FLAME THE SWISS ARMY KNIFE OF ESPIONAGE
Sean Harrison (A00162845)
1. INTRODUCTION
Flame is a sophisticated malware system that shares similarities with Stuxnet, although Flame is much more extensive in terms of complexity and size: 20 MB or larger when all modules have been installed, against Stuxnet's 500 KB. Also known as Skywiper or Flamer, Flame was discovered by Kaspersky Lab in 2012 following a significant increase in infected systems in Iran and other countries in the Middle East and North Africa over the preceding two years.
After infecting a PC or device, Flame spies on the machine's activity and steals data from it using keystroke monitoring and packet sniffing functionality, as well as backdoor capabilities that allow the attackers to update the malware and trigger or erase it as desired. The Flame malware features numerous levels of encryption as well as more than 20 different modules and plug-ins that can be swapped in and out for added functionality. One distinguishing characteristic of Flame is that part of its code has been written in Lua, a programming language frequently used for developing video games rather than malware. [1]
Additional unique characteristics of Flame include scanning for Bluetooth-enabled devices in order to steal data and infect the devices with Flame, the ability to turn on a computer's internal microphone in order to secretly log conversations, and code for taking frequent screenshots of activity such as email and instant messaging and secretly uploading the screenshots to command and control servers.
As with Stuxnet, experts believe that Flame is so complex and well coordinated that it likely
was created and conducted with nation state support rather than by typical cyber criminals,
although no countries have taken responsibility for the malware to date.
The above diagram highlights the origin of Flame's name. [2]
2. BREACHES
The below diagram shows the number of confirmed attacks per country which took place in the Middle East and North Africa. [1]
2.1. TIMELINE
- February 2010 - Estimated start of Flame operations.
- April 2012 - Flame suspected of attack that caused Iranian officials to disconnect its oil terminals from the internet.
- May 2012 - Flame uncovered by Iran's CERT, Kaspersky Lab and CrySys Lab of Budapest University.
- 28 May 2012 - Iran's CERT releases Flame detection and removal tool.
- 08 June 2012 - Some command and control servers sent a suicide command to infected PCs to remove all traces of Flame.
2.2. WHAT DOES FLAME DO?
Flame collects many kinds and formats of information from a victim's computer. It can:
- Collect basic information about the infected system and local network.
- Record network connections.
- Search for and steal files based on name patterns.
- Record audio (Skype).
- Take screenshots and record keystrokes.
- Grab clipboard contents.
- Scan for locally available Bluetooth devices.
2.3. DEPLOYMENT
Flame has two modules designed for infecting USB drives, called Autorun Infector and Euphoria. These two modules have not been seen in action, maybe due to the fact that this feature appears to be disabled in the configuration data. Nevertheless, the ability to infect USB drives exists in the code, and it uses two methods:
i. Autorun Infector: the Autorun.inf method from early Stuxnet, using the shell32.dll trick. What is interesting here is that this specific method was used only in Stuxnet and has not been found in any other malware since.
ii. Euphoria: spreads on media using a junction point directory that contains malware modules and an LNK file that triggers the infection when this directory is opened. Experts investigating found that their samples contained the names of the files but did not contain the LNK itself.
In addition to these, Flame has the ability to replicate through local networks. It does so using the following:
i. The printer vulnerability MS10-061 exploited by Stuxnet, using a special MOF file executed on the attacked system via Windows Management Instrumentation.
ii. Remote job tasks.
iii. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
2.4. DATA COLLECTION
What is of particular importance here is that Flame won't store leaked documents until it is sure that the specific USB drive has been plugged into a system with internet access, or, to be more precise, a system that succeeded in contacting the command and control servers. It knows this for sure from its database, since everything is logged. Why it behaves like this, one might wonder: because this is how it ensures that it has the best chance to contact home and send leaked data to the attacker.
When the USB drive is plugged into the computer with internet access, Flame queries the database on the USB drive and takes all the stolen documents, if there are any. Then it makes room on the memory stick by cleaning the database of all the material that was successfully grabbed. Later the data is sent over HTTPS in compressed form.
Another important point is that we assumed both devices are infected with Flame. This is not necessarily required, because Flame can use its worm abilities against the targeted system in order to infect a device with internet access when the USB drive is plugged into it. However, it appears that this worm ability is inactive. This is somewhat obvious, because Flame has to control the spreading mechanism for this espionage machinery and ensure that it remains hidden. Given the complexity of this threat, an attacker would not want to lose control of the situation.
So, how is the USB drive carried between the two systems? Here is where the human factor kicks in, and it is impressive how two instances of Flame communicate with one another using a USB drive and a human as a channel. A secret private channel is created between two machines, and the person carrying the USB drive has no idea that they are actually contributing to the data leak. This operation could also be achieved by an insider (a spy) who intentionally carries the drive from the restricted network that is being spied on to a system with internet access.
The above diagram shows Flame's methods of infection.
3. EFFECTS OF BREACH
3.1. CYBER-WARFARE TO CONVENTIONAL WARFARE
Flame is another step in the discovery of cyber threats that have probably been developed
with the support of a nation state. Investigating and reacting to Flame is an important step
in understanding the nature of possible cyber warfare.
Cyber warfare refers to politically motivated sabotage, espionage and crippling of important infrastructure through dedicated cyber-attacks. Because of the growing dependence upon electronic devices in the modern world, as well as the interconnection of many systems, the disruption of computers and networks can cripple critical infrastructure. In the worst case, this could lead to turmoil at a local, regional and even international level, causing significant damage to economies and people's safety. Potentially, financial systems, power grids, telecommunications, transport and other types of infrastructure are all highly vulnerable to this type of threat. Importantly, cyber warfare could also trigger conventional warfare, considering that a number of states have already stated that cyber attacks would be seen as an act of war requiring retaliation with conventional warfare.
3.2. ANTI-VIRUS INDUSTRY CRITICISM
The security software industry has a dirty little secret: its products are often not very good at stopping viruses and malware. Consumers and businesses spend billions of dollars every year on antivirus software. But these antivirus programs rarely, if ever, block freshly created computer threats, experts say, because the virus and malware creators move too quickly.
The truth is that consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation states with bulging budgets. They can protect you against typical malware: keystroke loggers, banking trojans and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus solutions on purpose. And the zero-day exploits used in these attacks are, by definition, unknown to software security companies. As far as can be told, before releasing their malicious code to attack victims, the attackers tested it against all of the relevant antivirus solutions on the market to make sure that the malware wouldn't be detected. They have unlimited time to hone their attacks. It's not a fair conflict between the attackers and the defenders when the attackers have access to the defenders' weapons.
Flame was a failure for the whole security software industry.
4. MISTAKES MADE
4.1. DIGITALLY SIGNED MALWARE
The developers of Flame were able to create fraudulent Microsoft digital certificates due to
Microsoft’s use of the weak MD5 algorithm (proven breakable in 2005). These fraudulent
certificates were used as part of HTTP man-in-the-middle attacks to distribute and install the
Flame malware rapidly as a bona fide Microsoft update by masquerading as the Windows
Update service.
The above diagram shows the offending Microsoft certificate. [7]
Sequence of events:
i. Microsoft certificate
- Microsoft certificates based on the MD5 hash algorithm were targeted
- A certificate was remanufactured (using the cracked MD5 algorithm), which made it look like a genuine certificate
- Hackers set up a man-in-the-middle attack to get between Microsoft and the targeted machines
- The targeted machines thought they were dealing directly with Microsoft
ii. Licensing and update services were attacked and compromised
- Microsoft licensing
- Windows update
iii. Code signing
- Code was signed using the fake certificate
- Windows allowed the malware to run and install
iv. Flame malware
- Stole small parts of files
- Sent them to over 80 different DNS names (URLs)
- If the content looked valuable, the malware was instructed to get more
In response to Flame, Microsoft issued an emergency patch that explicitly identified the
fraudulent certificates as Untrusted Publishers within Windows. This patch, once
implemented, should protect organizations from the specific Microsoft MD5 vulnerability
that was exploited by the Flame developers. MD5-based certificates were the open door, or
attack vector, that allowed Flame to work. Microsoft closed their door by rendering the
Microsoft specific MD5 certificates invalid.
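The weakness described above was that an MD5-signed certificate was accepted as trustworthy. As an added, defender-side illustration (not the paper's own material, and containing no data from the Flame incident), the following Python walks the DER encoding of a certificate and flags any MD5-based algorithm identifier it finds; the sample bytes at the bottom are constructed AlgorithmIdentifier structures, not real certificates.

```python
# Well-known OIDs for MD5-based algorithms (ITU-T X.690 dotted form).
MD5_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.2.5": "md5",
}

def _read_length(buf, pos):
    # DER length: short form (< 0x80) or long form (0x80 | n, then n bytes).
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(content):
    # Content octets of an OBJECT IDENTIFIER -> dotted notation.
    arcs = list(divmod(content[0], 40))          # first byte packs two arcs
    value = 0
    for b in content[1:]:                        # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def iter_oids(buf):
    # Walk DER TLVs recursively (low-tag-number form) and yield every OID.
    pos = 0
    while pos < len(buf):
        tag, pos = buf[pos], pos + 1
        length, pos = _read_length(buf, pos)
        content = buf[pos:pos + length]
        if tag == 0x06:                          # OBJECT IDENTIFIER
            yield decode_oid(content)
        elif tag & 0x20:                         # constructed type: descend
            yield from iter_oids(content)
        pos += length

def find_md5_oids(der):
    # Sorted list of MD5-related OIDs present anywhere in the DER bytes;
    # a non-empty result means the certificate should not be trusted.
    return sorted({oid for oid in iter_oids(der) if oid in MD5_OIDS})

# Constructed samples (assumption, not real certificates): an AlgorithmIdentifier
# SEQUENCE { OID, NULL } nested in an outer SEQUENCE, as a signatureAlgorithm is.
MD5_SAMPLE = bytes.fromhex("300f300d06092a864886f70d0101040500")
SHA256_SAMPLE = bytes.fromhex("300f300d06092a864886f70d01010b0500")
```

For a PEM file, base64-decode the body between the BEGIN/END lines first and pass the resulting DER bytes to find_md5_oids.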
5. RECOMMENDATIONS
I. Keep antivirus definitions up to date, as well as operating systems and third-party software (Java, Flash).
II. Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
III. Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
IV. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.
V. Use a modern operating system, preferably in a 64-bit version that is more resilient to malware attacks.
VI. Practice safe computing: be careful opening attachments from unknown sources, do not publish private information on social networks, and use strong passwords.
REFERENCES
[1] Flame malware – more details of targeted cyber-attack in Middle East | Naked Security. 2013. [ONLINE] Available at: http://nakedsecurity.sophos.com/2012/05/28/flame-malware-cyber-attack/.
[2] The Flame: Questions and Answers - Securelist. 2013. [ONLINE] Available at: http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers.
[3] Flame: Bunny, Frog, Munch and BeetleJuice… - Securelist. 2013. [ONLINE] Available at: http://www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice.
[4] The Advanced Features of the Flame Malware | Fortinet Security Blog. [ONLINE] Available at: http://blog.fortinet.com/the-advanced-features-of-the-flame-malware/.
[5] FLAME – The Story of Leaked Data Carried by Human Vector | Bitdefender Labs. 2013. [ONLINE] Available at: http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/.
[6] Unique insight into Flame malware | OpenDNS. [ONLINE] Available at: http://blog.opendns.com/2012/06/01/unique-insight-into-flame-malware/.
[7] The Illusion of Trust – Digitally Signed Malware. [ONLINE] Available at: http://www.criticalstart.com/2012/06/the-illusion-of-trust-digitally-signed-malware/.