
Flame espionage weapon linked to MORE mystery malware

Command systems weren't just directing data-raiding worm


Forensic analysis of two command-and-control servers for the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected - and has links to other mystery software nasties.

Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations' International Telecommunication Union.

The malware, which infected Microsoft Windows computers across the Middle East, came to light in May 2012 when the Iranian authorities found it siphoning off data to foreign handlers.

Over the past six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks, using multiple encryption techniques and periodically wiping data from the PCs to hide its activities.

Despite these efforts, the well-funded Flame handlers left behind a number of clues. "The C&C servers were disguised to look like a common content management system to hide the true nature of the project from hosting providers or random investigations," a statement by Kaspersky Lab explained. "The servers were able to receive data from infected machines using four different protocols; only one [was used by] computers to attack with Flame.

"The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created. Their nature is currently unknown."

The command-and-control infrastructure associated with Flame has since been dismantled.

"They [the command servers] are all dead," Costin Raiu, senior security researcher at Kaspersky Lab, told El Reg. "About 35 C&C servers were active during the past two to three years, I believe five or six were active in May 2012."

Flame's control systems went offline immediately after Kaspersky Lab first unearthed the malware. All the command servers ran the 64-bit flavour of the Debian GNU/Linux operating system, virtualised using OpenVZ containers and disguised to look like an ordinary web publishing system. Only the team behind the malware would have been able to read the heavily encrypted data uploaded to the systems.

"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command-and-control servers," said Alexander Gostev, chief security expert at Kaspersky Lab. "Flame’s creators are good at covering their tracks. But one mistake by the attackers helped us to discover more data that one server intended to keep.

"Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale."

There's no evidence to suggest that Flame's command servers were used to control other known cyber-weapons - such as Stuxnet or Gauss - but they were used to operate a mystery malware strain, codenamed "SPE" by its authors. Kaspersky set up a sinkhole to capture internet traffic generated by SPE, establishing that the malware was in the wild and attempting to communicate with the wider world. By contrast, the two other unidentified Flame-related malicious programs (SP and IP) were not generating traffic and generally inactive at the time of the May 2012 takedown.

A complete run-down of the main findings from the Kaspersky-Symantec analysis has been published by the researchers.

Eternal Flame

The Flame espionage campaign was unearthed in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union. Flame stealthily takes screenshots and snoops on network traffic and keystrokes, and even records audio conversations, before uploading this sensitive data to its command servers. The malware spread across the Middle East, but most of the victims were located in Iran.

Flame weighs in at a monster 20MB - 40 times larger than Stuxnet, itself considered bulky by malware standards. This led to accusations that the spying toolkit was nothing more than boring bloatware, until it emerged that the malware used a chosen-prefix MD5 hash collision attack to forge a certificate that chained up to a Microsoft root, allowing malicious software posing as legitimate Windows Update downloads to be installed.
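The lesson of the forged certificate is that an MD5-signed link anywhere in a trust chain is a liability, because a collision lets an attacker substitute a certificate the CA never saw. The following is an added example, not code from The Register, Kaspersky Lab or Symantec: a standard-library-only Python check that walks a DER-encoded certificate, reads the outer signatureAlgorithm OID and flags MD5, MD2 and SHA-1 signatures. The sample "certificates" are constructed inline by a tiny DER encoder and have a placeholder tbsCertificate and filler signature bytes; they are assumptions for the demonstration, not real certificates, and the `build_sample_cert` / `screen_chain` names are this example's own.

```python
"""Flag MD5/MD2/SHA-1 signature algorithms in DER certificates (added example).

Not code from the article or the vendors it cites. Standard library only:
a minimal DER encoder builds constructed sample certificates, and a minimal
DER walker reads back the outer signatureAlgorithm so a chain can be screened.
"""

# PKCS#1 signature algorithm OIDs -> names.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Digests with practical collision attacks: MD2, MD5 (Flame's case) and SHA-1.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2",
    "1.2.840.113549.1.1.4",
    "1.2.840.113549.1.1.5",
}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def der(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> OBJECT IDENTIFIER content octets (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:       # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """Parse the TLV at buf[pos]; returns (tag, content bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:           # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_sample_cert(sig_oid):
    """Constructed sample: Certificate ::= SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }.

    Only the outer shape is faithful; tbsCertificate is a stand-in INTEGER and
    the signature is filler, so nothing here verifies against any real CA.
    """
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAA" * 16)   # BIT STRING with zero unused bits
    return der(0x30, tbs + alg + sig)


def signature_algorithm(cert_der):
    """Return the dotted OID from the outer signatureAlgorithm of a DER certificate."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = read_tlv(cert_body, 0)            # skip tbsCertificate
    _, alg_body, _ = read_tlv(cert_body, pos)     # signatureAlgorithm
    tag, oid_body, _ = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def is_weak_signature(cert_der):
    return signature_algorithm(cert_der) in WEAK_SIGNATURE_OIDS


def screen_chain(chain):
    """(index, algorithm name, weak?) for every DER certificate in a chain."""
    report = []
    for i, cert in enumerate(chain):
        oid_str = signature_algorithm(cert)
        report.append((i, SIGNATURE_OIDS.get(oid_str, oid_str), oid_str in WEAK_SIGNATURE_OIDS))
    return report


if __name__ == "__main__":
    # Constructed chain: SHA-256 leaf issued under an MD5-signed intermediate.
    chain = [build_sample_cert("1.2.840.113549.1.1.11"),
             build_sample_cert("1.2.840.113549.1.1.4")]
    for idx, name, weak in screen_chain(chain):
        print(f"cert {idx}: {name} {'WEAK' if weak else 'ok'}")
```

On a real chain you would feed `screen_chain` the DER bytes of each certificate (for PEM input, base64-decode the body between the BEGIN/END markers first). The outer signatureAlgorithm is what the issuer actually used to sign, which is the field that matters for a collision; the check flags every position in the chain, because a strong leaf signature is worthless below an MD5-signed intermediate.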

Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned the Stuxnet cyber-weapon, codenamed Olympic Games. Flame was described as a reconnaissance tool used to map networks associated with Iran's controversial nuclear enrichment programme; that intelligence was then said to have guided Stuxnet's sabotage of the country's enrichment centrifuges.

The joint Symantec and Kaspersky research shows Flame has been around for years, which is consistent with this theory without proving it. The security research boffins would only say the data suggests Flame was created by an advanced nation-sponsored group with plenty of cash. A component found in an early build of Stuxnet appears in Flame as a plugin, but despite this link Stuxnet and Flame are not regarded as close relatives. ®
