
Researchers identify Stuxnet-like malware called 'Flame'

By Lucian Constantin

May 29, 2012

IDG News Service - A new, highly sophisticated malware threat that was predominantly used in cyberespionage attacks against targets in the Middle East has been identified and analyzed by researchers from several security companies and organizations.

According to the Iranian Computer Emergency Response Team (MAHER), the new piece of malware is called Flamer and might be responsible for recent data loss incidents in Iran. There are also reasons to believe that the malware is related to the Stuxnet and Duqu cyberespionage threats, the organization said on Monday.

Malware researchers from antivirus firm Kaspersky Lab have also analyzed the malware and found that while it is similar to Stuxnet and Duqu in terms of the geographic propagation and targeting, it has different features and it is, in many ways, more complex than both of those threats.

Flame, as the Kaspersky researchers call it, is a very large attack toolkit with many individual modules. It can perform a variety of malicious actions, most of which are related to data theft and cyberespionage.

Among other things, it can use a computer's microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.

One of the toolkit's first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.

Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone, Kamluk said.

Another interesting aspect of the threat is that some parts of Flame were written in Lua, a programming language that's highly uncommon for malware development. Lua is often used in the computer gaming industry, but Kaspersky Lab hasn't seen any malware samples before Flame that were written in the language, Kamluk said.

Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet.

The Kaspersky researchers haven't found any evidence of an unknown (0-day) vulnerability being exploited by this malware, but Flame is known to have infected a fully patched Windows 7 computer, so they don't completely exclude the possibility, Kamluk said.

When infecting computers that are protected by antivirus programs, Flame avoids performing certain actions or executing malicious code that might trigger a proactive detection from those security applications. This is one of the reasons that the malware flew under the radar for so long, Kamluk said.

By checking the data from its worldwide network of malware sensors, Kaspersky Lab has managed to identify current and past Flame infections in the Middle East and Africa, predominantly in countries like Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

However, antivirus vendor Symantec also identified past infections in Hungary, Austria, Russia, Hong Kong and the United Arab Emirates. The company doesn't dismiss the possibility that these infection reports originated from laptops that were temporarily taken abroad by travellers.

It's hard to tell what type of information the Flame authors are after, given the wide variety of data that the malware can steal and send back to the command and control servers. The decision about which of the malware's modules and functionality to use is probably made by the attackers for each particular target on a case-by-case basis, Kamluk said.

The targeted organizations don't seem to follow an industry-specific pattern, either. The malware has infected computers belonging to government agencies, educational institutions and commercial companies as well as computers owned by private individuals.

As with Duqu and Stuxnet, it's not clear who created Flame. However, the malware's complexity and the amount of resources required to build something like it have led security researchers to believe that it was created or sponsored by a nation state.

Kaspersky's researchers didn't find any evidence that could tie the malware to a specific country or even region. However, there is some text written in English inside the code, Kamluk said.

"Examination of the code also leads Symantec to believe the malware was developed by a natively English speaking set of developers," a Symantec spokesman said via email. "No further observations have been made which could assist in locating the origin of the malware."

Researchers from the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics, which played an important role in the discovery and analysis of Duqu, have also released a report on the Flame malware, which they call "sKyWIper."

"The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," the CrySyS researchers said in their report. "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."
