Flame espionage weapon linked to MORE mystery malware

Command systems weren't just directing data-raiding worm

Forensic analysis of two command-and-control servers for the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected - and has links to other mystery software nasties.

Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations' International Telecommunication Union.

The malware, which infected Microsoft Windows computers across the Middle East, came to light in May when the Iranian authorities found it siphoning off data to foreign handlers.

Over the past six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks, using multiple encryption techniques and periodically wiping data from the PCs to hide its activities.

Despite these efforts, the well-funded Flame handlers left behind a number of clues. "The C&C servers were disguised to look like a common content management system to hide the true nature of the project from hosting providers or random investigations," a statement by Kaspersky Labs explained. "The servers were able to receive data from infected machines using four different protocols; only one [was used by] computers to attack with Flame.

"The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created. Their nature is currently unknown."

The command-and-control infrastructure associated with Flame has since been dismantled.

"They [the command servers] are all dead," Costin Raiu, senior security researcher at Kaspersky Lab told El Reg. "About 35 C&C servers were active during the past two to three years, I believe five or six were active in May 2012."

Flame's control systems went offline immediately after Kaspersky Lab first unearthed the malware. All the command servers ran the 64-bit flavour of the Debian GNU/Linux operating system, virtualised using OpenVZ containers and disguised to look like an ordinary web publishing system. Only the team behind the malware would have been able to read the heavily encrypted data uploaded to the systems.

"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command-and-control servers," said Alexander Gostev, chief security expert at Kaspersky Lab. "Flame’s creators are good at covering their tracks. But one mistake by the attackers helped us to discover more data that one server intended to keep.

"Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale."

There's no evidence to suggest that Flame's command servers were used to control other known cyber-weapons - such as Stuxnet or Gauss - but they were used to operate a mystery malware strain, codenamed "SPE" by its authors. Kaspersky set up a sinkhole to capture internet traffic generated by SPE, establishing that the malware was in the wild and attempting to communicate with the wider world. By contrast, the two other unidentified Flame-related malicious programs (SP and IP) were not generating traffic and were generally inactive at the time of the May 2012 takedown.

A complete run-down of the main findings from the Kaspersky-Symantec analysis can be found here.

Eternal Flame

The Flame espionage campaign was unearthed in May 2012 by Kaspersky Lab during an investigation initiated by the International Communication Union. Flame stealthily takes screenshots and snoops on network traffic and keystrokes, and even records audio conversations, before uploading this sensitive data to servers. The malware spread across the Middle East, but most of the victims were located in Iran.

Flame weighs in at a monster 20MB - 40 times larger than Stuxnet, a lightweight itself by malware standards. This led to accusations that the spying toolkit was nothing more than boring bloatware until it emerged that the malware used a clever MD5 hash collision attack to create counterfeit Microsoft security certificates, allowing malicious software posing as legitimate Windows Update downloads to be installed.

Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran's controversial nuclear enrichment programme. This information was then used by Stuxnet in its cyber-sabotage mission against the country's nuclear centrifuges.

The joint Symantec and Kaspersky research shows Flame has been around for years, consistent with this theory although hardly proving it. The security research boffins would only say data suggests Flame was created by an advanced nation-sponsored group with plenty of cash. A component in an early build of Stuxnet appears in Flame as a plugin. Despite this link Stuxnet and Flame are not regarded as close relatives. ®
