Meet ‘Flame’

Jroc

יעקב כהן
Oct 19, 2010
Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers

[Image: Flame infection map (Kaspersky)]


A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based antivirus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size — the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”


Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers | Threat Level | Wired.com
 
Flame Cyber Attack: Israel Behind Largest Cyber Spy Weapon Ever? - ABC News
A top Israeli official hinted today that his country could be behind the most sophisticated cyber espionage program ever developed, known as Flame, which infiltrated and has spied on computer systems throughout the Middle East, including those in Iran, for the past two years. "Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them," Israel's vice prime minister Moshe Yaalon told Israel's Army Radio today, referring to the cyber attack. "Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us."
Makes sense. The US and Israel WERE, after all, behind Stuxnet.
 
UN warns of cyberwar...
Flame: UN urges co-operation to prevent global cyberwar
7 June 2012
[Image caption: Dr Hamadoun Toure said the UN was working closely with developing countries' cyber-defences]
The UN has urged countries to seek a "peaceful resolution" in cyberspace to avoid the threat of global cyberwar.

The comments by the head of the UN's telecommunications agency came a week after Flame, one of the most complex cyber-attacks to date, was uncovered.

Dr Hamadoun Toure told the BBC that he did not suspect the US of being behind the attack.

He added that developing countries were being helped to defend themselves more adequately against threats.

Giving his first public interview about the attack, Dr Toure said the UN's International Telecommunications Union (ITU), which co-ordinates the sharing of communication infrastructure across the world, had been following the threat since May.

He said he did not consider Flame to be an act of cyberwar. "It hasn't reached that level yet as it has been detected in time," he added.

When asked about the attack's possible source, he said: "All indications are that Flame has been created by a nation state, that's clear.

"The ITU is not mandated to make a judgement on who is responsible. Our role is to work with partners to promote better co-operation."

However, Dr Toure said he had discussed the matter directly with some countries, but added: "I don't suspect that the US is behind it."

He said media reports suggesting US involvement in Stuxnet, a previous major attack, were "speculation".

'Weak link'

He told the BBC that it was important for UN member states to work closely to defend themselves against the emerging cyberthreat.

"There is a risk of cyberwar - but it's not necessary. That's what we're trying to do: prevent. We're saying the best way to win a war is to avoid it in the first place."

"As the UN, of course we are interested in making sure there is a peaceful resolution, and a peaceful approach to this.

"Our role is first to co-ordinate international efforts - not only sharing knowledge, but also training people, especially from developing countries because we want to avoid one country being a weak link in the whole process.

"Therefore, we're trying to see that there's a global effort to keep cyberspace free of politics, ideology and especially free of criminals."

He acknowledged that governments face a challenge in ensuring the safety of their citizens while preserving their freedom online - something Dr Toure said he considered a "basic right".

He added: "There is a fine line between security and freedom.

"Some people try to oppose them. We say no, we want both. You can't be free if you're not secure. You can't have privacy without security - that's why we want to have both."

Efforts to establish the source and full extent of the Flame attack are ongoing.

Kaspersky Labs, one of the companies which first revealed the malware, said this week that the attack sought mainly to steal technical documents from Iran.

BBC News - Flame: UN urges co-operation to prevent global cyberwar

See also:

Risks of boomerangs a reality in world of cyberwar
Sat, Jun 2, 2012 WASHINGTON (AP) — The Obama administration is warning American businesses about an unusually potent computer virus that infected Iran's oil industry even as suspicions persist that the United States is responsible for secretly creating and unleashing cyberweapons against foreign countries.
The government's dual roles of alerting U.S. companies about these threats and producing powerful software weapons and eavesdropping tools underscore the risks of an unintended, online boomerang. Unlike a bullet or missile fired at an enemy, a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. It's one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them.

The Homeland Security Department's warning about the new virus, known as "Flame," assured U.S. companies that no infections had been discovered so far inside the U.S. It described Flame as an espionage tool that was sophisticated in design, using encryption and other techniques to help break into computers and move through corporate or private networks. The virus can eavesdrop on data traffic, take screenshots and record audio and keystrokes. The department said the origin is a mystery. The White House has declined to discuss the virus.

But suspicions about the U.S. government's role in the use of cyberweapons were heightened by a report in Friday's New York Times. Based on anonymous sources, it said President Barack Obama secretly had ordered the use of another sophisticated cyberweapon, known as Stuxnet, to attack the computer systems that run Iran's main nuclear enrichment facilities. The order was an extension of a sabotage program that the Times said began during the Bush administration.

Private security researchers long have suspected that the U.S. and Israeli governments were responsible for Stuxnet. But the newspaper's detailed description of conversations in the Oval Office among Obama, the vice president and the CIA director about the U.S. government's responsibility for Stuxnet is the most direct evidence of this to date. U.S. officials rarely discuss the use of cyberweapons outside of classified settings.

 
Flame gets flamed-out...
Flame malware makers send 'suicide' code
8 June 2012
[Image caption: The malware is said to have infected more than 600 specific targets]
The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers. Security firm Symantec caught the command using booby-trapped computers set up to watch Flame's actions. Flame came to light after the UN's telecoms body asked for help with identifying a virus found stealing data from many PCs in the Middle East. New analysis of Flame reveals how sophisticated the program is and gives hints about who created it.

Clean machine

Like many other security firms Symantec has kept an eye on Flame using so-called "honeypot" computers that report what happens when they are infected with a malicious program. Described as a very sophisticated cyber-attack, Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data. Earlier this week Symantec noticed that some Flame command and control (C&C) computers sent an urgent command to the infected PCs they were overseeing.

Flame's creators do not have access to all their C&C computers as security firms have won control of some of them. The "suicide" command was "designed to completely remove Flame from the compromised computer", said Symantec. The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination. "It tries to leave no traces of the infection behind," wrote the firm on its blog. Analysis of the clean-up routine suggested it was written in early May, said Symantec.

Crypto crash

At the same time, analysis of the inner workings of Flame reveal just how sophisticated it is. According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as "prefix collision attack". This allowed the virus to fake digital credentials that had helped it to spread. The exact method of carrying out such an attack was only demonstrated in 2008 and the creators of Flame came up with their own variant. "The design of this new variant required world-class cryptanalysis," said cryptoexpert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam in a statement.

The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals because of the amount of time, effort and resources that must have been put into its creation. It is not yet clear which nation created the program.

BBC News - Flame malware makers send 'suicide' code
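The "prefix collision attack" the article mentions is a chosen-prefix collision against the hash used to sign a certificate; in Flame's case the hash was MD5, a detail not in the article but well established from later public analysis. The defensive consequence is simple: a relying party should refuse any certificate whose signature algorithm is built on a collision-prone hash, regardless of who issued it. The script below is an added example, not code from the BBC, Symantec, CWI or Kaspersky. It walks just enough DER to reach the outer `signatureAlgorithm` field of an X.509 certificate and rejects MD2/MD5/SHA-1 signatures. The certificate bytes it checks are hand-built placeholders that only mimic the top-level structure; the OID table and the `check_signature_hash` policy are this example's own assumptions.

```python
"""Flag X.509 certificates whose outer signature uses a collision-prone hash.

Added example (not from the article). The DER walker is deliberately minimal:
it decodes only the tag/length/value layer needed to reach the
AlgorithmIdentifier, and the sample certificates are constructed placeholders,
not real certificates.
"""
from typing import Tuple

# Assumption: signature OIDs a relying party should refuse (hash is collision-prone).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
OK_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the OID in Certificate.signatureAlgorithm (the outer, signed field)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate, skipped here
    tag, alg_id, _ = read_tlv(cert, pos)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def check_signature_hash(cert_der: bytes) -> Tuple[bool, str]:
    """Return (accept, reason); reject certificates signed over MD2/MD5/SHA-1."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIG_OIDS:
        return False, f"rejected: {WEAK_SIG_OIDS[oid]} ({oid}) is collision-prone"
    return True, f"accepted: {OK_SIG_OIDS.get(oid, oid)}"


# --- constructed sample certificates (top-level structure only, not real) ---
def der(tag: int, payload: bytes) -> bytes:
    """Encode a DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, out)


def fake_cert(sig_oid: str) -> bytes:
    """Placeholder Certificate: SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = der(0x30, der(0x02, b"\x01"))                       # stand-in tbsCertificate
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))     # OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAA" * 128)                  # stand-in signature bits
    return der(0x30, tbs + alg + sig)


MD5_CERT = fake_cert("1.2.840.113549.1.1.4")
SHA256_CERT = fake_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, cert in (("md5", MD5_CERT), ("sha256", SHA256_CERT)):
        print(name, check_signature_hash(cert))
```

The check reads the outer `signatureAlgorithm`, not the copy inside `tbsCertificate`, because the outer field is the one that names the hash actually used for the signature being verified; a production validator should additionally confirm the two agree and apply the same refusal to every certificate in the chain, since one weak link anywhere in the chain is enough.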