment to reflect on another statement from Kaspersky Lab…
“No country is safe from ‘Flame’ super-virus attack.”
Man, I wish I were making this stuff up.
References
- Meet ‘Flame,’ the Massive Spy Malware Infiltrating Iranian Computers (Wired Threat Level)
- “Incredibly Sophisticated” Cyber War Tool Unveiled Today, Hitting the Middle East
- Iran Says Flame Virus Could Be Cause Behind “Mass Data Loss,” UN to Send Out Warning
- Iran, Other Mideast States Hit by Computer Virus (My Fox Boston)
- UN Agency Plans Major Warning on Flame Virus Risk
- Skywiper – Fanning the ‘Flames’ of Cyberwarfare
- Advanced Malware Targets Middle East (The Wall Street Journal)
- Iran Claims Coming Up With Anti-Virus against ‘Flame’ Spy Malware
- Flame Virus Abilities Expand With Bluetooth
- New Cyberweapon Discovered; Iran Computers Hit
- ‘No Country Is Safe From “Flame” Super-Virus Attack’ – Kaspersky Lab
- Iran Doubles Enriched-Uranium Stockpile and Goes Beyond 20%
- Flame Virus: Five Facts to Know (The Times of India)
- Flame ‘Redefines Cyber Espionage’
- Stuxnet X20: Massive Cyber Spy Virus ‘Flame’ Hits Iran, Israel
- Flame Virus ‘Much Bigger Than Stuxnet’ (XIN MSN News)
- “Flame” Computer Virus Strikes Middle East; Israel Speculation Continues