Flame seems to be the most sophisticated
malware in the world. How does it work, where might it have come from,
and what could it mean for the future of mainstream malware?
Last week, the online security world was set back on its heels when leading cybersecurity firms
revealed the existence of Flame,
new malware with a level of sophistication substantially beyond other
worms, trojans, and viruses. While most malware relies on a small set of
exploits and tries to target users’ personal information or set up an
infected machine as a spam-sending zombie, Flame is like an entire
malware suite. It’s composed of an unknown number of plug-in modules
that its operators can choose to deploy for everything from scanning a
user’s machine and monitoring their network activity to taking
screenshots, recording audio, logging keystrokes, and even reaching out
to nearby mobile devices using Bluetooth. Like Stuxnet and Duqu before
it, Flame seems to be a legitimate cyberweapon — and, once again, the
target seems to be Iran.
Security experts will be working a long
time to fully analyze Flame, but new details are emerging that reveal
just how sophisticated Flame is. Where could Flame have come from and —
perhaps more importantly — will the technologies and threats included in
Flame migrate to mainstream malware?
Sparking a Flame
The Flame malware is currently known by a few different names: “Flame”
seems to be the most common, but some researchers also refer to “Viper”
and “SkyWiper.” Iran’s computer security agency
calls it “Flamer.”
According to security firms like Kaspersky Labs, the
CrySyS Lab at Budapest University of Technology and Economics,
and McAfee, there are multiple versions of Flame circulating in the
wild. In a simple form, Flame appears as a 900K file, and can propagate
via local network shares, shared printer spools, and peripheral devices
like USB drives. Once the basic version finds a home in a Windows
system, it tries to reach out to a pool of as many as 80
command-and-control servers to download a set of additional modules that
extend its functionality. Other versions of Flame are bigger — as much
as 6MB — and already include several code modules.
Flame does not try to spread at every opportunity; rather, when Flame infects a new
machine, it reports back to its operators, who apparently then make a
decision about what Flame should do next. Right now it’s not clear how
Flame initially gets a foothold in an organization or network.
Speculation suggests it may use “spear-phishing” email messages that
trick people into following a link, then exploit browser or mail flaws
to install software. But infection could happen other ways, too.
Microsoft has released a
security advisory
about Flame using forged security certificates for Terminal Server,
along with a software update to block the exploit. It’s possible Flame
is using other, previously unknown exploits as well.

According to McAfee, Flame’s main module alone
decompiles to over 650,000 lines of C code, and
they expect that to get longer as they continue to decompile examples.
These lines represent computer-generated source code reverse-engineered
from the executable, not the source code used by Flame’s developers — but
it serves as a human-readable starting point for analysis.
As Flame collects data, it is diligent about trying to send it upstream to
the malware’s operators. This data can include information scanned from
local devices (like files, passwords, and contacts), as well as
screenshots, audio, and even information about nearby phones. To phone
home, Flame launches compromised versions of Internet Explorer: that
way, the connections take place in the machine’s “trusted” zone and are
more likely to get past local firewalls and network monitoring.
Databases and modules
A good deal of Flame’s capability stems from its use of local databases
and plug-in modules that can extend the malware’s capabilities. Modular
construction isn’t quite new — Stuxnet, Duqu, and the “TildeD” malware
family were also modular — but Flame combines that with highly
structured databases stored and accessed via the built-in SQLite
database engine. Another unique feature of Flame is that it uses the Lua
scripting language to manage access to the databases, and possibly for
other functions as well. Although Lua isn’t exactly uncommon (it’s used
to handle plug-ins and other functions for everything from Adobe
Lightroom to the audio workstation Reason to the protein-folding game
Foldit), it’s certainly a very unusual choice for malware.
Flame also goes to great lengths to obscure itself. Those databases and all
other data are encrypted or hashed using several different algorithms
(including Blowfish for encryption and the MD5 and MD4 hash functions),
and the software goes to some lengths to hide
“interesting” strings from security researchers and antivirus programs.
Instead of seeing a function call that’s the computer equivalent to
“snoop around this person’s contact list,” researchers initially see
what appear to be random characters. It makes Flame that much harder to
figure out.
Flame’s modular architecture means that its operators
can constantly alter and enhance its functionality — and download new
exploits to infected machines whenever they like. So far researchers
have identified nearly two dozen Flame modules. The modules haven’t all
been figured out, and researchers aren’t assuming they’ve seen the whole
range of modules yet. Among Flame’s most interesting modules so far:
- Beetlejuice: Taps into a computer’s Bluetooth module and tries to connect to devices near the infected machine. Flame currently seems to target Sony and Nokia devices, but (obviously) the operators can update that functionality at any time. Beetlejuice can also turn the infected machine into a discoverable device, so nearby Bluetooth items check in with it.
- Microbe: Records audio. The module tries to list all existing hardware audio sources and select a recording device. An audio recording feature seems like it would be about surveillance of an individual or a particular location, effectively turning any computer with a microphone into a bug planted in a particular area.
- Weasel: Reads local disks. Flame can parse through a variety of file formats, including ZIP archives, PDFs, and Microsoft Office documents. Flame also pokes through normally-hidden areas of the operating system looking for notes and other bits of information, and is particularly interested in what users keep on their desktops — since those, presumably, get used often.
- Viper: Seems to be one of a few modules that can take screenshots; they seem to be stored in custom compressed and encrypted file formats for later uploading to Flame’s operators.
- Suicide: A self-termination routine: when commanded by its operators, Flame can apparently delete itself.
Flame also appears to have one or more modules that look out for antivirus programs, firewalls, and other security software.
How Flame spreads
Flame uses a number of propagation mechanisms — some of which appear to be
taken directly from Stuxnet, Duqu and their ilk: It can create autorun
files that try to run the malware as soon as they appear on a computer,
and will also create a “junction point” directory with a desktop.ini and
LNK files that launch Flame as soon as Windows opens the directory.
Both techniques are used by Stuxnet, which initially used the autorun
trick, then changed to the LNK technique. Flame may also use other,
still-unknown exploits to install itself. Researchers are still looking
into it.
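The two staging layouts just described (an autorun.inf at the root of a removable volume, and a directory holding a desktop.ini next to LNK files) are easy to check for on a mounted drive. The following scanner is an added example, not code from the article or from any Flame analysis; it builds a constructed sample volume in a temporary directory with placeholder files, and the rule names and layout are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

def scan_volume(root):
    """Return (rule, path) findings for the volume mounted at `root`."""
    root = Path(root)
    findings = []
    # Rule 1: an autorun.inf at the volume root (the older Stuxnet-style trick).
    autorun = root / "autorun.inf"
    if autorun.is_file():
        findings.append(("autorun.inf at volume root", str(autorun)))
    # Rule 2: a directory holding desktop.ini together with LNK files,
    # the staging layout the article attributes to Flame's junction-point trick.
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if "desktop.ini" in names and any(n.endswith(".lnk") for n in names):
            findings.append(("desktop.ini + LNK files in one directory", dirpath))
    return findings

def build_sample_volume():
    """Create a constructed USB-style layout in a temp dir; placeholder files only."""
    vol = Path(tempfile.mkdtemp(prefix="usbscan_"))
    (vol / "autorun.inf").write_text("[autorun]\nopen=PLACEHOLDER.exe\n")
    staged = vol / "Documents"
    staged.mkdir()
    (staged / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (staged / "report.lnk").write_bytes(b"L\x00\x00\x00")  # stub bytes, not a real shortcut
    benign = vol / "Photos"  # desktop.ini on its own is normal and must not be flagged
    benign.mkdir()
    (benign / "desktop.ini").write_text("[.ShellClassInfo]\n")
    return vol

if __name__ == "__main__":
    for rule, path in scan_volume(build_sample_volume()):
        print(f"{rule}: {path}")
```

On a real review the findings are a triage list, not a verdict: both files are legitimate Windows artifacts, and the combination on removable media is what warrants a closer look at the LNK targets.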
One of Flame’s modules also handles propagation. Called
Munch, the module runs an internal Web server Flame uses to distribute
itself. It responds to seemingly innocuous requests for “view.php” and
“wpad.dat” — neither of which would raise an eyebrow of a network
administrator. (Munch may also scan local network traffic.) So, only one
copy of Flame in a particular network or domain needs to phone home to
get new instructions or modules. Other copies can pick up the new
material locally without accessing the Internet.
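Because Munch answers requests for wpad.dat and view.php from an infected workstation, the defender's signal is not the request itself but who answered it. This detector is an added example, not code from the article or from any Flame write-up: it reads a constructed proxy-style log (the line format, the hostnames, the addresses and the allow-listed WPAD server are all assumptions) and reports any server that successfully served one of those two paths without being the organisation's sanctioned WPAD host.

```python
import re
from collections import defaultdict

# Constructed proxy-style log: timestamp client server path status (not a real log format).
SAMPLE_LOG = """\
2012-05-30T09:01:12Z 10.1.4.22 wpad.corp.example /wpad.dat 200
2012-05-30T09:01:15Z 10.1.4.22 intranet.corp.example /index.html 200
2012-05-30T09:02:40Z 10.1.4.31 10.1.4.57 /wpad.dat 200
2012-05-30T09:02:41Z 10.1.4.31 10.1.4.57 /view.php 200
2012-05-30T09:03:05Z 10.1.4.80 10.1.4.57 /wpad.dat 200
2012-05-30T09:03:30Z 10.1.4.80 wpad.corp.example /wpad.dat 404
"""

WATCHED_PATHS = {"/wpad.dat", "/view.php"}      # the two requests the article names
ALLOWED_WPAD_SERVERS = {"wpad.corp.example"}    # assumption: the org's sanctioned WPAD host
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (client, server, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, server, path, status = m.groups()
    return client, server, path, int(status)

def find_unexpected_servers(lines):
    """Map each non-allow-listed server that answered a watched path
    to the clients it served and the paths it served them."""
    hits = defaultdict(lambda: {"clients": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, server, path, status = rec
        # Only successful answers matter: a 404 from the real WPAD host is noise,
        # while a 200 from an ordinary workstation matches the Munch pattern.
        if path in WATCHED_PATHS and status == 200 and server not in ALLOWED_WPAD_SERVERS:
            hits[server]["clients"].add(client)
            hits[server]["paths"].add(path)
    return dict(hits)

if __name__ == "__main__":
    for server, info in find_unexpected_servers(SAMPLE_LOG.splitlines()).items():
        print(server, sorted(info["paths"]), sorted(info["clients"]))
```

The client set is the useful output: every machine that fetched its proxy configuration from the unexpected server is a candidate for the locally distributed update the paragraph above describes.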
Unlike most malware, Flame does not try to spread itself to as many machines as possible. Instead, what’s notable about Flame is how much trouble it takes to avoid
detection. Flame avoids traditional (and quickly patched) exploits like
rootkits, takes great care to tuck its files away under innocuous names
in difficult-to-scan formats, and avoids using suspicious components
that would trigger security software. Unlike Stuxnet — which was
essentially discovered when it ran amok and spread too quickly — Flame
seems to be about targeting a relatively small number of machines and
surveilling them extensively.
The result is that no one really
knows how long Flame has been around. Some dates gleaned from Flame’s
files seem to point all the way back to 2007 — although those could be
fabrications — and a few components Flame refers to have been spotted in
the wild as far back as December 2007.
Who made Flame?
If one thing is clear, it’s that Flame is not run-of-the-mill malware that
could have been developed by a handful of coders in a basement fueled
by Red Bull and chatroom boasting. The design and operation of Flame is
undoubtedly a well-funded, sustained operation. Some security
researchers have speculated Flame represents a multi-million-dollar
effort that’s probably the result of at least a few years’ work. In the
security world, that almost certainly means it has been created by a
nation-state. Although many corporations have the money to pull off an
effort like this, they’re far less likely to do so, and even less likely
to be able to stay quiet about it.
Flame appears to have been
coded in English, but that means almost nothing: a lot of malware coming
out of China is also in English. Currently, speculation is focusing on
the United States or Israel as potential creators of Flame, particularly
since the appearance of Flame coincides with instances of massive data
loss in Iran’s oil industry. Speculation has been further fueled by the
New York Times
reporting the U.S. and Israel jointly developed Stuxnet to cripple Iran’s uranium enrichment efforts.
Implications for mainstream malware

To date, most malware targeting everyday computer users has relied on
achieving a large number of infections as quickly as possible — after
all, antivirus vendors catch on fast. Those infections usually try to
capture personal info — passwords, credit card numbers, etc. — that can
be exploited by (or sold to) cybercriminals. Alternatively, malware
might set up infected machines to act as zombies in spamming or malware
distribution operations. Sometimes, malware does both.
These operations are typically run by criminal enterprises, but they’re
opportunistic. The scammers realize their malware will be quickly wiped
off the vast majority of computers they infect, so they try to infect as
many as possible, hope for the best, then scamper away and move on to
the next thing. Criminal organizations that rely on fraud and identity
theft are unlikely to invest resources in developing something as
labor-intensive and sophisticated as Flame — particularly since it could
take so long to pay off.
However, other types of cybercriminals
are undoubtedly paying attention. The apparent success of Flame raises
the profile of highly-targeted malware. A low-profile, potentially
individualized approach — dubbed an Advanced Persistent Threat in
computing circles — turns the traditional malware economy on its head:
Instead of trying to generate a small amount of money from as many
people as possible, targeted malware would seek large payouts from a
handful. It also avoids detection. If malware spreads only when
operators tell it to spread, antivirus vendors are unlikely to catch
wind of it — or recognize it if they do.
Criminals who aren’t
averse to blackmail and extortion will note that Flame seems to have
been assembled in part from many off-the-shelf components — including a
highly portable scripting language, a public domain database, and widely
available encryption techniques. All that helps Flame seem innocuous
and just another common part of the ecosystem. Malware inspired by Flame
wouldn’t have to be so complicated — especially right out of the gate.
Further, as technology advances and tools become more sophisticated, the
amount of effort needed to create malware with Flame-like capabilities
gets lower all the time.
So will Flame or something like it be
testing your virtual locks in the near future? Probably not. But
businesses, enterprises, schools, and other organizations should already
be taking note: not only are they potential victims in the broad
malware universe, but it’s getting easier and easier for malware to come
after them
specifically. Malware is easy to ignore when it
only hits oil production in a country halfway around the world, but when
it successfully targets your bank, your employer, or your city’s
infrastructure, it may feel like a much bigger problem.