Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80, October 2013
Chapter 11: Data Stealing Trojans
Flame is a sophisticated attack toolkit, a lot more complex than Duqu. It is a backdoor and a Trojan with worm-like features: it can replicate across a local network and onto removable media when so commanded by its master computer. Flame appears to have been written purely for espionage.
It originated somewhere between 2006 and 2009.
It does not appear to target a particular industry; rather, it is "a complete attack toolkit designed for general cyber-espionage purposes" (The Flame Virus: Your FAQs Answered, PCWorld):
Flame is meant to gather information from infected PCs. As Kaspersky's Vitaly Kamlyuk told RT, the virus can sniff out information from input boxes, including passwords hidden by asterisks, record audio from a connected microphone and take screenshots of applications that the virus deems important, such as IM programs. It can also collect information about nearby discoverable Bluetooth devices. The virus then uploads all this information to command and control servers, of which there are about a dozen scattered around the world.
The virus is reminiscent of the Stuxnet worm that wreaked havoc on Iran in 2010, but Kaspersky says Flame is much more complex, with its modules occupying more than 20 MB of code. "Consider this: it took us several months to analyze the 500K code of Stuxnet. It will probably take a year to fully understand the 20MB of code of Flame," the firm said.
Kaspersky first spotted the virus in 2010, though it may have been in the wild for a considerable time -- at least six months and most probably over a year ('Flame' Virus Explained: How It Works and Who's Behind It, RT):
RT: So, how did you spot the malware, was it a planned investigation, or did it come by surprise?
Vitaly Kamlyuk: It was by surprise. We were initially searching for a [different form of] malware. We were aware of the malware that had spread throughout the Middle East, attacked hundreds of computers and wiped their hard drives, making the systems unbootable after that. It was actually after an inquiry from the International Telecommunications Union, which is a part of the United Nations, who actually asked us to start conducting research. When we started looking for this mysterious malware in the Middle East, we discovered this suspicious application that turned out to be even more interesting than the initial target of our search.
The total size is around 20 megabytes, which, if coded in C, is the size of a pretty sophisticated compiler (actually Turbo Pascal was a 64K compiler for PCs, but that was long ago). Moreover, this Trojan is built as an attack framework consisting of several parts, which probably can be deployed separately and independently depending on the target.
RT: What makes this malware different from all other Spyware programs and what damage can it do?
VK: It's pretty advanced – one of the most sophisticated [examples of] malware we've ever seen. Even its size – it's over 20 megabytes if you sum up all the sizes of the modules that are part of the attacking toolkit. It's very big compared to Stuxnet, which was just hundreds of kilobytes of code: it's over 20 megabytes. And the Stuxnet analysis took us several months, so you can imagine that a full analysis of this threat may take us up to a year. So we think it is one of the most sophisticated malware [programs] out there.
It’s also quite unique in the way it steals information. It’s possible to steal different types of information with the help of this spyware tool. It can record audio if a microphone is attached to the infected system, it can do screen captures and transmit visual data. It can steal information from the input boxes when they are hidden behind asterisks, password fields; it can get information from there.
Also it can scan for locally visible Bluetooth devices if there is a Bluetooth adapter attached to the local system.
While technical details are sketchy, it is clear that Flame was a "game changer" -- the first Trojan that really demonstrated that a PC is a powerful snooping device, and that a person using a PC is in the same situation as a person in a room with a hidden video camera and a couple of hidden microphones that record everything he does and says. It is difficult not to start viewing one's own PC as anything other than a snooping device that is constantly on. You start feeling like the main hero of The Conversation (1974), the famous film by Frank Coppola. This is how I feel about PCs :-).
In other words, revealing that Flame exists in the wild was a groundbreaking event that raised the world to a new level of awareness about the danger of computers, even in specially secured environments. It also gives a new spin to the industrial espionage tools arms race.
I think that teams in three-letter agencies in all industrial powers are now frantically studying the disassembled code, trying to reverse engineer the architecture of the framework. And they are doing this not only for defensive purposes.
This is not an easy task, but they have the money and people to do it. I remember from my "DOS viruses disassembly days" that even 2K malware can present serious challenges for those who try to reverse engineer it. So one side effect of those efforts will be new tools that help in reverse engineering large software packages. There is a need for such tools for a different reason as well: all commercial software now needs to be "castrated" and its internal update mechanism disabled. I wonder how many organizations prohibited Google Bar and similar add-ons after the incident (that's actually a litmus test of the quality of the security team ;-). If not, we can talk about the incompetence of the security brass in that particular organization.
The initial point of entry of Flame is unknown. Most probably it was deployed through targeted attacks, as the amount of information it collects is huge and indiscriminate infection would overload the hidden channels by which this information reaches Flame's creators. For a similar reason the total number of infections in a particular time frame should be tightly controlled. But this is just speculation; nobody actually knows the original vector of Flame propagation. According to Wikipedia:
According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. At that time 65% of the infections happened in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, with a "huge majority of targets" within Iran.
Flame has also been reported in Europe and North America. Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the "kill" command was sent.
Something is wrong with the following description:
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
That would work perfectly well for regular computers, but in large industrial organizations and government everything is proxied and firewalled. If the network is closed, you need to know which protocols are allowed "out". Typically HTTP is allowed, but all transactions are logged. Or maybe it involved a "human data collector" who reached these machines via Bluetooth. If so, this is another dangerous element of this espionage toolkit. At the same time, devices with Bluetooth and the persons to whom such devices belong are of natural interest to investigators. Bluetooth has a very short range (for a typical low-powered device the range is limited to 10 m or 30 ft), so you need an insider to collect information via Bluetooth from infected computers. One huge advantage for the attacker here is that this collection will never be recorded at the firewall or proxy level.
Some problems also exist with the "kill" command in closed and highly secure networks. It can be executed only if there is an additional, indirect channel via which the infected computer can be reached. If the computer is not connected to the network at the time the command is issued, it will miss the kill command. But this "kill" command can also be sent via Bluetooth. And, of course, the Trojan can periodically access its command and control center and check whether it has reached its "end of life", or the end of life can be preprogrammed in the code, as the code should be tuned to the particular victim environment.
On the other hand, in a "semi-secured" network which has access to the Internet via a proxy (and in which Flame can be tremendously effective in stealing information), the existence of a master computer creates an opportunity to intercept commands, based on the decoded part of the worm, and thus understand and record the scope of the infection and the actions of the attacking team at the moment of detection (if the situation at the moment of discovery is not too chaotic). Organizations should now probably have a pre-planned response plan for Flame infections. Here it is important to understand that the volume of information that needs to be transmitted is considerable, especially if voice was recorded. So any flow out of the organization that is above a certain size, or small transactions that accumulate on a weekly basis into a considerable volume, should be analyzed as possible signs of hidden Flame-style infections.
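The weekly egress review described above, as an added example (not the author's code): it parses a constructed proxy log in an assumed simplified format and flags both a single large outbound transaction and small transactions to one destination that add up inside any seven-day window. The log format, host names and thresholds are assumptions to be tuned against a site's own baseline.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Review thresholds are assumptions for this example; tune them to a site baseline.
SINGLE_TX_BYTES = 5_000_000   # one outbound transaction of 5 MB or more
WEEKLY_BYTES = 20_000_000     # 20 MB to one destination inside any 7-day window
WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class Tx:
    """One outbound proxy transaction."""
    ts: datetime
    client: str
    dest: str
    sent: int


def parse_line(line: str) -> Tx | None:
    """Parse one line of the assumed format:
    '<ISO timestamp> <client_ip> <method> <destination_host> <status> <bytes_sent>'.
    Returns None for malformed lines so one bad record does not abort the review."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, _method, dest, _status, sent = parts
    try:
        return Tx(datetime.fromisoformat(ts), client, dest, int(sent))
    except ValueError:
        return None


def parse_log(text: str) -> list[Tx]:
    txs = (parse_line(line) for line in text.splitlines() if line.strip())
    return sorted((t for t in txs if t is not None), key=lambda t: t.ts)


def find_large_transactions(txs: list[Tx], limit: int = SINGLE_TX_BYTES) -> list[Tx]:
    """Single uploads big enough to carry a recording or a batch of documents."""
    return [t for t in txs if t.sent >= limit]


def find_slow_accumulators(txs: list[Tx], limit: int = WEEKLY_BYTES,
                           window: timedelta = WINDOW) -> dict[tuple[str, str], int]:
    """Sliding-window byte total per (client, destination). A pair is reported
    with its peak in-window volume when that volume reaches the limit, which
    catches many small transactions that individually look like normal browsing."""
    by_pair: dict[tuple[str, str], list[Tx]] = defaultdict(list)
    for t in txs:
        by_pair[(t.client, t.dest)].append(t)
    findings: dict[tuple[str, str], int] = {}
    for pair, items in by_pair.items():
        items.sort(key=lambda t: t.ts)
        start, total = 0, 0
        for end, t in enumerate(items):
            total += t.sent
            while items[end].ts - items[start].ts > window:
                total -= items[start].sent
                start += 1
            if total >= limit:
                findings[pair] = max(findings.get(pair, 0), total)
    return findings


def constructed_sample() -> str:
    """Constructed proxy log (not real data): one host drip-feeding 1.8 MB twice a
    day for a week, one host making a single 8 MB upload, one host just browsing."""
    base = datetime(2012, 6, 4)
    lines = []
    for day in range(7):
        for hour in (9, 17):
            ts = base + timedelta(days=day, hours=hour)
            lines.append(f"{ts.isoformat()} 10.0.5.21 POST cdn.example.net 200 1800000")
        ts = base + timedelta(days=day, hours=12)
        lines.append(f"{ts.isoformat()} 10.0.5.33 GET www.example.com 200 12000")
    ts = base + timedelta(days=3, hours=22)
    lines.append(f"{ts.isoformat()} 10.0.5.40 POST files.example.org 200 8000000")
    return "\n".join(lines)


def review(text: str) -> list[str]:
    """Human-readable findings for both patterns, ready for an analyst queue."""
    txs = parse_log(text)
    out = [f"LARGE  {t.client} -> {t.dest} {t.sent} bytes at {t.ts.isoformat()}"
           for t in find_large_transactions(txs)]
    for (client, dest), total in sorted(find_slow_accumulators(txs).items()):
        out.append(f"ACCUM  {client} -> {dest} {total} bytes in a 7-day window")
    return out


if __name__ == "__main__":
    for finding in review(constructed_sample()):
        print(finding)
```

The drip-feeding host never exceeds the single-transaction limit, so only the windowed total exposes it; the browsing host stays below both.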
In any case, Flame can be turned against its creators rather cheaply, and I would not recommend doing something like this against a major industrial power with a bunch of well-staffed three-letter agencies. If country A deployed it against country B, it is similar to declaring war between the corresponding three-letter agencies, and it is now country A that should be trembling in anticipation of imminent retaliation from the three-letter agencies of country B.
Using Microsoft Update as a Trojan delivery mechanism had actually been expected by specialists for a long time. But the way it was implemented in Flame makes it especially dangerous. It looks like a staged infection mechanism: some part of the virus should already be present on the target PC to change the settings that redirect updates to a "middleman" -- another infected computer which can deliver or update parts of the Trojan.
For PCs in secure networks, patches are never distributed directly from Microsoft but from local special "patch distribution" centers. And patches are tested on "clean room PCs" before distribution (this part was typically sloppy until Flame's existence was revealed; now this testing will involve recording all network traffic from newly patched PCs and generally will be much more rigorous). Still, the ability of any software update mechanism to serve as a hidden channel that pushes malware downstream is now a known threat and should somehow be dealt with, although this is a pretty difficult undertaking because each software company in the Windows world has created its own patching mechanism. This "wild west" approach to software patching needs to be stopped. Flame also casts a long shadow on Google with its "in the cloud" software. I think you can forget about using Google applications in any government organization outside of those which are by definition fully open to the public.
Now such patches will probably be compared with samples obtained in other countries, or more tightly controlled in other ways.
Flame completely changed the attitude to many software products, first of all to those which have their own installers.
The real danger with such "experiments in the sophistication of the art of virus creation" is that methods implemented once with great effort and at great expense can and will be reused by much less sophisticated and less financially capable players. Shit flows downhill. Or, in more politically correct terms, "the Jinn is out of the bottle". No modern country or international corporation is immune to the consequences of the release of Flame, the code of which is now studied by all three-letter agencies around the globe. Oil and chemical companies all over the world are probably trembling now. The bag of tricks used in Flame might be reused by completely different players.
If the USA was involved, then blowback against USA-originated software might be an unwelcome side effect of Flame's release. One interesting side effect is that it has once and forever undermined trust in automatic update programs, which up to this day were considered a prudent way to protect a PC from exploits. Also, in large organizations that have the relevant IQ, the structure of incoming traffic will now be analyzed more attentively, and additional proxies and firewalls will be installed.
Now it is clear that each application with its own independent update mechanism is a covert channel into the heart of your environment, a channel that you don't control. In cases where security is important and industrial control equipment is installed, such applications should be prohibited if there is no way to disable the update mechanism. This, of course, spells trouble for the future of Google Bar for IE, Adobe products and Firefox, as well as many other products, in corporate environments. They were dangerous before (Google software is actually pretty intrusive); they are unacceptable now.
The question arises: what methods of defense can be used against Flame? Some superficial considerations:
For at least two years, Flame has been copying documents and recording audio, keystrokes, network traffic, and Skype calls, and taking screenshots from infected computers. That information was passed along to one of several command-and-control servers operated by its creators. In all that time, no security software raised the alarm.
Flame is just the latest in a series of incidents that suggest that conventional antivirus software is an outmoded way of protecting computers against malware. "Flame was a failure for the antivirus industry," Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week. "We really should have been able to do better. But we didn't. We were out of our league, in our own game."
The programs that are the lynchpin of computer security for businesses, governments, and consumers alike operate like the antivirus software on consumer PCs. Threats are detected by comparing the code of software programs and their activity against a database of "signatures" for known malware. Security companies such as F-Secure and McAfee constantly research reports of new malware and update their lists of signatures accordingly. The result is supposed to be an impenetrable wall that keeps the bad guys out.
However, in recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based software. Many technically sophisticated U.S. companies - including Google and the computer security firm RSA - have been targeted in similar ways, albeit with less expensive malware, for their corporate secrets. Smaller companies are also routinely compromised, experts say.
Some experts and companies now say it's time to demote antivirus-style protection. "It's still an integral part [of malware defense], but it's not going to be the only thing," says Nicolas Christin, a researcher at Carnegie Mellon University. "We need to move away from trying to build Maginot lines that look bulletproof but are actually easy to get around."
Both Christin and several leading security startups are working on new defense strategies to make attacks more difficult, and even enable those who are targeted to fight back.
"The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable," says Dmitri Alperovitch, chief technology officer and cofounder of CrowdStrike, a startup in California founded by veterans of the antivirus industry that has received $26 million in investment funding. "We need to focus on the shooter, not the gun - the tactics, the human parts of the operation, are the least scalable."
CrowdStrike isn't ready to go public with details of its technology, but Alperovitch says the company plans to offer a kind of intelligent warning system that can spot even completely novel attacks and trace their origins.
This type of approach is possible, says Alperovitch, because, although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on "big data," possibly meaning it will analyze large amounts of data related to many traces of activity on a customer's system to figure out which could be from an infiltrator.
Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and business models of cyber attackers, says that makes sense. "The human costs of these sophisticated attacks are the one of the largest," he says. Foiling an attack is no longer a matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of people. "You need experts in their field that can also collaborate with others, and they are rare," says Christin. Defense software that can close off the most common tactics makes it even harder for attackers, he says.
Other companies have begun talking in similar terms. "It goes back to that '80s law enforcement slogan: 'Crime doesn't pay,' " says Sumit Agarwal, a cofounder of Shape Security, another startup in California that recently came out of stealth mode. The company has $6 million in funding from ex-Google CEO Eric Schmidt, among others. Agarwal's company is also keeping quiet about its technology, but it aims to raise the cost of a cyber assault relative to the economic payoff, thus making it not worth the trouble to carry out.
A company with a similar approach is Mykonos Software, which developed technology that helps protect websites by wasting hackers' time to skew the economics of an attack. Mykonos was bought by networking company Juniper earlier this year.
Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It came from the well-resourced world of international espionage. But such cyberweapons cause collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected an estimated 100,000 computers), and features of their designs are being adopted by criminals and less-resourced groups.
"Never have so many billions of dollars of defense technology flowed into the public domain," says Agarwal of Shape Security. While the U.S. military goes to extreme lengths to prevent aircraft or submarines from falling into the hands of others, military malware such as Flame or Stuxnet is out there for anyone to inspect, he says.
Agarwal and Alperovitch of CrowdStrike both say the result is a new class of malware being used against U.S. companies of all sizes. Alperovitch claims to know of relatively small law firms being attacked by larger competitors, and green technology companies with less than 100 employees having secrets targeted.
Alperovitch says his company will enable victims to fight back, within the bounds of the law, by also identifying the source of attacks. "Hacking back would be illegal, but there are measures you can take against people benefiting from your data that raise the business costs of the attackers," he says. Those include asking the government to raise a case with the World Trade Organization, or going public with what happened to shame perpetrators of industrial espionage, he says.
Research by Christin and other academics has shown that chokepoints do exist that could allow relatively simple legal action to neutralize cybercrime operations. Christin and colleagues looked into scams that manipulate search results to promote illicit pharmacies and concluded that most could be stopped by clamping down on just a handful of services that redirect visitors from one Web page to another. And researchers at the University of California, San Diego, showed last year that income from most of the world's spam passes through just three banks. "The most effective intervention against spam would be to shut down those banks, or introduce new regulation," says Christin. "These complex systems often have concentrated points on which you can focus and make it very expensive to carry out these attacks."
But Agarwal warns that even retribution within the law can be ill-judged: "Imagine you're a large company and accidentally swim into the path of the Russian mafia. You can stir up a larger problem than you intended."
High-ranking Iranian officials' computers have been attacked by a newly detected data mining virus called "Flame," an Iranian cyber defense group confirmed on Tuesday. The cyber attack is the most destructive since the Stuxnet virus.
Iran has deplored the "massive" data loss suffered since over the six months or more that Flame has been active. But the exact extent of damage has not been disclosed.
The newly spotted data mining virus may be the most harmful Iran has ever faced, even more dangerous than Stuxnet, warns Iran's Computer Emergency Response Team Coordination Centre. Two years ago, Stuxnet destroyed several centrifuges used for Iran's nuclear enrichment program.
"Flame" also appears to have been planted by a USB stick, which means a flash drive or a similar device had to have been inserted manually into at least one computer hooked up to the network.
"Those controlling the virus can direct it from a distance. 'Flame' is no ordinary product. This was designed to monitor selected computers," Kamran Napelian, an Iranian official, told The New York Times.
Still, Tehran says that the detection and clean-up tools were already finished in early May and can now be distributed among organizations at risk of infection.
June 18, 2012 | Computerworld
Security researchers have published detailed information about how Flame malware spreads through a network by exploiting Microsoft's Windows Update mechanism.
Their findings answer a key question: How could Flame infect fully patched Windows 7 machines?
They learned that hackers had located and exploited a flaw in Microsoft's Terminal Services licensing certificate authority that allowed them to generate code-validating certificates "signed" by Microsoft.
Armed with fake certificates, attackers could fool a Windows 7 PC into accepting a malicious file as a Microsoft update.
But Flame doesn't really compromise Windows Update. And it doesn't infiltrate the service to feed malicious files to unsuspecting users. Instead, a rogue configuration file modifies a machine's settings to route all traffic through the Flame-infected system, creating a complex mechanism for spreading the malware.
"This is one of the most interesting and complex malicious programs we have ever seen," wrote Alexander Gostev, leader of the research and analysis team at Moscow-based Kaspersky Lab, in a blog entry.
Microsoft has taken steps to stop the spoofing of Windows Update.
May 31, 2011 | Tikun olam
I don't know about you, but the following two articles scare the bejesus out of me. The Washington Post reports the Pentagon has integrated U.S. cyber warfare assets into its conventional military inventory. So just as we might send jets to bomb Iraq or any other enemy target, we now can employ cyber worms like Stuxnet, which the U.S. is reputed to have played a major role in creating, in similarly lethal fashion:
The Pentagon has developed a list of cyber-weapons and tools, including viruses that can sabotage an adversary's critical networks, to streamline how the United States engages in computer warfare.
The classified list of capabilities has been in use for several months and has been approved by other agencies, including the CIA, said military officials who spoke on the condition of anonymity to describe a sensitive program. The list forms part of the Pentagon's set of approved weapons or "fires" that can be employed against an enemy.
"So whether it's a tank, an M-16 or a computer virus, it's going to follow the same rules so that we can understand how to employ it, when you can use it, when you can't, what you can and can't use," a senior military official said.
The integration of cyber-technologies into a formal structure of approved capabilities is perhaps the most significant operational development in military cyber-doctrine in years, the senior military official said.
And lest you worry your silly little head about how and when we will cause failures of massive Chinese dams or Iranian nuclear plants, potentially killing tens or hundreds of thousands, you needn't. Our president has it all under control:
The framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later…
Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.
So the Stuxnet worm, which the NY Times portrayed as likely having been developed in close collaboration with Israel, would need approval of the president before it was deployed. That's supposed to comfort us when the president might be someone like George Bush? And given Obama's enthusiasm for targeted assassinations why should we not assume he knew, and approved of Stuxnet wreaking havoc within Iran's nuclear facilities? Yes, Stuxnet appears not to have killed anyone. But where is the line between cyber weapons that kill and those that don't? And how can you guarantee that you don't cross that line (if indeed you don't want to…which raises another question)? How do you guarantee that Stuxnet only disabled a nuclear plant and doesn't cause a Fukushima-style core meltdown with concomitant civilian exposure to massive levels of radioactivity?
It is only slightly encouraging that this new strategic doctrine emphasizes the use of cyber-methods largely for defensive purposes. But who's to define what is defensive and what is offensive? Is disabling Iran's Natanz and Bushehr plants defensive? Clearly, the U.S. thinks so or it wouldn't have participated in the project. But what if the worm had killed Iranians? What then? Do we argue that slightly delaying the date by which Iran gets a nuclear weapon (if they are trying to make one) is a defensive act that justifies killing or injuring Iranians, if any are harmed?
The NY Times takes a markedly different approach to the same story. It reports the Pentagon is readying a new military doctrine which will declare any cyber attack against the U.S. which endangers the lives of civilians to be an act of war:
The Pentagon, trying to create a formal strategy to deter cyberattacks on the United States, plans to issue a new strategy soon declaring that a computer attack from a foreign nation can be considered an act of war that may result in a military response.
Several administration officials…have suggested publicly that any American president could consider a variety of responses - economic sanctions, retaliatory cyberattacks or a military strike - if critical American computer systems were ever attacked…
The new military strategy…makes explicit that a cyberattack could be considered equivalent to a more traditional act of war. The Pentagon is declaring that any computer attack that threatens widespread civilian casualties - for example, by cutting off power supplies or bringing down hospitals and emergency-responder networks - could be treated as an act of aggression.
Which raises an interesting question. Clearly, the Stuxnet attack, if perpetrated here, would be considered an act of aggression to which the U.S. might respond militarily. If that's so, then would Iran be justified attacking Israel for its involvement? And just how do you prove that a specific country mounted such an attack against you? What level of certainty do you need?
Of course, we would not countenance an Iranian attack against Israel for giving it the "gift" of Stuxnet, which is why Iran has not retaliated (yet). So this means that there are two sets of rules operating concerning cyber-warfare: one set is for the big guys like us and another is for the littler, less powerful fellas like Iran. Hit us and we'll knock you to Kingdom Come (if we can). Hit Iran, well not so much. How do you spell h-y-p-o-c-r-i-s-y?
The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran's ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.
The massive piece of malware secretly mapped and monitored Iran's computer networks, sending back a steady stream of intelligence to prepare for a cyberwarfare campaign, according to the officials.
The effort, involving the National Security Agency, the CIA and Israel's military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran's nuclear-enrichment equipment.
The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States.
"This is about preparing the battlefield for another type of covert action," said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. "Cyber-collection against the Iranian program is way further down the road than this."
Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials who spoke on the condition of anonymity.
There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed. Commercial security researchers reported last week that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity.
Spokesmen for the CIA, the NSA and the Office of the Director of National Intelligence, as well as the Israeli Embassy in Washington, declined to comment.
The virus is among the most sophisticated and subversive pieces of malware to be exposed to date. Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take screen shots, extract geolocation data from images, and send and receive commands and data through Bluetooth wireless technology.
Flame was designed to do all this while masquerading as a routine Microsoft software update; it evaded detection for several years by using a sophisticated program to crack an encryption algorithm.
"This is not something that most security researchers have the skills or resources to do," said Tom Parker, chief technology officer for FusionX, a security firm that specializes in simulating state-sponsored cyberattacks. He said he does not know who was behind the virus. "You'd expect that of only the most advanced cryptomathematicians, such as those working at NSA."
Flame was developed at least five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber-operations and experts who have scrutinized its code. The U.S.-Israeli collaboration was intended to slow Iran's nuclear program, reduce the pressure for a conventional military attack and extend the timetable for diplomacy and sanctions.
The cyberattacks augmented conventional sabotage efforts by both countries, including inserting flawed centrifuge parts and other components into Iran's nuclear supply chain.
The best-known cyberweapon let loose on Iran was Stuxnet, a name coined by researchers in the antivirus industry who discovered it two years ago. It infected a specific type of industrial controller at Iran's uranium-enrichment plant in Natanz, causing almost 1,000 centrifuges to spin out of control. The damage occurred gradually, over months, and Iranian officials initially thought it was the result of incompetence.
The scale of the espionage and sabotage effort "is proportionate to the problem that's trying to be resolved," the former intelligence official said, referring to the Iranian nuclear program. Although Stuxnet and Flame infections can be countered, "it doesn't mean that other tools aren't in play or performing effectively," he said.
To develop these tools, the United States relies on two of its elite spy agencies. The NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, has extensive expertise in developing malicious code that can be aimed at U.S. adversaries, including Iran. The CIA lacks the NSA's sophistication in building malware but is deeply involved in the cyber-campaign.
The CIA's Information Operations Center is second only to the agency's Counterterrorism Center in size. The IOC, as it is known, performs an array of espionage functions, including extracting data from laptops seized in counterterrorism raids. But the center specializes in computer penetrations that require closer contact with the target, such as using spies or unwitting contractors to spread a contagion via a thumb drive.
Both agencies analyze the intelligence obtained through malware such as Flame and have continued to develop new weapons even as recent attacks have been exposed.
Flame's discovery shows the importance of mapping networks and collecting intelligence on targets as the prelude to an attack, especially in closed computer networks. Officials say gaining and keeping access to a network is 99 percent of the challenge.
"It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage," said Michael V. Hayden, a former NSA director and CIA director who left office in 2009. He declined to discuss any operations he was involved with during his time in government.
Years in the making
The effort to delay Iran's nuclear program using cyber-techniques began in the mid-2000s, during President George W. Bush's second term. At that point it consisted mainly of gathering intelligence to identify potential targets and create tools to disrupt them. In 2008, the program went operational and shifted from military to CIA control, former officials said.
Despite their collaboration on developing the malicious code, the United States and Israel have not always coordinated their attacks. Israel's April assaults on Iran's Oil Ministry and oil-export facilities caused only minor disruptions. The episode led Iran to investigate and ultimately discover Flame.
"The virus penetrated some fields - one of them was the oil sector," Gholam Reza Jalali, an Iranian military cyber official, told Iranian state radio in May. "Fortunately, we detected and controlled this single incident."
Some U.S. intelligence officials were dismayed that Israel's unilateral incursion led to the discovery of the virus, prompting countermeasures.
The disruptions led Iran to ask a Russian security firm and a Hungarian cyber-lab for help, according to U.S. and international officials familiar with the incident.
Last week, researchers with Kaspersky Lab, the Russian security firm, reported their conclusion that Flame - a name they came up with - was created by the same group or groups that built Stuxnet. Kaspersky declined to comment on whether it was approached by Iran.
"We are now 100 percent sure that the Stuxnet and Flame groups worked together," said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.
The firm also determined that the Flame malware predates Stuxnet. "It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going," Schouwenberg said.
Staff writer Joby Warrick contributed to this report.
28 May 2012
Middle Eastern states were targeted and Iran ordered an emergency review of official computer installations after the discovery of a new virus, known as Flame. Experts said the massive malicious software was 20 times more powerful than other known cyber warfare programmes including the Stuxnet virus and could only have been created by a state.
It is the third cyber attack weapon targeting systems in the Middle East to be exposed in recent years. Iran has alleged that the West and Israel are orchestrating a secret war of sabotage using cyber warfare and targeted assassinations of its scientists as part of the dispute over its nuclear programme.
Stuxnet attacked Iran's nuclear programme in 2010, while a related programme, Duqu, named after the Star Wars villain, stole data.
Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats.
The virus was discovered by a Russian security firm that specialises in targeting malicious computer code.
It made the 20 megabyte virus available to other researchers yesterday claiming it did not fully understand its scope and said its code was 100 times the size of the most malicious software.
Kaspersky Labs said the programme appeared to have been released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
"If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about," Roel Schouwenberg, a Kaspersky senior security researcher, said.
Professor Alan Woodward from the department of computing at the University of Surrey said the virus was extremely invasive. It could "vacuum up" information by copying keyboard strokes and the voices of people nearby.
"This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time," he said.
The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. Iran's uranium output suffered a severe blow as a result of the Stuxnet activities.
Mr Schouwenberg said there was evidence to suggest the code was commissioned by the same nation or nations that were behind Stuxnet and Duqu.
Iran's Computer Emergency Response Team said it was "a close relation" of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus believed to be the work of state intelligence.
It said organisations had been given software to detect and remove the newly-discovered virus at the beginning of May.
Crysys Lab, which analyses computer viruses at Budapest University, said the technical evidence for a link between Flame and Stuxnet or Duqu was inconclusive.
The newly-discovered virus does not spread itself automatically but only when hidden controllers allow it.
Unprecedented layers of software allow Flame to penetrate remote computer networks undetected.
The file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.
Components enable those behind it, who use a network of rapidly-shifting "command and control" servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes.
Eugene Kaspersky, the founder of Kaspersky Lab, noted that "it took us 6 months to analyse Stuxnet. [This] is 20 times more complicated".
Once a machine is infected additional modules can be added to the system allowing the machine to undertake specific tracking projects.
May 28 | Securelist
Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we've found what might be the most sophisticated cyber weapon yet unleashed. The 'Flame' cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East.
While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.
Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar 'super-weapons' currently deployed in the Middle East by unknown perpetrators.
Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.
For the full low-down on this advanced threat, read on…
What exactly is Flame? A worm? A backdoor? What does it do?
Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven't seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame's command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame's functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
How sophisticated is Flame? How is this different to or more sophisticated than any other backdoor Trojan? Does it do specific things that are new?
First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.
Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in Lua -- with effective attack subroutines and libraries compiled from C++.
The effective Lua code part is rather small compared to the overall code. Our estimation of development 'cost' in Lua is over 3000 lines of code, which for an average developer should take about a month to create and debug.
Also, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.
Running and debugging the malware is also not trivial as it's not a conventional executable application, but several DLL files that are loaded on system boot.
Overall, we can say Flame is one of the most complex threats ever discovered.
First of all, usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame.
The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame's completeness - the ability to steal data in so many different ways.
Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.
What are the notable info-stealing features of Flame?
Although we are still analyzing the different modules, Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library.
Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule. We are still analyzing this; more information will be available on our website soon.
The malware has the ability to regularly take screenshots; what's more, it takes screenshots when certain "interesting" applications are run, for instance, IM clients. Screenshots are stored in compressed format and are regularly sent to the C&C server - just like the audio recordings. We are still analyzing this component and will post more information when it becomes available.
When was Flame created?
The creators of Flame deliberately changed the creation dates of the files so that investigators could not establish the true time of creation. The files are dated 1992, 1994, 1995 and so on, but it's clear that these are false dates.
We consider that in the main the Flame project was created no earlier than 2010, but it is still undergoing active development to date. Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created or changed in 2011 and 2012.
According to our own data, we see use of Flame in August 2010. What's more, based on collateral data, we can be sure that Flame was out in the wild as early as February to March 2010. It's possible that earlier versions existed before then, but we don't have data to confirm this; however, the likelihood is extremely high.
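A forensic cross-check suggested by the answer above: the on-disk dates were back-dated, but a PE module also carries a compile timestamp in its COFF header, and a file cannot have been modified before it was linked, so filesystem dates earlier than that timestamp point to tampering. The Python below is an added example, not Kaspersky's code or Flame's; the PE image it inspects is a constructed minimal header, and every timestamp value is made up.

```python
"""Cross-check a PE file's on-disk timestamps against the compile timestamp
stored in its COFF header.

An mtime or creation time earlier than the COFF TimeDateStamp means at least
one of the two was altered. Either value can be forged on its own; it is the
disagreement between them that is the signal."""
import struct
from datetime import datetime, timezone


def unix(year: int, month: int, day: int) -> int:
    """UTC calendar date -> Unix timestamp in seconds."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def pe_compile_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix seconds) of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def timestamp_anomalies(image: bytes, fs_times: dict, now: int) -> list:
    """Compare filesystem timestamps (name -> Unix seconds) with the compile
    timestamp; return a list of findings, empty when everything is consistent."""
    compiled = pe_compile_timestamp(image)
    findings = []
    if compiled == 0:
        findings.append("compile timestamp is zero (stripped or forged)")
    elif compiled > now:
        findings.append("compile timestamp lies in the future")
    for name, ts in fs_times.items():
        if ts < compiled:
            findings.append(f"filesystem {name} predates compile timestamp")
    return findings


def build_sample_pe(compile_ts: int) -> bytes:
    """Constructed minimal MZ+PE header (not a runnable binary) carrying the
    given compile timestamp; used here only as offline sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> 0x40
    # COFF header: Machine=i386, 1 section, TimeDateStamp, no symbols,
    # no optional header, Characteristics = EXECUTABLE_IMAGE | DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 1, compile_ts, 0, 0, 0, 0x2002)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Made-up values: a module linked in mid-2010 whose on-disk dates were
    # pushed back to 1994, as the text describes for Flame's files.
    sample = build_sample_pe(unix(2010, 6, 15))
    back_dated = {"mtime": unix(1994, 1, 1), "creation time": unix(1994, 1, 1)}
    for finding in timestamp_anomalies(sample, back_dated, unix(2012, 5, 28)):
        print("ANOMALY:", finding)
```

On a real sample, read the image with `open(path, "rb").read()` and take the filesystem values from `os.stat`; the compile timestamp can of course be forged too, which is why both sources are compared rather than trusted alone.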
Why is it called Flame? What is the origin of its name?
The Flame malware is a large attack toolkit made up of multiple modules. One of the main modules was named Flame - it's the module responsible for attacking and infecting additional machines.
Is this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or hacktivists?
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from the rather simple hack tools and malware used by hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states in the Middle East) and also the complexity of the threat leave no doubt about it being a nation state that sponsored the research that went into it.
Who is responsible?
There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown.
Why are they doing it?
To systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and so on. Here's a map of the top 7 affected countries:
Is Flame targeted at specific organizations, with the goal of collecting specific information that could be used for future attacks? What type of data and information are the attackers looking for?
From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence - e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry - making us believe it's a complete attack toolkit designed for general cyber-espionage purposes.
Of course, like we have seen in the past, such highly flexible malware can be used to deploy specific attack modules, which can target SCADA devices, ICS, critical infrastructure and so on.
What industries or organizations is Flame targeting? Are they industrial control facilities/PLC/SCADA? Who are the targets and how many?
There doesn't seem to be any visible pattern regarding the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions. Of course, collecting information on the victims is difficult because of strict personal data collecting policies designed to protect the identity of our users.
Based on your analysis, is this just one variation of Flame and there are others?
Based on the intelligence received from the Kaspersky Security Network, we are seeing multiple versions of the malware being in the wild - with different sizes and content. Of course, assuming the malware has been in development for a couple of years, it is expected that many different versions will be seen in the wild.
Additionally, Flame consists of many different plug-ins – up to 20 – which have different specific roles. A specific infection with Flame might have a set of seven plugins, while another infection might have 15. It all depends on the kind of information that is sought from the victim, and how long the system was infected with Flame.
Is the main C&C server still active? Is there more than one primary C&C server? What happens when an infected machine contacts the C&C server?
Several C&C servers exist, scattered around the world. We have counted about a dozen different C&C domains, run on several different servers. There could also be other related domains, which could possibly bring the total to around 80 different domains being used by the malware to contact the C&C. Because of this, it is really difficult to track the usage and deployment of C&C servers.
Was this made by the Duqu/Stuxnet group? Does it share similar source code or have other things in common?
In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu.
For instance, when Duqu was discovered, it was evident to any competent researcher that it was created by the same people who created Stuxnet on the "Tilded" platform.
Flame appears to be a project that ran in parallel with Stuxnet/Duqu, not using the Tilded platform. There are however some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project - such as use of the "autorun.inf" infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet's authors.
On the other hand, we can't exclude that the current variants of Flame were developed after the discovery of Stuxnet. It's possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.
In summary, Flame and Stuxnet/Duqu were probably developed by two separate groups. We would position Flame as a project running parallel to Stuxnet and Duqu.
You say this was active since March 2010. That is close to the time when Stuxnet was discovered. Was this being used in tandem with Stuxnet? It is interesting they both exploit the printer-spooler vulnerability.
One of the best pieces of advice in any kind of operation is not to put all your eggs in one basket. Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects - but based on a completely different philosophy. This way, if one of the research projects is discovered, the other one can continue unhindered.
Hence, we believe Flame to be a parallel project, created as a fallback in case some other project is discovered.
In your analysis of Duqu you mentioned "cousins" of Duqu, or other forms of malware that could exist. Is this one of them?
Definitely not. The "cousins" of Duqu were based on the Tilded platform, also used for Stuxnet. Flame does not use the Tilded platform.
This sounds like an info-stealing tool, similar to Duqu. Do you see this as part of an intelligence-gathering operation to make a bigger cyber-sabotage weapon, similar to Stuxnet?
The intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were less than 50 targets worldwide for Duqu - all of them, super-high profile.
Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide. The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.
According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields – they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren't interesting, leaving the most important ones in place. After which they start a new series of infections.
What is Wiper and does it have any relation to Flame? How is it destructive and was it located in the same countries?
The Wiper malware, which was reported on by several media outlets, remains unknown. While Flame was discovered during the investigation of a number of Wiper attacks, there is no information currently that ties Flame to the Wiper attacks. Of course, given the complexity of Flame, a data wiping plugin could easily be deployed at any time; however, we haven't seen any evidence of this so far.
Additionally, systems which have been affected by the Wiper malware are completely unrecoverable - the extent of damage is so high that absolutely nothing remains that can be used to trace the attack.
There is information about Wiper incidents only in Iran. Flame was found by us in different countries of the region, not only Iran.
Functionality/Feature Questions about the Flame Malware
What are the ways it infects computers? USB Sticks? Was it exploiting vulnerabilities other than the print-spooler to bypass detection? Any 0-Days?
Flame appears to have two modules designed for infecting USB sticks, called "Autorun Infector" and "Euphoria". We haven't seen them in action yet, maybe due to the fact that Flame appears to be disabled in the configuration data. Nevertheless, the ability to infect USB sticks exists in the code, and it's using two methods:
- Autorun Infector: the "Autorun.inf" method from early Stuxnet, using the "shell32.dll" "trick". What's key here is that the specific method was used only in Stuxnet and was not found in any other malware since.
- Euphoria: spread on media using a "junction point" directory that contains malware modules and an LNK file that triggers the infection when this directory is opened. Our samples contained the names of the files but did not contain the LNK itself.
In addition to these, Flame has the ability to replicate through local networks. It does so using the following:
- The printer vulnerability MS10-061 exploited by Stuxnet - using a special MOF file, executed on the attacked system using WMI.
- Remote job tasks.
- When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
- Up to 20MB file (by comparison Stuxnet, which damaged Iranian uranium centrifuges, is around 500KB)
- Infects Windows XP, Windows Vista and Windows 7 systems
- Detected in Iran, Russia, Egypt, the West Bank, Lebanon, Syria, Sudan
- Taking screenshots
- Covert sound recording
- Intercepting keyboard strokes
- Monitoring network activity
- Detects 100 types of anti-virus software and conceals its presence
- Creates a database to store stolen information
- Communicates with command and control servers over encrypted channels
- Via USB sticks
- On local networks via printers
- As a self-spreading internet "worm" when directed by its controllers
May 29, 2012 | eSecurity Planet
Known by the names Flame, Flamer, and sKyWIper, the malware is significantly more complex than either Stuxnet or Duqu -- and it appears to be targeting the same part of the world, namely the Middle East.
Preliminary reports from various security researchers indicate that Flame likely is a cyberwarfare weapon designed by a nation-state to conduct highly targeted espionage. Using a modular architecture, the malware is capable of performing a wide variety of malicious functions -- including spying on users' keystrokes, documents, and spoken conversations.
Vikram Thakur, principal research manager at Symantec Security Response, told eSecurity Planet that his firm was tipped off to the existence of Flamer by Hungarian research group CrySys (Laboratory of Cryptography and System Security). As it turned out, Symantec already had the Flamer malware (known to Symantec as W32.Flamer) in their database as it had been detected using a generic anti-virus signature. "Our telemetry tracked it back at least two years," Thakur said. "We're still digging in to see if similar files existed even prior to 2010."
Dave Marcus, Director of Security Research for McAfee Labs, told eSecurity Planet that Flamer shows the characteristics of a targeted attack.
"With targeted attacks like Flamer, they are by nature not prevalent and not spreading out in the field," Marcus said. "It's not spreading like spam, it's very targeted, so we've only seen a handful of detections globally."
While the bulk of all infections are in the Middle East, Marcus noted that he has seen command-and-control activity in other areas of the world. Generally speaking, malware command and control servers are rarely located in the same geographical region where the malware outbreaks are occurring, Marcus noted.
The indications that Flamer may have escaped detection for several years are a cause for concern for many security experts.
"To me, the idea that this might have been around for some years is the most alarming aspect of the whole thing," Roger Thompson, chief emerging threats researcher at ICSA Labs, told eSecurity Planet. "The worst hack is the one you don't know about. In the fullness of time, it may turn out that this is just a honking great banking Trojan, but it's incredibly dangerous to have any malicious code running around in your system, because it's no longer your system -- it's theirs."
Complex and Scalable Code
Although it is still early days in the full analysis of Flamer, one thing is clear: the codebase is massive.
"Flamer is the largest piece of malware that we've ever analyzed," said Symantec's Thakur. "It could take weeks if not months to actually go through the whole thing."
McAfee's Marcus noted that most of the malware he encounters is in the 1 MB to 3 MB range, whereas Flamer is 30 MB or more.
"You're literally talking about an order of complexity that is far greater than anything we have run into in a while," Marcus said.
Flamer has an architecture that implies the original design intent was to ensure modular scalability, noted Thakur: "They used a lot of different types of encryption and coding techniques and they also have a local database built in."
With its local database, Flamer could potentially store information taken from devices not connected to the Internet.
"If the worm is able to make it onto a device that is not on the Internet, it can store all the data in the database which can then be transferred to a portable device and then moved off to a command and control server at some point in the future," Thakur said.
Portions of Flamer are written in the open-source Lua programming language, which Thakur notes is interesting in that Lua is very portable and could potentially run on a mobile phone. Flamer also uses SSH for secure communications with its command-and-control infrastructure.
Thakur noted that Symantec's research team is trying to trace Flamer back to its origin, but cautioned that it will be a long analytical process. Symantec researchers will dig through all of their databases in an attempt to find any piece of evidence that may be linked to any of the threats exposed by Flamer.
"It's a very difficult job and it's not an exact science," Thakur said.
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March, 12, 2019