Flame,[a] also known as Flamer, sKyWIper,[b] and Skywiper,[2] is modular computer malware discovered in 2012[3][4] that attacks computers running the Microsoft Windows operating system.[5] The program is being used for targeted cyber espionage in Middle Eastern countries.[1][5][6]
Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT),[5] Kaspersky Lab[6] and the CrySyS Lab of the Budapest University of Technology and Economics.[1] The last of these stated in its report that it "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."[1]
Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]
According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines,[7] with victims including governmental organizations, educational institutions and private individuals.[6] At that time 65% of the infections were in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt,[3][6] with a "huge majority of targets" within Iran.[8] Flame has also been reported in Europe and North America.[9]
Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, when the "kill" command was sent.[10]
History
Flame was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics, after Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.[7] As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after the name of one of its modules.[7]
According to Kaspersky, Flame had been operating in the wild since at least February 2010.[6] CrySyS Lab reported that the file name of the main component was observed as early as December 2007.[1] However, its creation date could not be determined directly, as the creation timestamps of the malware's modules are falsely set to dates as early as 1994.[7]
Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.[11] At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator.[12] However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware.[7] Due to the size and complexity of the program, described as "twenty times" more complicated than Stuxnet, the Lab stated that a full analysis could require as long as ten years.[7]
On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks.[7] After Flame's exposure in news media, Symantec reported on 8 June that some Flame command and control (C&C) computers had sent a "suicide" command to infected PCs to remove all traces of Flame.[10]
Operation
List of code names for various families of modules in Flame's source code and their possible purpose[1]

Name | Description
Flame | Modules that perform attack functions
Boost | Information gathering modules
Flask | A type of attack module
Jimmy | A type of attack module
Munch | Installation and propagation modules
Snack | Local propagation modules
Spotter | Scanning modules
Transport | Replication modules
Euphoria | File leaking modules
Headache | Attack parameters or properties
Flame is an uncharacteristically large program for malware, at 20 megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.[6][13] The malware uses five different encryption methods and an SQLite database to store structured information.[1]
The method used to inject code into various processes is stealthy: the malware's modules do not appear in the listing of modules loaded into a process, and the malware's memory pages are set to READ, WRITE and EXECUTE permissions in a way that, according to the CrySyS report, makes them inaccessible to user-mode applications.[1] For defenders, executable memory regions that are not backed by any loaded module are themselves a strong indicator, and this is what memory scanners look for.
The internal code has few similarities with other malware, but it exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems.[c][1] The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software.[1] Additional indicators of compromise include mutex and registry activity, such as the installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.[13]
Flame is not designed to deactivate automatically, but supports a "kill" function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers.[7]
Flame was signed with a fraudulent certificate purportedly issued by the Microsoft Enforced Licensing Intermediate PCA certificate authority.[14] The malware authors identified a Microsoft Terminal Server Licensing Service certificate that had inadvertently been enabled for code signing and that was still signed using the weak MD5 hashing algorithm. Two weaknesses therefore had to coincide: a signature over an MD5 digest, and a certificate chain that did not restrict the licensing certificate to its intended purpose. The attackers produced a counterfeit certificate with the same MD5 digest as a legitimately issued one, and used it to sign some components of the malware so that they appeared to have originated from Microsoft.[14] Microsoft responded with Security Advisory 2718704, which revoked trust in the affected certificates.[14] A successful collision attack against a certificate had previously been demonstrated in 2008,[15] but Flame implemented a new variation of the chosen-prefix collision attack.[16]
[Table: properties of the compromised Microsoft certificate, showing the weak MD5 algorithm and the unintended code-signing usage; the rows are not present in this copy.]
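The following Python script is an added example and is not Flame's code, nor the attack Stevens reconstructed from it. It shows the structure of a chosen-prefix collision against a signature scheme that signs only a hash: the attacker picks two different prefixes (a benign licensing-style request and a rogue code-signing body, both hypothetical byte strings constructed here), searches for a suffix for each so that the digests collide, has the CA sign the benign one, and the resulting signature verifies over the rogue one. Because a real collision on full 128-bit MD5 requires differential cryptanalysis, the digest here is MD5 truncated to 20 bits so that a birthday search finishes in milliseconds; HMAC with a toy key stands in for the CA's RSA signature. Everything else (names, key, digest width) is an assumption of the example.

```python
"""Toy chosen-prefix collision against a truncated MD5 (added example).

Constructed illustration, not Flame's code: the attacker controls two
DIFFERENT prefixes, finds a suffix for each so that the digests collide,
gets the CA to sign the benign one, and the signature then verifies over
the rogue one. The hash is truncated to 20 bits so a birthday search is
instant; against full MD5 the same structure needs cryptanalysis, not
brute force.
"""
import hashlib
import hmac

DIGEST_BITS = 20                         # toy strength; real MD5 is 128 bits
DIGEST_BYTES = (DIGEST_BITS + 7) // 8
CA_KEY = b"toy-ca-secret"                # stand-in for the CA's private key


def weak_digest(data: bytes) -> int:
    """The first DIGEST_BITS bits of the real MD5 of `data`."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - DIGEST_BITS)


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes,
                                 budget: int = 1 << 13):
    """Birthday search for (suffix_a, suffix_b) such that
    weak_digest(prefix_a + suffix_a) == weak_digest(prefix_b + suffix_b).

    With 20-bit digests and 8192 candidates per side, about 64 colliding
    pairs are expected, so the search does not fail in practice. Suffixes
    carry an 'A'/'B' tag so the two blobs can never be identical.
    """
    table = {}
    for i in range(budget):
        suffix_a = b"A" + i.to_bytes(4, "big")
        table[weak_digest(prefix_a + suffix_a)] = suffix_a
    for j in range(budget):
        suffix_b = b"B" + j.to_bytes(4, "big")
        hit = table.get(weak_digest(prefix_b + suffix_b))
        if hit is not None:
            return hit, suffix_b
    raise RuntimeError("no collision within budget; raise it or lower DIGEST_BITS")


def ca_sign(tbs: bytes) -> bytes:
    """The CA signs only the digest of the to-be-signed blob, which is how
    X.509 signatures work (sign(hash(tbsCertificate))). HMAC stands in
    for RSA here, so the signature is exactly as strong as the digest."""
    digest = weak_digest(tbs).to_bytes(DIGEST_BYTES, "big")
    return hmac.new(CA_KEY, digest, hashlib.sha256).digest()


def ca_verify(tbs: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(ca_sign(tbs), signature)


def forge_rogue_signer():
    """Run the attack end to end and report what a verifier would see."""
    # Hypothetical certificate bodies, constructed for the example.
    benign = b"CN=Contoso Licensing Server;EKU=serverAuth;CA=FALSE;"
    rogue = b"CN=Contoso Code Signing;EKU=codeSigning;CA=TRUE;"
    suffix_a, suffix_b = find_chosen_prefix_collision(benign, rogue)
    tbs_benign, tbs_rogue = benign + suffix_a, rogue + suffix_b
    signature = ca_sign(tbs_benign)       # the CA willingly signs the benign request
    return {
        "blobs_differ": tbs_benign != tbs_rogue,
        "weak_digests_match": weak_digest(tbs_benign) == weak_digest(tbs_rogue),
        "full_md5_match": hashlib.md5(tbs_benign).digest()
                          == hashlib.md5(tbs_rogue).digest(),
        "rogue_verifies": ca_verify(tbs_rogue, signature),
    }


if __name__ == "__main__":
    for key, value in forge_rogue_signer().items():
        print(f"{key}: {value}")
```

The `full_md5_match` result stays false: the toy only collides on the truncated digest, which is the gap between this demonstration and what was needed against Microsoft's chain. The practical lesson is the same at either scale, and it is the check a practitioner should automate: reject any certificate whose chain contains an MD5 (or SHA-1) signature, and make sure intermediate CAs carry extended key usage constraints so that a certificate issued for one purpose, here licensing, cannot be turned into a code-signing certificate.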
Deployment
Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]
Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage.[17] It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes".[18]
Using a technique known as sinkholing, Kaspersky demonstrated that "a huge majority of targets" were within Iran, with the attackers particularly seeking AutoCAD drawings, PDFs and text files.[8] Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes.[8] A network of 80 servers across Asia, Europe and North America has been used to access the infected machines remotely.[19]
Origin
On June 19, 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, the CIA and Israel's military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts.[20]
According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it."[3] Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers.[21]
After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet: an early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module exploiting the same zero-day vulnerability.[22]
Iran's CERT described the malware's encryption as having "a special pattern which you only see coming from Israel".[23] The Daily Telegraph reported that, because of Flame's apparent targets, which included Iran, Syria and the West Bank, Israel became "many commentators' prime suspect". Other commentators named China and the U.S. as possible perpetrators.[21] Richard Silverstein, a commentator critical of Israeli policies, stated that he had confirmed with a "senior Israeli source" that the malware was created by Israeli computer experts.[21][24] The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible,[21] but an Israeli spokesperson later denied that this had been implied.[25]
Unnamed Israeli security officials suggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other Western nations.[26] The U.S. has officially denied responsibility.[27]
Notes
- ^ "Flame" is one of the strings found in the code, a common name for attacks, most likely by exploits[1]
- ^ The name "sKyWIper" is derived from the letters "KWI" which are used as a partial filename by the malware[1]
- ^ MS10-061 and MS10-046
References
- ^ a b c d e f g h i j k "sKyWIper: A Complex Malware for Targeted Attacks". Budapest University of Technology and Economics. 28 May 2012. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ "Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East". Symantec. Archived from the original on 30 May 2012. Retrieved 30 May 2012.
- ^ a b c d Lee, Dave (28 May 2012). "Flame: Massive Cyber-Attack Discovered, Researchers Say". BBC News. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ McElroy, Damien; Williams, Christopher (28 May 2012). "Flame: World's Most Complex Computer Virus Exposed". The Daily Telegraph. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ a b c "Identification of a New Targeted Cyber-Attack". Iran Computer Emergency Response Team. 28 May 2012. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ a b c d e f g h i j k l Gostev, Alexander (28 May 2012). "The Flame: Questions and Answers". Securelist. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ a b c d e f g h i j k Zetter, Kim (28 May 2012). "Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers". Wired. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ a b c Lee, Dave (4 June 2012). "Flame: Attackers 'sought confidential Iran data'". BBC News. Retrieved 4 June 2012.
- ^ Murphy, Samantha (5 June 2012). "Meet Flame, the Nastiest Computer Malware Yet". Mashable.com. Retrieved 8 June 2012.
- ^ a b "Flame malware makers send 'suicide' code". BBC News. 8 June 2012. Retrieved 8 June 2012.
- ^ Hopkins, Nick (28 May 2012). "Computer Worm That Hit Iran Oil Terminals 'Is Most Complex Yet'". The Guardian. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ Erdbrink, Thomas (23 April 2012). "Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet". The New York Times. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ a b Kindlund, Darien (30 May 2012). "Flamer/sKyWIper Malware: Analysis". FireEye. Archived from the original on 31 May 2012. Retrieved 31 May 2012.
- ^ a b "Microsoft releases Security Advisory 2718704". Microsoft. 3 June 2012. Retrieved 4 June 2012.
- ^ Sotirov, Alexander; Stevens, Marc; Appelbaum, Jacob; Lenstra, Arjen; Molnar, David; Osvik, Dag Arne; de Weger, Benne (30 December 2008). "MD5 Considered Harmful Today". Retrieved 4 June 2011.
- ^ Stevens, Marc (7 June 2012). "CWI Cryptanalist Discovers New Cryptographic Attack Variant in Flame Spy Malware". Centrum Wiskunde & Informatica. Retrieved 9 June 2012.
- ^ Cohen, Reuven (28 May 2012). "New Massive Cyber-Attack an 'Industrial Vacuum Cleaner for Sensitive Information'". Forbes. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ Albanesius, Chloe (28 May 2012). "Massive 'Flame' Malware Stealing Data Across Middle East". PC Magazine. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ "Flame virus: Five facts to know". The Times of India. Reuters. 29 May 2012. Archived from the original on 30 May 2012. Retrieved 30 May 2012.
- ^ Nakashima, Ellen (June 19, 2012). "U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say". The Washington Post. Retrieved June 20, 2012.
- ^ a b c d "Flame Virus: Who is Behind the World's Most Complicated Espionage Software?". The Daily Telegraph. 29 May 2012. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ "Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected". Kaspersky Lab. 11 June 2012.
- ^ Erdbrink, Thomas (29 May 2012). "Iran Confirms Attack by Virus That Collects Information". The New York Times. Archived from the original on 30 May 2012. Retrieved 30 May 2012.
- ^ Silverstein, Richard (28 May 2012). "Flame: Israel’s New Contribution to Middle East Cyberwar". Tikun Olam. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ Tsukayama, Hayley (31 May 2012). "Flame cyberweapon written using gamer code, report says". The Washington Post. Retrieved 31 May 2012.
- ^ "Iran: ‘Flame’ Virus Fight Began with Oil Attack". Time. Associated Press. May 31, 2012. Retrieved 31 May 2012.
- ^ "Flame: Israel rejects link to malware cyber-attack". 31 May 2012. Retrieved 3 June 2012.