Flame

by Andy on May 31st, 2012 in Industry and Security News.

On 28th May 2012, Iran National CERT published a report describing a new and complex threat dubbed “Flame” that was thought to be responsible for incidents of “mass data loss in Iran”. The report linked this newly discovered threat with the notorious Stuxnet and Duqu attacks.

Shortly after, the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics published a report describing an apparently identical threat, which it named sKyWIper, that may have been active “for as long as five to eight years”.

Flame may be the most advanced and complex malware toolkit discovered to date. Analysis is still at an early stage, but at around 20 MB (roughly twenty times the size of Stuxnet and a hundred times that of typical malware built to steal financial information) it is likely to take years to understand fully.

While there are technical similarities to Stuxnet, such as the exploitation of the MS10-061 (Print Spooler) and MS10-046 (LNK shortcut) vulnerabilities, Flame, unlike Stuxnet, was designed not to cause damage but to silently collect information.
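The practical takeaway from the reuse of MS10-061 and MS10-046 is that a fleet which has been patched against Stuxnet has already closed those two doors to Flame. The script below is an added example, not code from the original post or from any of the reports it cites: it checks one or more Windows hosts for the corresponding updates. The KB numbers (KB2286198 for MS10-046, KB2347290 for MS10-061) are taken from the Microsoft bulletins; the function name and output shape are this example's own.

```powershell
# Added example (not from the original post): verify that the two patches
# Flame reuses from Stuxnet are installed on one or more Windows hosts.
# KB numbers are those of the Microsoft bulletins MS10-046 (KB2286198, LNK
# shortcut handling) and MS10-061 (KB2347290, Print Spooler); confirm them
# against the bulletins for the OS versions in your estate before relying on this.
$RequiredPatches = @{
    'MS10-046' = 'KB2286198'
    'MS10-061' = 'KB2347290'
}

function Test-FlamePatchLevel {
    # Hypothetical helper name; returns one object per host and bulletin.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target host.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        } catch {
            # Unreachable host or access denied: report it rather than skip silently.
            [pscustomobject]@{
                Computer = $computer
                Bulletin = 'n/a'
                KB       = 'n/a'
                Status   = "error: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($bulletin in ($RequiredPatches.Keys | Sort-Object)) {
            $kb = $RequiredPatches[$bulletin]
            [pscustomobject]@{
                Computer = $computer
                Bulletin = $bulletin
                KB       = $kb
                Status   = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
            }
        }
    }
}

# Usage: check the local machine, or pass a list of hosts.
Test-FlamePatchLevel | Format-Table -AutoSize
# Test-FlamePatchLevel -ComputerName 'ws01','ws02','srv-print' | Where-Object Status -ne 'installed'
```

One caveat: Get-HotFix only lists updates registered in Win32_QuickFixEngineering. A host that received the fix through a service pack or a later cumulative update may not show the original KB even though it is no longer vulnerable, so treat a MISSING result as a prompt to check the OS build and Windows Update history, not as proof of exposure.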

Flame has advanced functionality for capturing a wide variety of data in many ways. It monitors machines for useful intelligence in emails and documents, sniffs network traffic to intercept sensitive data, takes screenshots when applications such as instant messengers are running, logs keystrokes, records audio if a microphone is present, and more. It also appears able to scan for nearby Bluetooth devices and to advertise the infected machine as a discoverable device.

When an internet connection is available, Flame connects to its command-and-control servers to download new modules and periodically upload the collected data.

Flame also attempts to identify software that could threaten it, such as firewalls and anti-virus products.

It is clear that Flame is atypical of “regular malware”: it was not developed by cybercriminals to steal money from banks, and it is vastly more sophisticated than the tools deployed by hacktivists. Speculating that a nation state had a hand in such a complex espionage tool is therefore not unreasonable, especially given the location of the targets: Iran, Syria and other Middle Eastern countries.

Analysis of Flame is still at an early stage; more information will become available over the coming days and weeks.

Further reading:
http://www.certcc.ir/index.php?name=news&file=article&sid=1894
http://www.crysys.hu/skywiper/skywiper.pdf