Flame attack: details emerging slowly

Researchers put number of infections at around 1,000 Windows PCs

Flame is being described as a sophisticated cyber-espionage toolkit.

More details about the Flame malware are emerging as security analysts study the infection.

The latest numbers from Kaspersky Lab researchers suggest around 1,000 Windows PCs have been infected, the vast majority of which are in the Middle East. The security company reported 189 infections in Iran, 98 in Israel/Palestine and 32 in Sudan identified so far. Infections have been discovered in a wide range of sectors, including academia, private companies, and government.

Researchers have confirmed that Flame, Flamer and Skywiper are all the same thing, after some initial confusion as it was given three different names by different research groups.

The malware is best described as a cyber-espionage toolkit, and is written partly in the Lua scripting language with compiled C++ code linked in, with five different encryption methods and a SQLite database to store structured information. The malware is controlled by a network of command and control servers, and data was regularly sent from compromised PCs to C&C servers through a covert SSL channel.

While many initial reports hyped up the complexity of the malware, closer analysis of Flame suggests that the tools it uses are not that complex; rather, the way the whole package works together is the most sophisticated aspect of its design.

Justin Doo, security practice director for the MENA region at Symantec, told ITP.net the day after the malware emerged that Flame gives whoever is controlling the malware a range of different tools.

"It is particularly sophisticated in terms of the capabilities it has. Depending on who is controlling the malware depends on its behaviour. In one instance it may record voice, through the microphone, and in another instance it may be a Trojan so it looks like an application but it is doing something completely different," he said.

Flame is able to steal documents, take screenshots of users' desktops, spread via USB drives, disable security vendor products, turn on PC microphones, turn on Bluetooth and search for nearby Bluetooth devices and intercept network traffic. It has also been discovered that Flame can record Skype conversations.

The malware is also able to identify which anti-virus software, if any, is in use on its host machine, and modifies behaviour to avoid detection.

Doo said that this may have helped Flame to avoid detection, with analysts generally agreeing that the malware had been in the wild for around two years.

"It is an extremely pervasive infection. I think that because it has gone undetected for as long as it has, that has enabled the infection to achieve the widespread 'success' that it has," Doo said.

The use of command and control technology to customise the malware is relatively recent technology, he added, which suggests the malware is no more than two years old.

A major area of investigation for researchers is how Flame was able to spread, Doo said, as it was highly unlikely that the full 20MB file was installed on a target PC in one go, with a more likely scenario being an initial infection with a bot, that then slowly and surreptitiously downloaded additional code.

In terms of the source, no evidence has come to light as of yet as to who is responsible, and there is also no evidence to link Flame to Duqu or Stuxnet.

"The coding is different, it is using different languages," Doo said. "The timing and the target seem to be more than a little coincidental, but there is nothing to positively link the three, and as nobody has laid claim to the outbreak, it is very difficult to say. We are approaching it as a separate incident."

Whoever developed Flame must have been well-funded, Doo said, and as the malware doesn't appear to be tailored to creating embarrassment or notoriety, in the manner of 'hacktivist' attacks, or to be seeking any sort of financial theft, it points to espionage.

"It doesn't fit into either category, as there doesn't seem to be any financial return, and there is no notoriety attached, as no-one is laying claim. The costings behind putting together an attack like this are considerable, so it's either got to come from a specific covert organisation or a criminal organisation with an ulterior motive or a longer term plan. This was not put together by a bored university student sitting in a dorm room," he said.

As soon as Flame was identified, security software companies were able to block it and remove it from infected machines, Doo said, but he warned that as mobile devices become more pervasive and usage of the Internet continues to grow, there will be more security threats. ISPs and telcos should do more to protect their users, he said, and he also warned that pirated software made it much easier for systems to be compromised.

"We have copyright broken software being used, and when that happens you are not able to receive security updates. That leaves you vulnerable, as an individual, an enterprise or even a government body, and no amount of anti-virus technology is going to protect you from vulnerable operating systems or applications that haven't been patched. There need to be steps taken across the region to push piracy out," he said.