Flame (malware)

Last updated

Flame, [lower-alpha 1] also known as Flamer, sKyWIper, [lower-alpha 2] and Skywiper, [2] is modular computer malware discovered in 2012 [3] [4] that attacks computers running the Microsoft Windows operating system. [5] The program is used for targeted cyber espionage in Middle Eastern countries. [1] [5] [6]

Contents

Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), [5] Kaspersky Lab [6] and CrySyS Lab of the Budapest University of Technology and Economics. [1] The last of these stated in its report that Flame "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." [1] Flame can spread to other systems over a local network (LAN). It can record audio, screenshots, keyboard activity and network traffic. [6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. [7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers. [6]

According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines, [7] with victims including governmental organizations, educational institutions and private individuals. [6] At that time 65% of the infections happened in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, [3] [6] with a "huge majority of targets" within Iran. [8] Flame has also been reported in Europe and North America. [9] Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the "kill" command was sent. [10]

Flame is linked to the Equation Group by Kaspersky Lab. However, Costin Raiu, the director of Kaspersky Lab's global research and analysis team, believes the group only cooperates with the creators of Flame and Stuxnet from a position of superiority: "Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame." [11]

Recent research has indicated that Flame is positioned to be remembered as one of the most significant and intricate cyber-espionage tools in history. Using a sophisticated strategy, Flame managed to penetrate numerous computers across the Middle East by falsifying an authentic Microsoft security certificate. [12]

In 2019, researchers Juan Andres Guerrero-Saade and Silas Cutler announced their discovery of the resurgence of Flame. [13] [14] The attackers used 'timestomping'[ clarification needed ] to make the new samples look like they were created before the 'suicide' command. However, a compilation error included the real compilation date (c.2014). The new version (dubbed 'Flame 2.0' by the researchers) includes new encryption and obfuscation mechanisms to hide its functionality. [15]

History

Flame (a.k.a. Da Flame) was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers. [7] As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after one of the main modules inside the toolkit [FROG.DefaultAttacks.A-InstallFlame]. [7]

According to Kaspersky, Flame had been operating in the wild since at least February 2010. [6] CrySyS Lab reported that the file name of the main component was observed as early as December 2007. [1] However, its creation date could not be determined directly, as the creation dates for the malware's modules are falsely set to dates as early as 1994. [7]

Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet. [16] At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator. [17] However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware. [7] Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years. [7]

On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks. [7] After Flame's exposure in news media, Symantec reported on 8 June that some Flame command and control (C&C) computers had sent a "suicide" command to infected PCs to remove all traces of Flame. [10]

According to estimates by Kaspersky in May 2012, initially Flame had infected approximately 1,000 machines, [7] with victims including governmental organizations, educational institutions and private individuals. [6] At that time the countries most affected were Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. [3] [6] A sample of the Flame malware is available at GitHub.

Operation

NameDescription
List of code names for various families of modules in Flame's source code and their possible purpose [1]
FlameModules that perform attack functions
BoostInformation gathering modules
FlaskA type of attack module
JimmyA type of attack module
MunchInstallation and propagation modules
SnackLocal propagation modules
SpotterScanning modules
TransportReplication modules
EuphoriaFile leaking modules
HeadacheAttack parameters or properties

Flame is an uncharacteristically large program for malware at 20  megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection. [6] [18] The malware uses five different encryption methods and an SQLite database to store structured information. [1] The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications. [1] The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems. [lower-alpha 3] [1] The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software. [1] Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system. [18]

Flame is not designed to deactivate automatically, but supports a "kill" function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers. [7]

Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority. [19] The malware authors identified a Microsoft Terminal Server Licensing Service certificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft. [19] A successful collision attack against a certificate was previously demonstrated in 2008, [20] but Flame implemented a new variation of the chosen-prefix collision attack. [21]

Deployment

Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. [6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth enabled devices. [7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers. [6]

Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage. [22] It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes". [23]

Using a technique known as sinkholing, Kaspersky demonstrated that "a huge majority of targets" were within Iran, with the attackers particularly seeking AutoCAD drawings, PDFs, and text files. [8] Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes. [8]

A network of 80 servers across Asia, Europe and North America has been used to access the infected machines remotely. [24]

Origin

On 19 June 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel's military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts. [25]

According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it." [3] Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers. [26] After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability. [27]

Iran's CERT described the malware's encryption as having "a special pattern which you only see coming from Israel". [28] The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the West Bank—Israel became "many commentators' prime suspect". Other commentators named the U.S. as possible perpetrators. [26] Richard Silverstein, a commentator critical of Israeli policies, claimed that he had confirmed with a "senior Israeli source" that the malware was created by Israeli computer experts. [26] The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible, [26] but an Israeli spokesperson later denied that this had been implied. [29] Unnamed Israeli security officials suggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other Western nations. [30] The U.S. has officially denied responsibility. [31]

A leaked NSA document mentions that dealing with Iran's discovery of FLAME is an NSA and GCHQ jointly-worked event, [32] clearing Israel's military of all blame.

See also

Notes

  1. "Flame" is one of the strings found in the code, a common name for attacks, most likely by exploits [1]
  2. The name "sKyWIper" is derived from the letters "KWI" which are used as a partial filename by the malware [1]
  3. MS10-061 and MS10-046

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

The Central Intelligence Agency (CIA) has repeatedly intervened in the internal affairs of Iran, from the Mosaddegh coup of 1953 to the present day. The CIA is said to have collaborated with the last Shah, Mohammad Reza Pahlavi. Its personnel may have been involved in the Iran-Contra affair of the 1980s. More recently in 2007-8 CIA operatives were claimed to be supporting the Sunni terrorist group Jundallah against Iran, but these claims were refuted by a later investigation.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

The Stars virus is a computer virus which infects computers running Microsoft Windows. It was named and discovered by Iranian authorities in April 2011. Iran claimed it was used as a tool to commit espionage. Western researchers came to believe it is probably the same thing as the Duqu virus, part of the Stuxnet attack on Iran.

Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm and to have been created by Unit 8200. Duqu has exploited Microsoft Windows's zero-day vulnerability. The Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.

Operation Olympic Games was an ostensible and still unacknowledged campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities likely by the United States and Israel. As reported, it is one of the first known uses of offensive cyber weapons. Started under the administration of George W. Bush in 2006, Olympic Games was accelerated under President Obama, who heeded Bush's advice to continue cyber attacks on the Iranian nuclear facility at Natanz. Bush believed that the strategy was the only way to prevent an Israeli conventional strike on Iranian nuclear facilities.

Shamoon, also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unusable.

In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

<span class="mw-page-title-main">Seculert</span> Israeli cloud-based cyber security technology

Seculert was a cloud-based cyber security technology company based in Petah Tikva, Israel. The company's technology was designed to detect breaches and advanced persistent threats (APTs), attacking networks. Seculert's business was based on malware research and the ability to uncover malware that has gone undetected by other traditional measures.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.

Duqu 2.0 is a version of malware reported in 2015 to have infected computers in hotels of Austria and Switzerland that were sites of the international negotiations with Iran over its nuclear program and economic sanctions. The malware, which infected Kaspersky Lab for months without their knowledge, is believed to be the work of Unit 8200, an Israeli Intelligence Corps unit of the Israel Defense Forces. The New York Times alleges this breach of Kaspersky in 2014 is what allowed Israel to notify the US of Russian hackers using Kaspersky software to retrieve sensitive data.

Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM. It does not write any part of its activity to the computer's hard drive, thus increasing its ability to evade antivirus software that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaving very little evidence that could be used by digital forensic investigators to identify illegitimate activity. Malware of this type is designed to work in memory, so its existence on the system lasts only until the system is rebooted.

References

  1. 1 2 3 4 5 6 7 8 9 10 11 "sKyWIper: A Complex Malware for Targeted Attacks" (PDF). Budapest University of Technology and Economics. 28 May 2012. Archived from the original (PDF) on 28 May 2012. Retrieved 29 May 2012.
  2. "Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East". Symantec. Archived from the original on 31 May 2012. Retrieved 30 May 2012.
  3. 1 2 3 4 Lee, Dave (28 May 2012). "Flame: Massive Cyber-Attack Discovered, Researchers Say". BBC News. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
  4. McElroy, Damien; Williams, Christopher (28 May 2012). "Flame: World's Most Complex Computer Virus Exposed". The Daily Telegraph. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
  5. 1 2 3 "Identification of a New Targeted Cyber-Attack". Iran Computer Emergency Response Team. 28 May 2012. Archived from the original on 29 May 2012. Retrieved 29 May 2012.
  6. 1 2 3 4 5 6 7 8 9 10 11 12 Gostev, Alexander (28 May 2012). "The Flame: Questions and Answers". Securelist. Archived from the original on 30 May 2012. Retrieved 16 March 2021.
  7. 1 2 3 4 5 6 7 8 9 10 11 Zetter, Kim (28 May 2012). "Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers". Wired. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
  8. 1 2 3 Lee, Dave (4 June 2012). "Flame: Attackers 'sought confidential Iran data'". BBC News. Retrieved 4 June 2012.
  9. Murphy, Samantha (5 June 2012). "Meet Flame, the Nastiest Computer Malware Yet". Mashable.com. Retrieved 8 June 2012.
  10. 1 2 "Flame malware makers send 'suicide' code". BBC News. 8 June 2012. Retrieved 8 June 2012.
  11. Equation: The Death Star of Malware Galaxy Archived 17 February 2015 at the Wayback Machine , SecureList, Costin Raiu (director of Kaspersky Lab's global research and analysis team): "It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."
  12. Munro, Kate (1 October 2012). "Deconstructing Flame: the limitations of traditional defences". Computer Fraud & Security. 2012 (10): 8–11. doi:10.1016/S1361-3723(12)70102-1. ISSN   1361-3723.
  13. Zetter, Kim (9 April 2019). "Researchers Uncover New Version of the Infamous Flame Malware". www.vice.com. Retrieved 6 August 2020.
  14. Chronicle (12 April 2019). "Who is GOSSIPGIRL?". Medium. Retrieved 15 July 2020.
  15. Guerrero-Saade, Juan Andres; Cutler, Silas (January 2019). "Flame 2.0: Risen from the Ashes".{{cite journal}}: Cite journal requires |journal= (help)
  16. Hopkins, Nick (28 May 2012). "Computer Worm That Hit Iran Oil Terminals 'Is Most Complex Yet'". The Guardian. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
  17. Erdbrink, Thomas (23 April 2012). "Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet". The New York Times. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
  18. 1 2 Kindlund, Darien (30 May 2012). "Flamer/sKyWIper Malware: Analysis". FireEye. Archived from the original on 2 June 2012. Retrieved 31 May 2012.
  19. 1 2 "Microsoft releases Security Advisory 2718704". Microsoft. 3 June 2012. Retrieved 4 June 2012.
  20. Sotirov, Alexander; Stevens, Marc; Appelbaum, Jacob; Lenstra, Arjen; Molnar, David; Osvik, Dag Arne; de Weger, Benne (30 December 2008). "MD5 Considered Harmful Today" . Retrieved 4 June 2011.
  21. Stevens, Marc (7 June 2012). "CWI Cryptanalist Discovers New Cryptographic Attack Variant in Flame Spy Malware". Centrum Wiskunde & Informatica. Archived from the original on 28 February 2017. Retrieved 9 June 2012.
  22. Cohen, Reuven (28 May 2012). "New Massive Cyber-Attack an 'Industrial Vacuum Cleaner for Sensitive Information'". Forbes. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
  23. Albanesius, Chloe (28 May 2012). "Massive 'Flame' Malware Stealing Data Across Middle East". PC Magazine. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
  24. "Flame virus: Five facts to know". The Times of India. Reuters. 29 May 2012. Archived from the original on 30 May 2012. Retrieved 30 May 2012.
  25. Nakashima, Ellen (19 June 2012). "U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say". The Washington Post. Retrieved 20 June 2012.
  26. 1 2 3 4 "Flame Virus: Who is Behind the World's Most Complicated Espionage Software?". The Daily Telegraph. 29 May 2012. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
  27. "Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected". Kaspersky Lab. 11 June 2012.
  28. Erdbrink, Thomas (29 May 2012). "Iran Confirms Attack by Virus That Collects Information". The New York Times. Archived from the original on 6 June 2012. Retrieved 30 May 2012.
  29. Tsukayama, Hayley (31 May 2012). "Flame cyberweapon written using gamer code, report says". The Washington Post. Retrieved 31 May 2012.
  30. "Iran: 'Flame' Virus Fight Began with Oil Attack". Time . 31 May 2012. Archived from the original on 3 June 2012. Retrieved 31 May 2012.{{cite magazine}}: Unknown parameter |agency= ignored (help)
  31. "Flame: Israel rejects link to malware cyber-attack". BBC News. 31 May 2012. Retrieved 3 June 2012.
  32. "Visit Précis: Sir Iain Lobban, KCMG, CB; Director, Government Communications Headquarters (GCHQ) 30 April 2013 – 1 May 2013" (PDF).
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.