A lethal malware has been discovered recently and named ‘Flame’ by computer security-software maker Kaspersky, Iran's national Computer Emergency Response Team (CERT) at the MAHER Center, and the CrySyS Lab of the Budapest University of Technology and Economics. The malicious program is believed to be more damaging than Stuxnet, the malware that almost killed Iran’s nuclear program around 2009-10.
It was the United Nations' International Telecommunication Union that asked Kaspersky to investigate reports of a virus affecting Iranian Oil Ministry computers.
Kaspersky said in its report that “‘sKyWIper’ (Flame) is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.” Once installed, it can capture virtually anything: usernames, passwords, network traffic, screenshots, documents, emails, audio conversations, keystrokes, and information on other devices after activating Bluetooth.
The stolen data can then be sent, using a module called Wiper, via a covert SSL channel to Flame’s control servers. It seems to have infected thousands of machines so far.
On the day of the announcement, 28 May 2012, it was claimed that the infection could be an espionage program targeting Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories, other Middle Eastern nations and North Africa. The researchers have also determined that Flame could have been in existence since 2007, the handiwork of the same team that was behind Stuxnet and DuQu (another piece of malware).
Alexander Gostev, chief security expert at Kaspersky, says that because of its size and complexity, a complete analysis of the code may take years. “It took us half-a-year to analyze Stuxnet,” he said. “This is 20-times more complicated. It will take us 10 years to fully understand everything.”
The degree of stealth this threat involves can be further understood from Gostev’s statement: “Whoever created it was careful to mess up the compilation dates in every single module. The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”
Due to its sophistication and geographic reach, there are strong reasons to believe that an organization as big as a government is behind Flame. “Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
Iran's CERT announced that it has already developed a detection program and a removal tool for Flame, and has been distributing these to its organizations for several weeks.
Researchers found MD5 hashes and other suspicious filenames that appeared to have been positioned only on machines in Iran and other Middle Eastern countries. It was dubbed “Flame” after the name of a module inside it, though it is still not confirmed how Flame infects its initial target in the first place.
The malware is 20 MB after installation and contains multiple libraries, SQLite3 databases to store structured information, 5 levels of encryption and 20 plug-ins that provide various functionality for the attackers. It even contains some code written partly in the Lua programming language and C++.
It is designed to evade security software through rootkit functionality. Furthermore, malware modules stay hidden when loaded into a process, and the memory pages are sealed with permissions like READ, WRITE and EXECUTE, making them inaccessible to user applications. Flame contains no built-in deactivation date, but operators can send a module, browse32, that deletes all traces of its files from a system when required.
Flame is first loaded as a 6 MB component containing compressed modules. The main component extracts, decompresses and decrypts these modules, then writes them to various locations on disk and connects to command-and-control domains or servers to pass on information about the infected machine. The malware contains a list of 5 domains, to which new domains can be added if the previous ones have been taken down.
All the modules get on with their jobs until they receive instructions from the command server: recording conversations, emails, etc. Screenshots are captured every 15 seconds when a communication program like Outlook is in use, and every 60 seconds for other applications.
Flame does not replicate automatically as Stuxnet does; instead, the controller or server triggers the replication procedure. In fact, Flame works in a completely different framework from Stuxnet and DuQu, with the exception of two things.
One is the export function and the other is the ability to spread through USB sticks using autorun and *.lnk files, which was also part of Stuxnet. Flame also uses the print spooler vulnerability used by Stuxnet to spread through a local network.
Symantec has also begun analyzing Flame (which it calls “Flamer”); the majority of its customers hit by the malware are in the Palestinian West Bank, Hungary, Iran, Lebanon, Austria, Russia, Hong Kong, and the United Arab Emirates.