A piece of malware, described as the most sophisticated cyber weapon discovered to date, is attacking entities in several countries.
Dubbed Worm.Win32.Flame, the malware is unusual in its complexity, size and myriad ways it harvests information from infected machines, including via keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes.
Its primary function appears to be cyber espionage, and it is systematically collecting information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, and Israel.
The malware was discovered by Kaspersky Lab's experts during an investigation prompted by the International Telecommunication Union. According to the company, Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet. Although its features are different, the geography and careful targeting of attacks, along with its use of specific software vulnerabilities, seems to put it in the same category as the two previously mentioned cyber “super weapons”.
According to Aleks Gostev, chief security expert at Kaspersky Lab, Flame is currently deployed in the Middle East by unknown perpetrators. He says it is undoubtedly the most complex threat discovered to date. “It's big and incredibly sophisticated. It pretty much redefines the notion of cyber war and cyber espionage.”
How it works
Gostev describes Flame as a sophisticated attack toolkit, even more complex than Duqu. “It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”
He adds that Flame consists of multiple modules and is made up of several megabytes of executable code in total - making it around 20 times larger than Stuxnet.
Flame's initial point of entry is unknown, he notes. Kaspersky Lab suspects it is deployed through targeted attacks; however, the company hasn't seen the original vector of how it spreads. “Once a system is infected, the malware begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame's command-and-control servers.”
Following this, the controllers have the option of uploading additional modules that expand the malware's functionality. Gostev says there are approximately 20 modules, and the purpose of most of them is still being investigated.
He says Flame differs from other backdoor Trojans in several ways. Firstly, its usage of LUA, a scripting language, in malware is uncommon. Secondly, its large size is unusual, in that modern malware is usually small, and written in compact programming languages, making it easy to hide. “The recording of audio data from the internal microphone is also rather new. While there is other malware that can record audio, Flame is unusual in its ability to steal data in so many different ways.”
Gostev says its use of Bluetooth devices is also remarkable. “When Bluetooth is on and the corresponding option is turned on in the configuration block, it collects information about e-devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.”
Additionally, he says Flame seems to be able to record audio via the microphone, and stores the recorded audio in compressed format, via a public-source library. Information Kaspersky Lab has to date suggests this data is then sent to the command and control (C&C) server through a covert SSL channel, on a regular schedule.
Flame can also regularly take screenshots, and is sophisticated enough to take screenshots when certain “interesting” applications are run, for instance, IMs. Screenshots are stored in compressed format and also sent to the C&C server.
Creation
Gostev says Flame's creators deliberately changed the dates of creation of the files, to prevent investigators from establishing its time of creation. He says Kaspersky Lab believes it was created no earlier than 2010, and is still undergoing development.
According to the company's data, Flame has been in use since August 2010, and based on collateral data, Kaspersky is certain that the malware was in the wild as early as in February or March 2010.
As to its creators, Gostev says there are three major players in the cyber crime space: hacktivists, cyber criminals and nation states. Since Flame's purpose is not to steal money from bank accounts, and differs from the less sophisticated hack tools and malware used by the hacktivists, Kaspersky Lab has concluded that in all likelihood, it comes from the third group.
Moreover, its geography and complexity leave little doubt that it was a nation state that sponsored the enormous amount of research that must have gone into it. Kaspersky says more than that cannot be known, as there is no information in the code or otherwise that can tie it to any specific nation state.
Share