May 30, 2012

Flame Spyware

“A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyber-espionage operation.” (Wired Article)

Sounds scary, doesn’t it? This massive spyware was discovered recently by Kaspersky and is believed to have been around for at least two years without discovery. Kaspersky Lab is calling it “one of the most complex threats ever discovered.” Cyber-warfare has taken another step, and it is one we might not like very much. The more we find out about it, the scarier it becomes.

First, this is not your average virus. It hides itself very well, it is huge (20 MB+), and its size and abilities can be increased or decreased as well. Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots (about every 15-30 seconds) of activity on the machine, such as instant-messaging and e-mail communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

It is loaded as a smaller 6 MB file, and then unpacks itself and decrypts the code inside. Once the modules are unpacked and loaded, the malware connects to one of about 80 command-and-control domains to deliver information about the infected machine to the attackers and await further instruction from them. The malware contains a hardcoded list of about five domains, but also has an updatable list, to which the attackers can add new domains if these others have been taken down or abandoned.
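A defender-side illustration of the fallback behaviour described above, added here and not taken from Kaspersky's analysis or from Flame itself: since the malware can move on to another domain when one has been taken down, a resolver log can be searched for clients that fail on several names in a row and then resolve a different one. The log format, the thresholds and the `.example` domain names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: time, client IP, queried name, response code.
SAMPLE_LOG = """\
2012-05-30T10:00:01 10.0.0.5 c2-alpha.example NXDOMAIN
2012-05-30T10:00:03 10.0.0.5 c2-bravo.example NXDOMAIN
2012-05-30T10:00:06 10.0.0.5 c2-charlie.example NXDOMAIN
2012-05-30T10:00:09 10.0.0.5 c2-delta.example NOERROR
2012-05-30T10:00:02 10.0.0.7 www.example.org NOERROR
2012-05-30T10:05:00 10.0.0.7 typo-site.example NXDOMAIN
2012-05-30T10:05:04 10.0.0.7 mail.example.org NOERROR
"""

def parse(log):
    """Yield (timestamp, client, domain, rcode) tuples from the log text."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, domain, rcode = parts
        yield datetime.fromisoformat(ts), client, domain.lower().rstrip("."), rcode

def find_failover_chains(log, min_failures=3, window_s=60):
    """Alert on clients that fail on >= min_failures distinct domains and then
    resolve a different one, all within window_s seconds."""
    by_client = defaultdict(list)
    for rec in sorted(parse(log)):
        by_client[rec[1]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        failed = {}  # domain -> time of its most recent failed lookup
        for ts, _, domain, rcode in recs:
            # Forget failures that have aged out of the time window.
            failed = {d: t for d, t in failed.items()
                      if (ts - t).total_seconds() <= window_s}
            if rcode in ("NXDOMAIN", "SERVFAIL"):
                failed[domain] = ts
            elif rcode == "NOERROR" and domain not in failed and len(failed) >= min_failures:
                alerts.append({"client": client, "failed": sorted(failed),
                               "resolved": domain})
                failed = {}  # start a fresh chain after alerting
    return alerts

if __name__ == "__main__":
    for alert in find_failover_chains(SAMPLE_LOG):
        print(alert)
```

Ordinary software also produces short runs of failed lookups, so the thresholds need tuning against normal traffic before alerts from a check like this are trusted.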

The file does not spread automatically; it must be told to do so by the command-and-control server. This is believed to be deliberate, so that it could run for a longer time without being found, rather than spreading all over the place and making a big “splash”. Kaspersky estimates that Flame has infected about 1,000 machines. The researchers arrived at this figure by calculating the number of its own customers who have been infected and extrapolating that to estimate the number of infected machines belonging to customers of other antivirus firms.

So why does this affect us if it is strictly overseas (Middle East, Iran specifically)? The software is out there, it is now in other people’s hands, and no matter how secure we assume the encryption is, it can still be learned from. Instead of just keystrokes being recorded, now it is audio and possibly video. Phones can be connected to, and information can be taken from just about anywhere. Privacy and security are becoming more and more important, and yet they are becoming more and more at risk.

Finding out how to defend ourselves from cyber attacks (not just protecting the government, but us personally) is a very important thing for IT security specialists to focus on. The more we are at risk, the more we must focus on defense, not just offense. Hopefully security specialists will begin to be appreciated, and will therefore be rewarded for their work on a comparable level to other IT specialists.
