HEAT Security Blog

UPDATE: Flame Malware Has Evaded AV for 5 to 8 Years

June 4, 2012 UPDATE: Today, Microsoft issued Security Advisory 2718704 for attacks using unauthorized certificates from a Microsoft Certificate Authority. “This issue affects all supported releases of Microsoft Windows,” Microsoft said. Some techniques used in Flame could also be leveraged for less sophisticated, widespread attacks. Read their blog.

If you think antivirus has you covered, think again. New research shows malware targeting the Middle East, Flame, or Flamer, has successfully evaded AV detection for 5 to 8 years. Thought to be the next generation of state sponsored malware following Stuxnet and DuQu, this new malware is 20 times larger and seems to be for intelligence gathering. Most of the infected machines found to date are in Iran.

Figure 1: Source http://www.securelist.com/en/blog?weblogid=208193522

While Stuxnet utilized uncontrolled self-replication, DuQu introduced control over replication, which also seems to be a trait of Flamer. The infection vectors include two USB vectors along with the MS10-061 printer vulnerability and the ability to infect other users when an infected administrative user logs in to a domain.

Figure 2: Source http://www.securelist.com/en/blog?weblogid=208193522

Some of the more powerful intelligence gathering features of Flamer include:

  • Recording of audio from internal microphone
  • Bluetooth capabilities
  • Screen capture
  • SSL & SSH encrypted communications

A recent article on Flamer in Wired Magazine described the malware as follows:

“Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.”

It is believed that the malware is also known as SkYWiper by the Hungarian researchers at the Laboratory of Cryptography and System Security (CrySyS Lab.). They have released a comprehensive report on the malware that can be found here. The CrySyS Lab research briefing provides a deep look at the inner workings of the malware and includes an interesting comparison between Stuxnet / DuQu and SkYWiper (Flamer).

Comparing skyWiper to duqu and Stuxnet at first glance
Figure 3: Source: http://www.crysys.hu/skywiper/skywiper.pdf

How Powerful is Flamer?

It depends on what you compare it to. When assessing Flamer, consider legacy malware that was available over a decade ago, such as Netbus, Sub7 and “Back Orifice”, the popular (in its time) Windows malware from Cult of The Dead Cow, which clearly was more powerful than Flamer. Here are just some of the features of Back Orifice:

  • System control
    • Create dialog boxes with the text of your choice. Log keystrokes. Lock up or reboot the machine.
    • Get detailed system information, including:
      • current user
      • cpu type
      • windows version
      • memory usage
      • mounted disks (including hard drives, cdroms, removable drives and remote network drives) and information for those drives
      • screensaver password
      • passwords cached by the user (including those for dialups, web and network access, and any other password cached by the operating system)
  • File system control
    • Copy, rename, delete, view, and search files and directories. File compression and decompression.
  • Process control
    • List, kill, and spawn processes.
  • Registry control
    • List, create, delete and set keys and values in the registry.
  • Network control
    • View all accessible network resources, all incoming and outgoing connections, list, create and delete network connections, list all exported resources and their passwords, create and delete exports.
  • Multimedia control
    • Play wav files, capture screen shots, and capture video or still frames from any video input device (like a Quickcam).
  • Packet redirection
    • Redirect any incoming TCP or UDP port to any other address & port.
  • Application redirection
    • Spawn most console applications (such as command.com) on any TCP port, allowing control of applications via a telnet session
  • Integrated packet sniffer
    • Monitor network packets, logging any plain text passwords that pass
  • Plugin interface
    • Write your own plugins and execute the native code of your choice in BO’s hidden system process

Regardless of exactly “who” the State behind Flamer is, clearly Pandora’s box has been opened. More is sure to come, both in terms of additional intelligence gathering malware and, at some point, malware bent solely on retaliation.

8 thoughts on “UPDATE: Flame Malware Has Evaded AV for 5 to 8 Years”

  1. Just a question. How can this be the “next generation of state sponsored malware following Stuxnet and DuQu” if it’s been evading AV for the last 5 to 8 years? Seems more like a precursor to those to me…
