Original URL: https://www.theregister.com/2012/05/31/flame_hype_analysis/

'Super-powerful' Flame worm actually boring bloatware

More Jabba the Hutt than lean Windows killing machine

By John Leyden

Posted in Security, 31st May 2012 15:32 GMT

Analysis Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code.

The cyber-espionage toolkit – reckoned to have been in circulation for at least two years and possibly much longer – created a fire-storm of publicity after Iranian authorities published a stark warning about the virus on Monday.

On the same day, antivirus experts at Kaspersky Labs and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who had been independently working on analysing the same malware, published their own preliminary analyses.

The Kaspersky experts had been called in by the International Telecommunication Union, which wanted to crack the riddle of a mystery Trojan outbreak that was wiping data off compromised machines in the Middle East.

Flame, which comes with a complex variety of libraries and swappable modules, weighs in at a monster (arguably bloated) 20MB. That's about 40 times larger than Stuxnet, a heavyweight itself by malware standards.

But size is far less important than how many systems it has infected and what damage it causes.

Who's on the hit-list?

Estimates from Kaspersky suggest Flame has only infected 1,000 Windows-powered computers almost exclusively across the Middle East in countries including Iran, Israel and Syria, though it has been found as far down as Sudan in north Africa.

Compromised targets include governmental organisations, educational institutions and home users. Circumstantial evidence suggests that the data-stealing malware infected systems at Iran's main oil export terminal on Kharg Island in the Persian Gulf last month, prompting a decision to disconnect systems there. Flame may also have infected the computers of high-ranking officials, causing a "massive" data loss, unconfirmed reports suggest.

Iranian authorities, who claim to have developed an antidote to Flame, are pointing the finger of blame towards Israel, suggesting the encryption scheme used by the worm is characteristic of those built by Israeli malware writers. The encryption link is tenuous at best.

Nonetheless the Iranian angle adds intrigue, especially in light of the Kharg Island infection. Yet a sober look at the malware suggests its spread is modest and its actions on compromised systems are standard fare for modern viruses, contrary to reports earlier this week.

Game changer? Maybe not

Rather than redefining cyberwar and cyberespionage, as Kaspersky researchers initially claimed amid Iranian warnings that the malware was "a close relation to the Stuxnet and Duqu targeted attacks", Flame is bloated and overhyped, according to rival security vendors.

Flame is a precise attack toolkit rather than a general-purpose cyber-weapon, the argument goes. It hasn't spread very far and might well be restricted to systems administrators of Middle East governments.

"While it really doesn't do anything we haven't seen before in other malware attacks — what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system," Patrik Runald of Websense explains.

"Also, Flame has been operating under the radar for at least two years, which counter-intuitively may partially be attributed to its large size."

My dad's botnet is bigger than yours

By comparison to the 1,000-or-so systems hit by Flame, the Flashback Trojan infected 600,000 Mac OS X computers earlier this year and created the first botnet on Apple machines in the process.

The DNSChanger Trojan, linked to click-fraud and scareware scams, compromised four million Windows machines prior to a takedown operation in March.

The infamous Conficker worm hit upwards of 9 million systems, forcing the disconnection of systems at Greater Manchester Police for three days while also causing disruption at a hospital and the local council, and even managed to infiltrate the Houses of Parliament.

A run of Windows worms – Sasser, Nimda and Code Red – caused network congestion and comparable disruption when they appeared in separate incidents between 1999 and 2004. Viruses that spread by email attachments – such as the Love Bug, SoBig and Anna Kournikova nasties – brought mail servers and inboxes to their knees.

Banking Trojans created using the ZeuS or SpyEye toolkits have resulted in massive losses to banks and small businesses while infecting hundreds of thousands of systems.

Flame, on the other hand, has only infected hundreds of PCs. The malware is clearly designed for information-gathering and espionage but, again contrary to early reports, it isn't doing anything much out of the ordinary from a technical perspective.

Spy craft

The malware infects computers running Microsoft's operating system, and stealthily installs itself before stealing information, logging keystrokes, sniffing network traffic and capturing screenshots. It can also surreptitiously turn on microphones to record audio conversations, and then uploads all of this data to remote command-and-control servers.

Flame is built with many interlinked modules and is capable of handling a complex mix of remote instructions. Dozens of pieces of malware or malware frameworks infecting millions of PCs bundle similar capabilities.

Slurps info from Bluetooth kit

When Bluetooth hardware is available, Flame collects information about discoverable devices near the infected machine.

Only the Bluetooth activity in this list is in any way remarkable, says PandaLabs.

Another curious and somewhat innovative feature of the malware is its ability to turn its worm-like spreading functionality on and off.

"Even though it is a worm, its spreading mechanisms are disabled. It looks like whoever is behind it can activate that feature when needed," explains Luis Corrons, technical director of PandaLabs.

The malware also bundles clean-up routines designed to purge it from systems that have been compromised.

"There seems to be a module named 'browse32' that's designed to search for all evidence of compromise (eg, malware components, screenshots, stolen data, breadcrumbs, etc) and carefully remove them," Gunter Ollmann, VP of Research at Damballa explains.

"While many malware families employ a clean-up capability to hide the initial infection, few include the capability of removing all evidence on the host (beyond trashing the entire computer). This, to my mind, is more reflective of a tool set designed for human interactive control — ie, for targeted attacks."

If Stuxnet was the Ali of malware, then Flame is a Sumo wrestler

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid private key – unlike the signed files used by Duqu and Stuxnet, the previous stars of cyber-espionage.
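The unsigned-but-Microsoft-looking files mentioned above are something a defender can check for directly. The PowerShell below is an added example, not code from the article or from any of the vendors quoted in it: it walks an assumed audit directory, picks out PE files whose version resource claims a Microsoft origin, and reports any that lack a valid Authenticode signature from a Microsoft signer. The `$Root` path is an assumption; point it at a triage or staging folder.

```powershell
# Added example (not from the article). Flag PE files that claim to be
# Microsoft components but do not carry a valid Microsoft Authenticode signature.
param(
    [string]$Root = "$env:SystemRoot\Temp"   # assumed directory to audit
)

$suspects = @()

Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll,*.ocx,*.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)

        # Only consider files that present themselves as Microsoft components.
        if ($info.CompanyName -notmatch 'Microsoft') { return }

        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # A file is trusted here only if the chain validates AND the signer
        # really is Microsoft; a valid signature from someone else still counts
        # as a mismatch with what the version resource claims.
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        $trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')

        if (-not $trusted) {
            $suspects += [pscustomobject]@{
                Path        = $_.FullName
                ClaimedBy   = $info.CompanyName
                Description = $info.FileDescription
                SigStatus   = $sig.Status      # NotSigned, HashMismatch, NotTrusted, ...
                Signer      = $signer
            }
        }
    }

# Print the findings; an empty table means nothing in $Root contradicts its own claims.
$suspects | Sort-Object SigStatus, Path | Format-Table -AutoSize
```

Two caveats when using this in practice: many genuine Windows binaries are catalog-signed rather than carrying an embedded signature, so on older systems `Get-AuthenticodeSignature` may report `NotSigned` for legitimate files under `System32`; run the check against a quarantine or triage set, or corroborate hits against the catalog files, rather than treating every hit in the OS tree as malicious. And a `HashMismatch` on a file that is otherwise expected deserves more attention than a `NotSigned`, since it means the file was modified after signing.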

Stuxnet targeted industrial control systems and was designed for sabotage. Duqu, like Flame, was geared towards industrial espionage. However, the similarities stop there. Stuxnet and Duqu were built from the same building blocks, whereas Flame used a completely different architecture.

A lot was made of the modular design of Flame but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht who later founded the application security firm Veracode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.

The creators of the malware remain unknown, but the development effort involved means it must have involved a larger dedicated team. Flame is not designed to steal money from compromised bank accounts or some other profitable scam, which would appear to rule out cybercrooks.

It's certainly not the work of hobbyists and unlikely to be the work of hacktivists, who tend to favour extracting data via website compromises and by running denial-of-service attacks.

Hacktivists tend to favour much simpler tools rather than Sumo-sized, complex threats like Flame, anyway. The nature and location of targets, as well as the complexity of the threat, leaves intelligence agencies or military contractors as the most likely creators of the cyberattack tool.

Very spooky software

Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.

The experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, F-Secure cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, the firm adds.

By contrast the best theory about the creation of Stuxnet was that it was created by Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – possibly with US assistance, and tested against similar centrifuges at Dimona.

A show-reel screened during the retirement of Gabi Ashkenazi, former IDF Chief of Staff, cited Stuxnet as an operational success, The Daily Telegraph reports. The Stuxnet code can be read to include references to various significant dates such as the date in 1979 when Habib Elghanian, a Persian Jew, was executed in Tehran.

The Stuxnet malware contains a string called MYRTUS, which might correspond to Queen Esther, a figure from the apocryphal Book of Esther who informs the Persian King Xerxes, her husband, of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born Hadassah, which means Myrtle tree in Hebrew.

This is nice fodder for conspiracy theories, but it's much more likely that MYRTUS is a misspelling of "My RTUs" – a management feature of SCADA industrial control systems.

Flame is best described as a cyber-espionage toolkit that establishes a backdoor, and spreads via infected USB devices and local networks – under the control of its unknown masters. The initial mode of infection likely involved planting the malware in a machine using an infected USB drive, then allowing it to spread within a targeted network, but no further.

Cyber-espionage attacks of the type commonly blamed on China tend to involve spoofed emails with booby-trapped documents. Western agents, by contrast, seem to prefer avoiding email as a delivery mechanism, instead relying on infected memory sticks to spread viruses.

Components of Flame include units named Bunny, Frog, Munch and BeetleJuice - a different naming scheme stripped of the mythical and political significance that might be attached to naming schemes used in Stuxnet, for example.

It's all hyperbollox

The spread of Flame has largely been confined to one corner of the globe, but this sort of geographical targeting isn't out of the ordinary, according to Rik Ferguson of Trend Micro.

"Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently," Ferguson writes.

"Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of modular information stealing Trojan.

"In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT.

"Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key-logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics."

Ferguson concludes that stripped of the hype, Flame is reduced to a "big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself". Flame's one unique claim to fame, according to Ferguson, is that it uses the Lua programming language, and "that’s unique in malware terms I guess, but not something that elevates the inherent risk".

While unknown in the field of virus creation, Lua is widely used elsewhere, most notably by computer game-makers such as Rovio for Angry Birds.

How did it slip under the radar?

The stealthy spread of Flame for at least two years before it was detected has provoked some soul-searching among segments of the security vendor community. Similarly long lags preceded the detection of Stuxnet and Duqu.

Wieland Alge, general manager EMEA at Barracuda Networks, commented: “The scariest and most shocking aspect is the length of time that Flame has remained undetected. Kaspersky’s own security experts estimate that Flame has been infecting systems and stealing data for several years, possibly as long as five years."

Mikko Hypponen, chief research officer at F-Secure, said the extended run of Flame and Stuxnet prior to their discovery ought not to have happened and pointed to a failure by security vendors. Hypponen is breaking the party line in even suggesting this, with most vendors spinning that Flame did not spread very far and that this was the reason why it escaped detection for so long.

"The worst part of Flame? It has been spreading for years," Hypponen writes. "Stuxnet, Duqu and Flame are all examples of cases where we – the antivirus industry – have failed. All of these cases were spreading undetected for extended periods of time."

Hypponen's colleague Sean Sullivan later qualified these remarks, in a blog on the Flame outbreak, by saying that commercial antivirus products are not really designed to defend against targeted, state-sponsored spyware.

"Commercial-based antivirus and security products are designed for and focus on protecting you from prevalent classes of in the wild threats coming from criminals, thugs and digital mobsters (and it's a constant battle)," he said. "It is not designed to protect you from the digital equivalent of Seal Team Six. So if you're the guy that finds himself in the crosshairs... you're not safe."

Sullivan goes on to argue that even though the technology used by Flame was hardly innovative, its deployment was sophisticated.

"Flame is a 'limited edition' spy tool with a limited scope that was used very carefully. It didn't need to evolve. Clearly there was advanced planning involved, but that doesn't necessarily make it what we would call advanced technology."

James Todd, technical lead for Europe at FireEye, issued a blunter criticism against the shortcomings of antivirus software highlighted by the Flame outbreak: "The fact that Flame evaded detection for so long, and by so many different antivirus tools is deplorable, and proves that the speed at which malicious malware is developed is just steamrolling those organisations trying to keep up."

Secret's out

Security vendors are almost unanimous in saying that Flame poses little or no threat to anyone – even the targeted system administrators in the Middle East – now it has been detected. "Flame is no longer a secret and so it will therefore be abandoned... Op sec has been compromised," F-Secure's Sullivan concludes.

Ollmann argues that Flame stayed under the radar because it was carefully managed, rather than because of the information security failing of its victims or the technologies they used.

He explained: "It would be simple to argue that these regions aren’t known for employing cutting-edge anti-malware defences and aren’t well served with local-language versions of the most capable desktop antivirus suites, but I think the answer is a little simpler than that: the actors behind this threat have successfully managed their targets and victims – keeping a low profile and not going for the masses or complex setups."

Henry Harrison, BAE Systems' technical director, said the massive fuss about Flame has deflected attention from the wider cyber-espionage danger. He argued that security firms are talking up the importance of various threats in an attempt to generate publicity for themselves and buzz about the products they sell.

"Individual cases such as Flame – and, a little while back, Shady RAT – are heavily publicised by the security firms who investigate them, but the sad reality is that this sort of attack is not at all unusual," he said.

"Targeted data-stealing attacks are a common phenomenon – but in most cases they don't get reported. That's either because the companies affected didn't report the attacks, for fear of reputational damage, or – most of the time – because the attacks are so successful that the targets don't even realise that their data has been stolen. What is newsworthy here is not so much the attack, but the very fact that it has been reported."

It's like analysing the blueprints for a whole city

Meanwhile, back at the coal-face, antivirus analysts are attempting to figure out the internals of Flame, a process likely to take months if not years.

"Full understanding of Flamer requires analysing approximately 60 embedded Lua scripts, reverse-engineer each of the sub-components, then piece it back together," Symantec explains. "As an analogy, reverse-engineering Flame as opposed to standard malware is like re-creating an architectural drawing, not just for a single house, but for an entire city.

"The threat is a well designed platform including, among other things, a web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality." ®