Latest news
New cyber weapon targets systems in the Middle East
Posted on 28.05.2012
A new sophisticated piece of malware dubbed "Flame" has been discovered in systems belonging to users in many Middle Eastern countries and is though to have been developed by a nation state.
Researchers from the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics and Kaspersky Lab have practically simultaneously revealed details of their research into this toolkit, and while the latter say they have detected the malware on systems located in the Middle East (most of all Iran), CrySyS found a couple of Flame-infected systems in other countries such as Hungary.
According to a press release by the International Telecommunication Union (ITU), Kaspersky Lab researchers discovered Flame while searching for the "Wiper" malware, which allegedly deleted data on a number of computers in Iran.
"This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in co-ordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been 'in the wild' for more than two years - since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it," it has been explained.
What is known about this malicious toolkit so far?
"First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine," Kaspersky Lab's Alexander Gostev explained.
It's primary goal is to slurp as much information it can from affected systems and send it to C&C servers, and the modules are there to ensure that that happens thoroughly.
Among the capabilities of this toolkit are the ability to take screenshots, record audio data via the computer microphone, collect information about discoverable Bluetooth devices near the infected machine, attack and infect additional machines, open backdoors, sniff the traffic on an infected machine’s LAN in order to collect usernames and password hashes being transmitted back and forth, and more.
"The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered," states ITU. "The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet."
Gostev points out that the worst thing about this discovery is the fact that the Flame cyber-attack campaign is still ongoing, and that the toolkit has the ability to deinstall and wipe all traces of itself once the attackers are done with a particular system. And although Flame has no similarities with Stuxnet and Duqu, Flame is considered to belong in the "malware as cyber weapon" category.
"The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country," Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, commented. "Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
The researchers believe that Flame was not developed by the authors of Stuxnet and Duqu, and that it might have been released before or simultaneously with them.
The group behind Flame targeted different systems, among which were those used by private companies, private individuals, academics, etc.
They also intentionally changed the dates of creation of the files in order to make it difficult for researchers to discover when the toolkit and its modules were created. Kaspersky Lab experts know it has been detected in the wild in February 2010, but are also convinced that earlier versions of the malware could have been floating around.
It is still unclear if the "Wiper" malware Kaspersky Lab was contracted to find is actually Flame, but it seems that it could be a module of the toolkit that goes by the similar name.
Researchers from the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics and Kaspersky Lab have practically simultaneously revealed details of their research into this toolkit, and while the latter say they have detected the malware on systems located in the Middle East (most of all Iran), CrySyS found a couple of Flame-infected systems in other countries such as Hungary.
According to a press release by the International Telecommunication Union (ITU), Kaspersky Lab researchers discovered Flame while searching for the "Wiper" malware, which allegedly deleted data on a number of computers in Iran.
"This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in co-ordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been 'in the wild' for more than two years - since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it," it has been explained.
What is known about this malicious toolkit so far?
"First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine," Kaspersky Lab's Alexander Gostev explained.
It's primary goal is to slurp as much information it can from affected systems and send it to C&C servers, and the modules are there to ensure that that happens thoroughly.
Among the capabilities of this toolkit are the ability to take screenshots, record audio data via the computer microphone, collect information about discoverable Bluetooth devices near the infected machine, attack and infect additional machines, open backdoors, sniff the traffic on an infected machine’s LAN in order to collect usernames and password hashes being transmitted back and forth, and more.
"The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered," states ITU. "The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet."
Gostev points out that the worst thing about this discovery is the fact that the Flame cyber-attack campaign is still ongoing, and that the toolkit has the ability to deinstall and wipe all traces of itself once the attackers are done with a particular system. And although Flame has no similarities with Stuxnet and Duqu, Flame is considered to belong in the "malware as cyber weapon" category.
"The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country," Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, commented. "Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
The researchers believe that Flame was not developed by the authors of Stuxnet and Duqu, and that it might have been released before or simultaneously with them.
The group behind Flame targeted different systems, among which were those used by private companies, private individuals, academics, etc.
They also intentionally changed the dates of creation of the files in order to make it difficult for researchers to discover when the toolkit and its modules were created. Kaspersky Lab experts know it has been detected in the wild in February 2010, but are also convinced that earlier versions of the malware could have been floating around.
It is still unclear if the "Wiper" malware Kaspersky Lab was contracted to find is actually Flame, but it seems that it could be a module of the toolkit that goes by the similar name.
Spotlight
Is it time to professionalize information security?
Posted on 23 May 2013. | The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate.
Review: Logging and Log Management
Posted on 22 May 2013. | Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties.
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
