Researchers Identify Stuxnet-like Cyberespionage Malware Called ‘Flame’
By Lucian Constantin
PCWorldMay 28, 2012 11:50 am PDT
A new, highly sophisticated malware threat that was predominantly used in cyber espionage attacks against targets in the Middle East has been identified and analyzed by researchers from several security companies and organizations.
According to the Iranian Computer Emergency Response Team (MAHER), the new piece of malware is called Flamer and might be responsible for recent data loss incidents in Iran. There are also reasons to believe that the malware is related to the Stuxnet and Duqu cyberespionage threats, the organization said on Monday.
Malware researchers from antivirus firm Kaspersky Lab have also analyzed the malware and found that while it is similar to Stuxnet and Duqu in terms of the geographic propagation and targeting, it has different features and it is, in many ways, more complex than both of those threats.
Flame, as the Kaspersky researchers call it, is a very large attack toolkit with many individual modules. It can perform a variety of malicious actions, most of which are related to data theft and cyber espionage.
Among other things, it can use a computer’s microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.
Spreading Slowly, Quietly
One of the toolkit’s first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.
Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone, Kamluk said.
Another interesting aspect of the threat is that some parts of Flame were written in LUA, a programming language that’s highly uncommon for malware development. LUA is often used in the computer gaming industry, but Kaspersky Lab hasn’t seen any malware samples before Flame that were written in the language, Kamluk said.
Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet.
The Kaspersky researchers haven’t found any evidence of an unknown (0-day) vulnerability being exploited by this malware, but Flame is known to have infected a fully patched Windows 7 computer, so they don’t completely exclude the possibility, Kamluk said.
When infecting computers that are protected by antivirus programs, Flame avoids performing certain actions or executing malicious code that might trigger a proactive detection from those security applications. This is one of the reasons that the malware flew under the radar for so long, Kamluk said.
By checking the data from its worldwide network of malware sensors, Kaspersky Lab has managed to identify current and past Flame infections in the Middle East and Africa, predominantly in countries like Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
However, antivirus vendor Symantec also identified past infections in Hungary, Austria, Russia, Hong Kong and the United Arab Emirates. The company doesn’t dismiss the possibility that these infection reports originated from laptops that were temporarily taken abroad by travellers.
It’s hard to tell what type of information the Flame authors are after, giving the wide variety of data that the malware can steal and send back to the command and control servers. A decision regarding which of the malware’s modules and functionality to use is probably taken by the attackers for each particular target on a case-by-case basis, Kamluk said.
The targeted organizations don’t seem to follow an industry-specific pattern, either. The malware has infected computers belonging to government agencies, educational institutions and commercial companies as well as computers owned by private individuals.
As with Duqu and Stuxnet, it’s not clear who created Flame. However the malware’s complexity and the amount of resources required to build something like it has led security researchers to believe that it was created or sponsored by a nation state.
Kaspersky’s researchers didn’t find any evidence that could tie the malware to a specific country or even region. However, there is some text written in English inside the code, Kamluk said.
“Examination of the code also leads Symantec to believe the malware was developed by a natively English speaking set of developers,” a Symantec spokesman said via email. “No further observations have been made which could assist in locating the origin of the malware.”
Researchers from the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics, which played an important role in the discovery and analysis of Duqu, have also released a report on the Flame malware, which they call “sKyWIper.”
“The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” the CrySyS researchers said in their report. “sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”