Skip to content

Call it Flame, Flamer or Skywiper … it’s a new cyber weapon

by paganinip on May 28th, 2012
flaming

The day is come, The Iranian Computer Emergency Response Team (MAHER) announced to have discovered a new targeted malware which has hit the country, that has been named Flame (also known as Flamer or Skywiper due the name of  its main modules).

In an official statement the Iranian experts declared that following the intensive researches on the malware Stuxnet and Duqu since 2010 they have detected a new agent responsible of a new wave of attacks. The malware has been named “Flamer” due one of the attack modules code isolated and decrypted.

What is really interesting is the capability of the malware to dynamically change its behavior thanks the possibility to receive and install different modules projected for specific goals. Another interesting feature is that the malware is actually able to be undetectable by all the 43 tested anti viruse software.

The Maher center has developed a specific detector delivered only to selected organizations and companies in first days of May, and it’s working on the realizzation of a removal tool that will be soon delivered.

Following some feature of the malware listed in the announced of the center:

  1. Distribution via removable medias
  2. Distribution through local networks
  3. Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  4. Scanning the disk of infected system looking for specific extensions and contents
  5. Creating series of user’s screen captures when some specific processes or windows are active
  6. Using the infected system’s attached microphone to record the environment sounds
  7. Transferring saved data to control servers
  8. Using more than 10 domains as C&C servers
  9. Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  10. Bypassing tens of known antiviruses, anti malware and other security software
  11. Capable of infecting Windows Xp, Vista and 7 operating systems
  12. Infecting large scale local networks

The specialists of the center are sure that the malware is a new cyber weapondue its complexity level and propagation methods, they don’t exclude that recent mass data loss in Iran could be related to the attack of the malware.  The malware seems target mainly windows platform running Windows XP, Vista and Windows 7 and the isolated istances of the agents are capable of password and data stealing, sniffing network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on.  All the collected data could be sent to the to Flame’s command-and-control servers. Curious the usage of Bluetooth protocol, once the victim has the functionality turned on, Flame is able to collect information about discoverable devices nearby.

It’s not yet clear with is the entry point for Flame malware, the principal suspects address the exploit of a Microsoft vunerability.

According Kaspersky lab experts the malware has hit mainly the Middle East area and it is considered a very sophisticated cyber weapon with main purpose of cyber espionage. The team has defined Flame as a sophisticated attack toolkit which condenses the characteristics of a backdoor, a Trojan, and a worm. It’s able to spread itself within a local network and on removable media.

They have defined the malware as the most complex threats ever discovered. Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

 

The malware seems to be active since 2010, same period of Stuxnet, but analyzing its complexity the expert believe that is the result of a parallel intelligence project. Today several C&C servers exist around the world, about a dozen different C&C domains, run on several different servers.

Another feature of the malware is the size of its package, almost 20 MB including many different libraries and a LUA virtual machine. LUA is a cross-platform scripting language with “extensible semantics”. Many mosules of Flame have been written using the scripting language and interfacing it with subroutines and libraries compiled from C++, the use of LUAlanguage is very uncommon such as the large size of the toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame.

The experts that have analyzed the malware noted an internal use of local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more, making the attack very significant.

Who has developed the malware?

Flame is really different form Stuxnet and Duqu, they are results of separated projects that have had the same target.

Assuming this is a cyber weapon we have the following scenarios:

  • Two separate development groups sponsored by hostile governments have decided to adopt a cyber military option.
  • The same government or coalition of states has decided to unleash a powerful attack against Iran’s nuclear program, attacking on several fronts the country using Stuxnet as a powerful distraction to keep hidden over time agents such as Duqu and the new Flame.

Why do believe that Flame is a cyber weapon?

Because cybercrime and hacktivism make a different usage of malware and because it has been used for targeted attacks in a confined geographic area.

The cyber war is begun

Pierluigi Paganini