Yet another Iran-focused, highly advanced piece of espionage malware discovered
By Madison Ruppert
Editor of End the LieRussian anti-virus firm Kaspersky Lab has discovered an espionage toolkit, which they have dubbed “Flame,” targeting systems in the Middle East and North Africa for no less than two years, with the largest number of infections in Iran.
Other nations being targeted are Lebanon, Syria, Sudan, the Occupied Palestinian Territories as well as other counties in the region.
While the code behind this malware is completely different from other large-scale, state-run operations like that behind the now infamous Stuxnet and Duqu, it also seems quite likely to be the product of a nation-state.
Researchers as Kaspersky believe that this software dates back to around 2007, the same time when Stuxnet and Duqu were developed.
However, Flame is significantly more complex than Stuxnet and also has a completely different purpose and composition than the previously discovered malicious software.
Indeed it is so complex that researchers believe it could take a shocking 10 years to fully understand the software.
It reportedly appears to be written by different programmers, but any nation engaged in a cyberwarfare effort of this scale would almost certainly have more than just a couple coders at their disposal.
The sheer complexity of the code, in addition to the massive geographic spread of the infections along with the highly advanced behavior and flexibility of the software makes Flame almost certainly the product of a nation-state, not your run of the mill criminal outfit.
Interestingly, the researchers state that Flame very well may be part of a parallel project created by the same contractors who were hired by the country (or countries) behind Stuxnet and Duqu.
If the experts are correct, this would mean that it is likely the case that Israel and the United States are behind Flame, since researchers have shown strong evidence indicating that the U.S. and Israel were behind the previous infections.
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” explained Kaspersky CEO and co-founder Eugene Kaspersky.
“The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country,” he added.
Indeed, such technology could be leveled at any nation that uses computer systems, yet the infections are concentrated to a large extent in Iran and other Middle Eastern countries. This should serve as another strong indication of who is behind the ongoing attack.
The early analysis of Flame being conducted by researchers with Kaspersky has determined that it is first and foremost aimed at espionage and intelligence gathering.
It is apparently intended to spy on users of infected systems and steal data from the infected computers. This includes documents, recorded conversations through remote microphone activation and keystrokes.
Flame is then able to open a so-called backdoor to the infected systems and thus allow the individuals controlling the software to adjust the malware and add new functions to their cyberwarfare arsenal.
The software a is a mere 20 megabytes when all modules are installed and shows some highly unusual properties, such as some of the code being written in the LUA programming language, which is far from standard in malware.
The malware contains some 20 plugins which can be interchanged in order to enable various functions and utilizes multiple libraries, SQLite3 databases and both strong and weak levels of encryption.
Kaspersky Lab characterizes Flame as “one of the most complex threats ever discovered.”
If this was the product of a typical cyber-criminal ring, it would be nothing short of flabbergasting.
“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, the chief security expert at Kaspersky Lab.
“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev stated.
“It took us half-a-year to analyze Stuxnet,” he explained. “This is 20-times more complicated. It will take us 10 years to fully understand everything.”
For one of the world’s foremost anti-virus firms, this is quite a strong statement and a strong indicator that it is indeed a nation or conglomeration of nations behind it.
Researchers at Kaspersky originally came upon the malware some two weeks ago.
After the United Nations’ International Telecommunications Union (ITU) asked Kaspersky Lab to investigate reports from April claiming that computers belonging to the Iranian Oil Ministry as well as the Iranian National Oil Company had been infected with malware which was stealing and deleting data from their systems, researchers discovered components which they pieced together as parts of the larger Flame malware.
When searching through their reporting archive containing the suspect filenames sent from customer machines, they discovered an MD5 hash and filename which appeared to only be deployed on Iranian and Middle Eastern computers.
However, they are now treating Flame as a separate piece of malware from what was originally reported as Wiper/Viper (depending on the news source).
In fact, they believe that it is a completely separate infection and are treating it as such.
The name “Flame” comes from one of the main modules in the highly-advanced espionage toolkit, which is one of many modules allowing for some astoundingly invasive monitoring of infected systems.
Among the some 20 modules is one which allows attackers to remotely activate the internal microphone of an infected computer, thus covertly recording conversations held over Voice over IP programs like Skype or any conversations being held near the computer.
Another module turns computers with Bluetooth functionality into a Bluetooth beacon, scanning for other Bluetooth-enabled devices in range of the computer.
It then steals the names, phone numbers and other information from the devices’ contacts folder, thus gathering even more potentially sensitive information.
Yet another module frequently captures, stores and transmits screenshots of activity on the infected computer. It can capture any and all activity including communications held over instant messenger programs or email, then sends the screenshots through a secure channel to the command-and-control servers belonging to whoever is behind the malware.
It just gets worse with a so-called “sniffer” module which scans all traffic on the network which an infected machine is connected to.
This component then captures the username and password hashes transmitted across the entire network, which can then be used to gain access to high-level privileges restricted to administrative accounts. Attackers can then use these hijacked accounts to gain access to even more systems and parts of the network.
While Flame indeed contains a module called Viper, it is apparently used to transfer the stolen data from an infected machine to the attackers’ command-and-control servers. However, news reports originating out of Iran seemed to show that the Wiper/Viper malware mostly focused on deleting massive chunks of data from the infected systems.
To make matters even more confusing, when Kaspersky researchers were able to examine a system which had been destroyed by the Wiper/Viper malware, they were unable to find a single trace of the malware on the system.
This prevented them from comparing Wiper/Viper to the Flame files they are currently analyzing, and Gostev stated that the disk which was destroyed by the Wiper/Viper program was mostly filled with random trash, preventing any meaningful recovery.
“We did not see any sign of Flame on that disk,” Gostev added.
Interestingly, it appears that Flame is loaded onto systems in a kind of multi-stage attack, likely because it is relatively massive in size for malicious software.
Apparently, the targeted system is first hit with a 6 megabyte component containing around six compressed modules.
This component then extracts, decompresses and decrypts the six modules contained therein, after which it writes them to various locations on the system’s disk.
The total number of modules loaded on to the targeted computer depends entirely on what the attackers intend to do on a particular machine, meaning that this malware is highly flexible and scalable.
After the modules are loaded onto the system, Flame then connects to any of some 80+ command-and-control domains in order to deliver information from the infected machine and await further instruction from the attackers.
While the malware has a pre-loaded list of around five domains, it also has an updateable list which allows the attackers to add and remove domains as needed if they are either abandoned or taken down in one way or another.
Flame then beings to capture screenshots and sniff the network which the infected machine is connected to while awaiting further instructions from the attackers.
When the infected machine is using a “high-value communication” application, such as an email client or an instant messenger, it captures screenshots every 15 seconds, while screenshots are captured every 60 seconds when other applications are in use.
“It was obvious Duqu was from the same source as Stuxnet,” Gostev explained. “But no matter how much we looked for similarities [in Flame], there are zero similarities. Everything is completely different, with the exception of two specific things.”
On similar component is an export functionality shared by both Stuxnet and Flame, which very well might provide the link between the two pieces of malware as Kaspersky researchers continue to analyze the complex code.
Also similar is the fact that both Stuxnet and Flame can spread by infecting USB thumb drives using the same autorun and .lnk vulnerabilities that Stuxnet capitalized on.
Similarly, Flame uses the same print spooler vulnerability which Stuxnet exploited in order to infect other machines on a local network.
These facts indicate that the coders behind Flame very well may have had access to the menu of exploits used by the creators of Stuxnet and Duqu.
One of the most significant differences between Stuxnet and Flame is that Flame does not automatically replicate itself like Stuxnet.
Oddly enough, these modules are disabled by default and must later be switched on by attackers before the malware will spread itself. Similarly, once a USB is inserted into an infected machine and then infected itself, the USB exploit is automatically disabled.
Researchers believe this is included in order to limit the rapid spread of Flame and thus decrease the chances it will be detected.
This is likely in response to the virulent spread of Stuxnet which helped contribute to its discovery, while Flame has been able to fly under the radar for much longer, thus being able to gather significantly more sensitive information.
It appears that the rapid-spread exploits were enabled in the earlier version of the malware but after Stuxnet was discovered and publicly exposed in July 2010 and the .lnk and print spooler vulnerabilities were patched, this functionality was disabled.
Indeed, Flame was actually deployed before Stuxnet was discovered and before Microsoft patched the vulnerabilities in August and September of 2010.
After these vulnerabilities were patched, any malware attempting to utilize these vulnerabilities would be quickly detected if the infected systems had an updated antivirus program.
Interestingly, Flame is so advanced that it even checks for updated versions of the anti-virus programs on the infected machine and then bases the modules to be used on this finding.
The researchers still do not know how the first Flame infection occurs on a computer before it begins to spread.
Even more interesting is that the malware apparently has the ability to infect a fully updated and patched Windows 7 computer. This means that either Microsoft has allowed some holes to remain in place for the malware to infect targeted countries, or there is a zero-day exploit in the latest Windows 7 which has yet to be discovered by researchers.
To be perfectly honest, I wouldn’t be all too surprised if it was found that Microsoft deliberately left a vulnerability in place. I think it is also somewhat questionable that not a single anti-virus firm was able to detect Flame, other than Russia-based Kaspersky.
Why would it be that only a Russian firm would detect such a massive piece of malware? Consider the fact that Russia is one of the few states continuing to stand against the Western-Israeli efforts targeting Iran and other Middle Eastern/North African countries.
Kaspersky has determined that the earliest sign of Flame goes back to a Lebanese computer in August of 2010 based on a filename belonging to Flame popping up on a customer’s computer.
However, this same file name was reported by another firm, Webroot, on an Iranian computer in March of 2010.
Moreover, at least one component found in Flame has been detected on European computers in December of 2007 and in Dubai in April of 2008.
This means that parts of Flame could have been active around the world much earlier than previously thought.
Currently, Kaspersky researchers believe that Flame has infected a whopping 1,000 machines around the world. This estimation is based on calculating the number of their own customers who have infected computers, then using this figure to estimate the number of infected machines being used by customers who use other anti-virus firms.
Another aspect of Flame which is quite different from Stuxnet and Duqu is that the infections Kaspersky has unearthed so far appear to be throughout various industries.
This means that it is not targeting a specific industry like the energy industry or even specific systems, like industrial control systems, which Stuxnet and Duqu targeted, respectively.
This led researchers to conclude that Flame was likely created to be the Swiss Army knife of malware, able to target any and all industries and systems.
So far, those who Kaspersky has found to be infected range from private corporations to educational institutions to individuals to government entities.
Symantec has now joined in the analysis of Flame as well, and they indicate that most of the customers who were infected by the malware are located in the West Bank, Hungary, Iran and Lebanon.
Additional reports of infections have been received in Austria, Hong Kong, the United Arab Emirates and Russia.
Interestingly, researchers attempting to determine when exactly Flame modules were created have been frustrated by the apparent manipulation of the compilation date of the modules by the creators of the malware.
“Whoever created it was careful to mess up the compilation dates in every single module,” explained Gostev.
“The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010,” he added.
Furthermore, Flame has no built-in “kill date,” which would automatically disable the malware. Yet it does give the attackers the ability to remotely kill the software if needed through yet another module.
This so-called “kill module” is called browse32 and it scans the system for every single trace of Flame, removing every single indication that the system had ever been infected, including the stolen screenshots and data files.
“When the kill module is activated, there’s nothing left whatsoever,” Gostev said.
This would make it impossible for anyone to determine that their system had been infected after the required information had been stolen and the kill module had been activated.
However, the Iranian Computer Emergency Response Team claims that they had already developed a detector aimed at uncovering what they call the “Flamer” malware.
They say that they delivered the detection software to select organizations at the beginning of May, while they also state that they have developed a tool to remove the malware.
Kaspersky believes that this “Flamer” malware – which is also what Symantec has called it – is the same as the Flame malware they have been analyzing.
The looming question that remains is: who is behind this massive, clearly highly advanced attack?
If it is indeed the same people behind Stuxnet and Duqu then chances are it is the United States and Israel who are behind Flame.
I would not be in the least bit surprised if this were the case given that Israel has trained terrorists in order to carry out assassinations in Iran and the United States has similarly trained terrorist on American soil in order to target Iran.
By comparison, deploying malware seems almost tame.
Did I forget anything or miss any errors? Would you like to make me aware of a story or subject to cover? Or perhaps you want to bring your writing to a wider audience? Feel free to contact me at [email protected] with your concerns, tips, questions, original writings, insults or just about anything that may strike your fancy.