Flame: computer virus more complex than Stuxnet

Discussion in 'Strategic Forces' started by LurkerBaba, May 31, 2012.

  1. LurkerBaba

    LurkerBaba Staff Administrator

    Joined:
    Jul 2, 2010
    Messages:
    6,769
    Likes Received:
    3,678
    Location:
    India
    Flame is incredibly complex: it can record keystrokes, take screenshots of IM conversations and record audio! Worse, it wasn't detected for 5 whole years!

    ----

    "The variety of spy tools that Flame employs is astonishing. According to Kaspersky, "of course, other malware exists which can record audio, but key here is Flame's completeness -- the ability to steal data in so many different ways." It also takes snapshots of instant messages and records a user's keystrokes. Flame is remotely controlled through a command and control server and it's highly dynamic. In other words, it has been updated remotely since it was first launched at least as early as March 2010 and its "creators are constantly introducing changes into different modules" which expand its functionality. Now that it has been detected, the Iranian CERT apparently offers infected users a removal tool."

    Flame: world's most complex computer virus exposed - Telegraph

    ---

    Some are speculating that Israel is behind this. Iran has been the main target.


    ---

    Iran National CERT (MAHER) has released a removal tool

    مركز مدیریت امداد و هماهنگی عملیات رخدادهای رایانه ای:: Identification of a New Targeted Cyber-Attack
     
  3. LurkerBaba

    LurkerBaba Staff Administrator

    Joined:
    Jul 2, 2010
    Messages:
    6,769
    Likes Received:
    3,678
    Location:
    India
    Article from FP on Flame

    ---


    Stuxnet was a monster computer virus. Flame is 20 times larger -- and it's been out there, listening, for years.


    Full article: Flame Thrower - By Tim Maurer and David Weinstein | Foreign Policy
     
    kaustav2001 and Kunal Biswas like this.
  4. LurkerBaba

    LurkerBaba Staff Administrator

    Joined:
    Jul 2, 2010
    Messages:
    6,769
    Likes Received:
    3,678
    Location:
    India
    Some public sources:

    Over the past few days, we have been analyzing a potential new threat that has been operating discreetly for at least two years. We were contacted about this threat by Crysys who have released their own analysis. (The threat is referred to by CrySys as 'Skywiper'). There are indications that W32.Flamer is also the same threat as described recently by the Iranian national cert. Our analysis of the retrieved samples reveals complex code that utilizes several components. At first glance, the executable appears to be benign but further inspection reveals cleverly concealed malicious functionality.

    The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.

    While our analysis is currently ongoing, the primary functionality is to obtain information and data. Initial telemetry indicates that the targets of this threat are located primarily in Eastern Europe and the Middle East. The industry sectors or affiliations of the individuals targeted are currently unclear. However, initial evidence indicates that the victims may not all be targeted for the same reason. Many appear to be targeted for individual personal activities rather than the company they are employed by. Symantec detects this threat as W32.Flamer.





    Figure 1. Timeline of threat activity


    In addition to our initial telemetry, there are unconfirmed reports of infections dating back to 2007 as well. We expect to be able to confirm these reports in the coming days.


    Figure 2. Distribution of the threat


    Based on the number of compromised computers, the primary targets of this threat are located in the Palestinian West Bank, Hungary, Iran, and Lebanon. However, we have additional reports in Austria, Russia, Hong Kong, and the United Arab Emirates. These additional reports may represent a targeted computer that was temporarily taken to another region—for example, a laptop. Interestingly, in addition to particular organizations being targeted, many of the compromised computers appear to be personal computers being used from home Internet connections.


    http://www.symantec.com/connect/blo...cated-and-discreet-threat-targets-middle-east
     
    LETHALFORCE and Kunal Biswas like this.
  5. LurkerBaba

    LurkerBaba Staff Administrator

    Joined:
    Jul 2, 2010
    Messages:
    6,769
    Likes Received:
    3,678
    Location:
    India
    From Kaspersky Lab:

    Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.

    Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seem to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.

    ...

    What are the notable info-stealing features of Flame?

    Although we are still analyzing the different modules, Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library.

    Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule. We are still analyzing this; more information will be available on our website soon.

    The malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server - just like the audio recordings.
    We are still analyzing this component and will post more information when it becomes available.


    When was Flame created?

    The creators of Flame specially changed the dates of creation of the files in order that any investigators couldn’t establish the truth regarding the time of creation. The files are dated 1992, 1994, 1995 and so on, but it’s clear that these are false dates.

    We consider that in the main the Flame project was created no earlier than in 2010, but is still undergoing active development to date.


    Who is responsible?

    There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown.

    Why are they doing it?


    To systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and so on. Here’s a map of the top 7 affected countries:


    Was this made by the Duqu/Stuxnet group? Does it share similar source code or have other things in common?


    In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu.

    The Flame: Questions and Answers - Securelist
     
    kaustav2001 and Kunal Biswas like this.
  6. LurkerBaba

    LurkerBaba Staff Administrator

    Joined:
    Jul 2, 2010
    Messages:
    6,769
    Likes Received:
    3,678
    Location:
    India
    From Iran National CERT (MAHER):

    مركز مدیریت امداد و هماهنگی عملیات رخدادهای رایانه ای:: Identification of a New Targeted Cyber-Attack
     
    Kunal Biswas likes this.
  7. LurkerBaba

    LurkerBaba Staff Administrator

    Joined:
    Jul 2, 2010
    Messages:
    6,769
    Likes Received:
    3,678
    Location:
    India
    Speculation

    ....

    Flame: Israel, U.S. Behind Super Cyber Spy Tool? - ABC News
     
    Kunal Biswas likes this.
  8. Oracle

    Oracle New Member

    Joined:
    Mar 31, 2010
    Messages:
    8,120
    Likes Received:
    1,541
    Location:
    Bangalore, India
    Coders Behind the Flame Malware Left Incriminating Clues on Control Servers


    The attackers behind the nation-state espionage tool known as Flame accidentally left behind tantalizing clues that provide information about their identity and that suggest the attack began earlier and was more widespread than previously believed.

    Researchers have also uncovered evidence that the attackers may have produced at least three other pieces of malware or variants of Flame that are still undiscovered.

    The information comes from clues the attackers inadvertently left behind on two command-and-control servers they used to communicate with infected machines and steal gigabytes of data from them.

    Flame, also known as Flamer, is a highly sophisticated espionage tool discovered earlier this year that targeted machines primarily in Iran and other parts of the Middle East. It’s believed to have been created by the United States and Israel, who are also believed to be behind the groundbreaking Stuxnet worm that aimed to cripple centrifuges used in Iran’s nuclear program.

    The new clues show that work on parts of the Flame operation began as early as December 2006, nearly six years before Flame was discovered this year, and that more than 10,000 machines are believed to have been infected with the malware.

    Although the 2006 date refers to the development of code used in the command-and-control servers and doesn’t necessarily mean the malware itself was in the wild during all of this time, Vikram Thakur, a researcher with Symantec Security Response, says the details are still troubling.

    “For us to know that a malware campaign lasted this long and was flying under the radar for everyone in the community, it’s a little concerning,” he says. “It’s a very targeted attack, but it’s a very large-scale targeted attack.”

    The new details about the operation were left behind despite obvious efforts the attackers made to wipe the servers of forensic evidence, according to reports released Monday by researchers from Symantec in the U.S. and from Kaspersky Lab in Russia.

    The two security firms conducted the research in partnership with BUND-CERT, the federal computer emergency response team in Germany, and ITU-IMPACT, the cybersecurity arm of the United Nation’s International Telecommunications Union.

    Although the attackers clearly were part of a sophisticated nation-state operation, they made a number of mistakes that resulted in traces of their activity being left behind.

    According to data gleaned from the two servers the researchers examined:

    At least four programmers developed code for the servers and left their nicknames in the source code.
    One of the servers communicated with more than 5,000 victim machines during just a one-week period last May, suggesting the total victims exceed 10,000.
    The infections didn’t occur at once, but focused on different groups of targets in various countries at different times; one server focused primarily on targets in Iran and Sudan.
    The attackers stole massive amounts of data – at least 5.5 gigabytes of stolen data inadvertently left behind on one of the servers was collected in one week.
    The four pieces of malware used different custom protocols to communicate with the servers.
    The attackers used a number of means to secure their operation as well as the data they stole – although they left behind gigabytes of purloined data, it was encrypted using a public key stored in a database on the servers and an unknown private key, preventing the researchers and anyone else without the private key from reading it.
    The attackers, perhaps suspecting that their operation was about to be uncovered last May, attempted a cleanup operation to wipe the Flame malware from infected machines.

    Flame was discovered by Kaspersky and publicly disclosed on May 28. Kaspersky said at the time that the malware had targeted systems in Iran, Lebanon, Syria, Sudan, Israel and the Palestinian Territories, as well as other countries in the Middle East and North Africa. Kaspersky estimated at the time that the malware had infected about 1,000 machines.

    The malware is highly modular and can spread via infected USB sticks or a sophisticated exploit and man-in-the-middle attack that hijacks the Windows Update mechanism to deliver the malware to new victims as if it were legitimate code signed by Microsoft.

    Once on machines, Flame can steal files and record keystrokes, as well as turn on the internal microphone of a machine to record conversations conducted over Skype or in the vicinity of the infected computer.

    Previous research on Flame conducted by Kaspersky found that Flame had been operating in the wild undetected since at least March 2010 and that it might have been developed in 2007.

    But the new evidence indicates that development of code for the command-and-control servers – servers designed to communicate with machines infected with Flame – began at least as early as December 2006. It was created by at least four programmers, who left their nicknames in the source code.

    The Flame operation used numerous servers for its command-and-control activities, but the researchers were able to examine only two of them.

    The first server was set up on March 25 and operated until April 2, during which it communicated with infected machines from 5,377 unique IP addresses from more than a dozen countries. Of these, 3,702 IP addresses were in Iran. The country with the second largest number was Sudan, with 1,280 hits. The remaining countries each had fewer than 100 infections.


    The researchers were able to uncover the information, because the attackers had made a simple mistake.

    “The attackers played with the server settings and managed to lock themselves out of it,” says Costin Raiu, senior security researcher for Kaspersky.

    Left behind on the locked server were the http server logs, showing all of the connections that came in from infected machines. Researchers also found about 5.7 gigabytes of data stored in a compressed and encrypted file, which the attackers had stolen from victims’ machines.

    “If their collection of 6 gigabytes of data in a span of ten days in March is indicative of how prevalent their campaign was for multiple years in the past, they probably have terabytes of information that they collected from thousands and thousands of people across the globe,” says Symantec’s Thakur.

    The second server was set up on May 18, 2012, after Kaspersky had discovered Flame, but before the company had publicly disclosed its existence. The server was set up specifically to deliver a kill module, called “browse32,” to any infected machine that connected to it, in order to delete any trace of Flame on the machine. It may have been set up after the attackers realized they’d been caught.

    Raiu says the attackers may have realized Flame had been discovered after a honeypot machine belonging to Kaspersky reached out to the attackers’ server.

    “Around the 12th of May, we connected a virtual machine infected by Flame to the internet, and the virtual machine connected to the [attackers'] command-and-control servers,” he says.

    Five hours after the server with the kill module was set up on the 18th, it received its first hit from a machine infected with Flame. The server remained in operation only about a week, communicating with a few hundred infected machines, says Symantec.

    Four Coders

    The four programmers who developed code for the servers and left their nicknames in the source code, were part of a sophisticated operation that likely included multiple teams – a coordinating team tasked with choosing the specific targets to attack and examining all of the stolen data that came in from them; a team responsible for writing the malware and command modules; and a team of operators for setting up and maintaining the command-and-control servers, sending command modules out to infected machines and managing the stolen data once it came in.

    Symantec and Kaspersky have redacted the nicknames of the four coders and identified them only by the first initial of their nicknames – D, H, O, and R.


    Thakur said he’s never seen nicknames left in malware except in low-level malware that’s unsophisticated. But the coders in the Flame operation were clearly a higher caliber than this.

    “Maybe they just never expected their server to reach the wrong hands,” he says. “But considering that Flamer has links to Stuxnet and DuQu, we would have expected not to see these names. But, at the end of the day, they’re human.”

    Of the four coders, “D” and “H” were the more significant players, since they handled interactions with infected computers, and were responsible for creating two of the four protocols the servers used to communicate with malware on infected machines.

    But “H” was the most experienced of the group, responsible for some of the encryption used in the operation. Raiu calls him a “master of encryption,” and notes that he was responsible for implementing the encryption of data stolen from victim machines.

    “He coded some very smart patches and implemented complex logic,” Kaspersky writes in its report. “We think [he] was most likely a team lead.”

    “O” and “R” worked on a MySQL database used in the operation, as well as the development of cleanup files that were used to wipe data from the servers.

    Based on timestamps of activity on the servers, Symantec thinks the coders were based in Europe, the Middle East or Africa.

    Command-and-Control Server Setup

    The command-and-control servers hosted a custom web application the programmers developed — called NewsforYou — to communicate with infected machines. Through the application’s control panel, the attackers could send new modules to infected clients and retrieve stolen data.

    The password for the control panel was stored as an MD5 hash, which the researchers were unable to crack.

    The control panel was disguised to resemble a content management system that a news organization or a blog publisher might use, so that any outsider who gained access to the panel wouldn’t suspect its real purpose.

    While command-and-control servers used by cybercriminal groups generally have showy control panels with the words “bot” or “botnet” clearly labeled on them, making their malicious purpose immediately apparent, the control panel used in the Flame operation was barebones in design and used euphemistic terms to conceal its real purpose.

    For example, file directories for storing malicious modules to send to infected machines were named “News” and “Ads.” The “News” directory held modules meant to be sent to every machine, while “Ads” held modules intended only for select machines. Data purloined from infected machines was stored in a directory called “Entries.”

    The attackers also used a number of security features to prevent an unauthorized party who gained control of the server from sending arbitrary commands to infected machines or reading stolen data.

    Often, criminal control panels use a simple point-and-click menu of options for the attackers to send commands to infected machines. But the Flame operation required the attackers to create a command module, place it in a file with a specially formatted name and upload it to the server. The server would then parse the contents of the file, and place the module in the appropriate location, from where it could be pushed out to infected machines.

    Symantec said this complicated style, which prevented server operators from knowing what was in the modules they were sending to victims, had the hallmarks of “military and/or intelligence operations,” rather than criminal operations.

    Similarly, data stolen from victim machines could only be decrypted with a private key that was not stored on the server, likely so that server operators could not read the data.

    The researchers found evidence that the command-and-control servers were set up to communicate with at least four pieces of malware.

    The attackers refer to them, in the order they were created, as SP, SPE, FL, IP. “FL” is known to refer to Flame, a name that Kaspersky gave the malware back in May, based on the name of one of the main modules in it (Symantec refers to the same malware as Flamer). IP is the newest malware.

    Aside from Flame, none of the other three pieces of malware have been discovered yet, as far as the researchers know. But according to Raiu, they know that SPE is in the wild because a handful of machines infected with it contacted a sinkhole that Kaspersky set up in June to communicate with machines infected with Flame. They were surprised when malware that was not Flame contacted the sinkhole as soon as it went online. They only recently realized it was SPE. The SPE infections came in from Lebanon and Iran.

    Each of the four pieces of malware uses one of three protocols to communicate with the command-and-control server – Old Protocol, Old E Protocol, or SignUp Protocol. A fourth protocol, called Red Protocol, was being developed by the operators but had not been completed yet. Presumably, the attackers planned to use this protocol with yet a fifth piece of malware.

    Clean-Up and Coding Gaffes

    The attackers took a number of steps to delete evidence of their activity on the servers, but made a number of mistakes that left telling clues behind.

    They used a script called LogWiper.sh to disable certain logging services and delete any logs already created by those services. At the end of the script, there was even an instruction to delete the LogWiper script itself. But the researchers discovered the script contained an error that prevented this from occurring. The script indicated that a file named logging.sh should be deleted, not LogWiper.sh, leaving the script behind on the server for the researchers to find.

    They also had a script designed to delete temporary files at a regularly scheduled time each day, but the script had a typo in the file path, so that it couldn’t find the tool it needed to erase the files.

    Wired
     
  9. Apollyon

    Apollyon Führer Senior Member

    Joined:
    Nov 13, 2011
    Messages:
    2,600
    Likes Received:
    2,380
    Location:
    आर्यावर्त
    Re: Coders Behind the Flame Malware Left Incriminating Clues on Control Servers

     
  10. SajeevJino

    SajeevJino Long walk Elite Member

    Joined:
    Feb 21, 2012
    Messages:
    5,654
    Likes Received:
    3,032
    Location:
    Inside a Cage
    Global cyber war: New Flame-linked malware detected

    A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The anti-virus giant’s chief warns that global cyber warfare is in “full swing” and will probably escalate in 2013.



    The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States and Lithuania. It was discovered in July 2012 and is described as “a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations,” Kaspersky Lab said in a statement posted on its website.

    The malware was originally identified as an appendage of Flame – the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran’s nuclear program.

    But later, Kaspersky Lab analysts discovered that miniFlame is an “interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware.”

    The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

    “MiniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory,” Kaspersky Lab said.

    Global cyber war: New Flame-linked malware detected — RT
     
