Focus on Flame, the most sophisticated cyber weapon ever seen
The Flame (also known as sKyWIper and Flamer) is considered to be more complex than Stuxnet, and it “might be the most sophisticated cyber weapon yet unleashed”.
Researchers from the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics and Kaspersky Lab have practically simultaneously revealed details of their research into this toolkit, and while the latter say they have detected the malware on systems located in the Middle East (most of all Iran).
- Stuxnet worm Origins
- Public-private cooperation in cyber-security
- Industry thought leaders share cybersecurity insights for 2012
- Improving global cyber governance
- Controlling the internet
- 2011 AFCEA Homeland Security Conference
Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.
“It one of the most advanced and complete attack-toolkits ever discovered,” states International Telecommunication Union (ITU). “The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet.”
It is now clear that the Flame malware is largely used as a cyber espionage tool.
Preliminary findings indicate that this malware has been ‘in the wild’ for more than two years – since March 2010, but CrySyS Lab said it has potentially been running for five years or more, as one of its drivers was spotted on 5 December 2007.
Flame cyber-attack campaign is still ongoing, and that the toolkit has the ability to deinstall and wipe all traces of itself once the attackers are done with a particular system.
How it works?
“First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed about 20 times the size of Stuxnet. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine,” Kaspersky Lab’s Alexander Gostev explained.
It’s primary goal is to slurp as much information it can from affected systems and send it to C&C servers, and the modules are there to ensure that that happens thoroughly.
Among the capabilities of this toolkit are the ability to take screenshots, record audio data via the computer microphone, collect information about discoverable Bluetooth devices near the infected machine, attack and infect additional machines, open backdoors, sniff the traffic on an infected machine’s LAN in order to collect usernames and password hashes being transmitted back and forth, and more.
The group behind Flame targeted different systems, among which were those used by private companies, private individuals, academics, etc.
They also intentionally changed the dates of creation of the files in order to make it difficult for researchers to discover when the toolkit and its modules were created.
Flame has worm capabilities, as it is able to replicate on both local networks and on removable devices, if it is commanded to do so. It can also look at network traffic, take screenshots when “interesting” applications like instant messaging apps are running, record audio conversations from an infected PC’s microphone and do some keylogging. Further functionality can be added via plug-ins whenever the attackers want.
One of the most idiosyncratic things about Flame is the inclusion of a virtual machine written in LUA. This language can interact easily with C++, which is what much of Flame is written in. “Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame,” Gostev said.
It even has Bluetooth capabilities, as it is able to pick up on signals as well as turn the infected system’s Bluetooth on.