
Researchers from the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics and from Kaspersky Lab have almost simultaneously revealed details of their research into the Flame malware toolkit. While Kaspersky Lab says it has detected the malware on systems located in the Middle East (mostly in Iran), CrySyS found a couple of Flame-infected systems in other countries, including Hungary.
According to a press release by the International Telecommunication Union (ITU), Kaspersky Lab researchers discovered Flame while searching for the "Wiper" malware, which allegedly deleted data on a number of computers in Iran.
"This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in co-ordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been 'in the wild' for more than two years - since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it," it has been explained.
What is known about this malicious toolkit so far?
"First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine," Kaspersky Lab's Alexander Gostev explained.
Its primary goal is to collect as much information as it can from infected systems and send it to its C&C servers; the modules are there to make sure that happens thoroughly.
Among the capabilities of this toolkit are the ability to take screenshots, record audio data via the computer microphone, collect information about discoverable Bluetooth devices near the infected machine, attack and infect additional machines, open backdoors, sniff the traffic on an infected machine’s LAN in order to collect usernames and password hashes being transmitted back and forth, and more.
"The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered," states ITU. "The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet."
Gostev points out that the worst thing about this discovery is that the Flame cyber-attack campaign is still ongoing, and that the toolkit can uninstall itself and wipe all traces of its presence once the attackers are done with a particular system. And although Flame has no apparent similarities to Stuxnet and Duqu, it is considered to belong in the "malware as cyber weapon" category.
"The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country," Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, commented. "Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
The researchers believe that Flame was not developed by the authors of Stuxnet and Duqu, and that it might have been released before or simultaneously with them.
The group behind Flame targeted different systems, among which were those used by private companies, private individuals, academics, etc.
They also intentionally changed the creation dates of the files in order to make it difficult for researchers to determine when the toolkit and its modules were actually created. Kaspersky Lab experts know it was detected in the wild in February 2010, but are also convinced that earlier versions of the malware may have been circulating before that.
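The timestamp manipulation described above is detectable on NTFS because the MFT keeps two sets of timestamps per file, and only one of them can be rewritten from user mode. The following Python script is an added example, not code from the article or from any published Flame analysis; it assumes an analyst has already exported each file's $STANDARD_INFORMATION and $FILE_NAME timestamps with an MFT parser, and the records and file names in it are constructed for illustration.

```python
from datetime import datetime, timezone


def _ts(s):
    """Parse an ISO-8601 string (microsecond precision) as a UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records, not real MFT data. Each entry carries the
# creation/modification times from $STANDARD_INFORMATION (si_*) and from
# $FILE_NAME (fn_*), as a forensic MFT parser would export them.
SAMPLE_RECORDS = [
    {"name": "legit.dll",               # hypothetical name; untouched file
     "si_created": _ts("2012-05-10T09:14:33.123456"),
     "si_modified": _ts("2012-05-10T09:14:35.654321"),
     "fn_created": _ts("2012-05-10T09:14:33.123456"),
     "fn_modified": _ts("2012-05-10T09:14:33.123456")},
    {"name": "backdated.ocx",           # hypothetical name; $SI pushed back to 2008
     "si_created": _ts("2008-03-01T12:00:00.000000"),
     "si_modified": _ts("2008-03-01T12:00:00.000000"),
     "fn_created": _ts("2012-04-20T15:42:11.887123"),
     "fn_modified": _ts("2012-04-20T15:42:11.887123")},
    {"name": "copied.sys",              # hypothetical name; file copied in from elsewhere
     "si_created": _ts("2012-06-01T10:00:00.500000"),
     "si_modified": _ts("2012-05-01T10:00:00.500000"),
     "fn_created": _ts("2012-06-01T10:00:00.500000"),
     "fn_modified": _ts("2012-06-01T10:00:00.500000")},
]


def timestomp_indicators(rec):
    """Return the list of indicator names that fire for one MFT record."""
    findings = []
    si_c, si_m = rec["si_created"], rec["si_modified"]
    fn_c = rec["fn_created"]

    # 1. $SI creation earlier than $FN creation. $FN is written by the kernel
    #    when the name is created and is not reachable via SetFileTime(), so a
    #    user-mode tool that backdates $SI leaves $FN untouched. Strong signal.
    if si_c < fn_c:
        findings.append("SI_created_before_FN_created")

    # 2. Sub-second part of both $SI times is exactly zero. NTFS keeps 100 ns
    #    resolution, so genuine writes almost never land on a whole second,
    #    while tools that take "YYYY-MM-DD HH:MM:SS" input do. Strong signal
    #    when the $FN times of the same file still carry a fractional part.
    if si_c.microsecond == 0 and si_m.microsecond == 0 and fn_c.microsecond != 0:
        findings.append("SI_subsecond_zeroed")

    # 3. $SI says the file was created after it was last modified. This is
    #    normal for a file copied from elsewhere (the copy keeps the source's
    #    modification time), so treat it only as corroboration.
    if si_c > si_m:
        findings.append("SI_created_after_modified")

    return findings


def scan(records):
    """Map file name -> indicators, keeping only records with at least one."""
    result = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            result[rec["name"]] = hits
    return result


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(hits)}")
```

Run against the constructed records, only the backdated file trips the two strong indicators; the copied file trips only the weak one, which is why that check is reported separately rather than treated as proof on its own. A live MFT also carries a fourth timestamp (MFT entry modified) and a $FN set per hard link, which a fuller check would compare the same way.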
It is still unclear whether the "Wiper" malware Kaspersky Lab was asked to find is actually Flame, but it seems that it could be a module of the toolkit that goes by a similar name.

