Behind the 'Flame' malware spying on Mideast computers (FAQ)
The Flame worm that has targeted computers in the Middle East is being called "the most sophisticated cyberweapon yet unleashed" by Kaspersky Lab researchers who discovered it. Lurking on computers for at least five years, the malware has the ability to steal data, eavesdrop on conversations, and take screen captures of instant message exchanges, making it dangerous to any victim. But a possible link to malware found on computers in Iran's oil sector has experts saying it's got to be the work of a nation-state.
CNET talked with Roel Schouwenberg, senior researcher at Kaspersky, the company that uncovered the malware, to find out who is behind it and how dangerous it really is.
What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting.
The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee's technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as "sKyWIper."
"Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit," Schouwenberg said. "We assume that we don't have all the modules that exist in the wild."
How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It's unclear what the initial point of entry is. "We expect to find a spear phishing e-mail with a Zero-Day exploit," Schouwenberg said.
Since we first published this FAQ, Microsoft has revealed that Flame gained a foothold by spoofing one of the company's own security certificates. Specifically, the virus tapped into rogue certificates for Microsoft's Terminal Server that appeared to be signed by the company and were therefore seen as legitimate. Microsoft has released security advisory describing the steps it's taking to remove the risk, including the issuance of a Windows patch to fix the security hole.
How long has Flame been around?
"We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that," Schouwenberg said Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United National's International Telecommunication Union for help in uncovering malware dubbed "Wiper" that was stealing and deleting sensitive information on computers in Iran's oil sector.
How does Flame relate to Wiper?
"Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental," Schouwenberg said. "So, we have an open mind to Wiper being a Flame plug-in." Iran's National Computer Emergency Response Team (CERT), which is called "Maher," said software to detect Flame was sent to companies in that country at the beginning of May and a removal tool is ready now. Recent incidents of mass data loss in Iran "could be the outcome of some installed module of this threat," the center said, speculating that attacks in which data from Iran's gas company computers may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.
Why wasn't Flame discovered earlier? Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. "Clearly it's another multimillion-dollar project with government funding, so one of the top priorities has been stealth," Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn't look malicious at first glance. "Flame authors have adopted the concept of hiding in plain sight," he said. Because Flame doesn't use a rootkit technology, free anti-rootkit tools won't be able to detect it. "Finding it is going to be more complicated," according to Schouwenberg.
Who created the malware?It's unclear who wrote and distributed the malware, but Schouwenberg said researchers believe it was a nation-state or someone hired by a nation-state because of the advanced nature of the threat. Just because the code is in English does not mean that an English-speaking country is behind it, he said when asked if he thought the U.S. and/or Israel are behind this malware as is believed with Stuxnet. Meanwhile, liberal Jewish blog Tikun Olam
cites an unidentified "senior Israeli source"as confirming that Israeli cyber warfare experts created Flame to "infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel's secret police including military intelligence."
Is it related to Stuxnet and Duqu? Flame shares some characteristics with two previous types of malware that targeted critical infrastructure systems and which used the same technology platform: Stuxnet and Duqu. Schouwenberg thinks the same entities are behind Flame. For instance, Flame and Stuxnet both spread via USB drive using the "Autorun" method and a .LNK file that triggers an infection when a directory is opened. Flame also can replicate through local networks using a Windows-based shared printer vulnerability that was exploited by Stuxnet as well. Kaspersky hasn't uncovered Flame using any previously unknown vulnerabilities, called "Zero-Days," but since Flame has infected fully patched Windows 7 systems through the network, there may be a high-risk Zero-Day being exploited. "We are operating under the assumption right now that basically Flame and Stuxnet were two parallel projects commissioned by the same nation-sate or states. The Stuxnet platform was created by one team or company and Flame by another tea m or company, and both teams had access to this common set of exploits," he said. Flame is 20 times larger than Stuxnet, which was previously believed to be the most sophisticated piece of malware ever.
How serious is this?
Kaspersky researchers believe there is much more to Flame than they know now. "We operate on the assumption there are other modules we don't know about, which could elevate Flame from cyber espionage to cybersabotage," Schouwenberg said. "Given the conservative method of spreading, we assume that the vast majority of infections we are seeing are intended targets ... The amount of manpower required to maintain this operation is very significant. Flame uses more than 80 C&C (Command and Control) servers, which we haven't seen before. This shows the amount of resources committed to this project."
Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by "Israel/Palestine," Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in "the Palestinian West Bank, Hungary, Iran and Lebanon." "With Flame, we haven't been able to say what binds all the targets together other than that they are in the same geographical region," Schouwenberg said. "We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don't know what type of data has been stolen." Victims include educational institutions, state-related organizations and individuals.
How widespread is Flame?
So far there are only estimates as to how widespread Flame infections are. Kaspersky researchers have seen between 300 and 400 infections on customer computers reporting back to them, but researchers speculate there could be more than 1,000 infected computers worldwide. Most of the infections are in Iran and other countries in the Middle East. There are a few in the U.S., and Schouwenberg said those could be due to someone in the Middle East using a virtual private network based in the U.S. to circumvent Internet filters in that country as opposed to genuine infections on U.S.-based computers. "We're looking into sinkholing (taking control of) some of the Command and Control servers and getting data from there to have a more accurate reflection of infections," Schouwenberg said.
Does it affect me?
Most of the major antivirus software now detects Flame, so updating your security software will protect you. Kaspersky also has offered tips for manually removing the malware. The software is not designed to steal financial data and does not seem targeted at consumers, so chances are your computer is safe.
What does this all mean?
While Flame represents another sophisticated cyber espionage attack, it's not exactly a harbinger of cyberwar. Countries have been conducting cyber espionage for years, but it wasn't until Stuxnet, with its links to the U.S. and Israel, that a Western country was fingered by researchers. Stuxnet is believed to have been designed to sabotage Iran's nuclear program after diplomatic and other efforts had failed. That said, Flame does show that sophisticated attacks on critical infrastructure are happening, and succeeding. "The good news is that like Stuxnet, Flame appears to be highly targeted," Eric Byres, chief technology officer and co-founder of Tofino Industrial Security, writes in a blog post. "But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware."
"You could call it military-grade malware, which is obviously a class above (other malware) and generally these are covert operations so remaining stealth is top-most priority," Schouwenberg said. "In the end, it was anti-malware that found this type of attack."
Editors' note: This FAQ was originally published May 30 at 2:40 p.m. PT. It has been updated since then with additional information, including on May 30 the Tikun Olam report of a source saying that Israel is behind Flame, and on June 4 with with details on Microsoft's security advisory to address the spread of Flame through rogue Microsoft security certificates.
Source
Tags:
Blog Archive
-
▼
2023
(215)
-
▼
January
(100)
- Mom Crochets Adorable E.T. Costume, Turns Son Into...
- An $80 Multipurpose Air Fryer Oven That Does It Al...
- HP Chromebook X2 Review: Gives Surface Pro, Pixel ...
- The Best Roomba Alternatives To Keep Your Floors C...
- Samsung Galaxy Watch 5 And 5 Pro: How Do They Comp...
- The Best Amazon Cyber Monday Deals You Can Get Rig...
- Motorola Moto Z Play Review: A Battery Beast
- Take Up To $250 Off Unlocked Galaxy S22 Plus Smart...
- 2022 Kia Carnival First Drive Review: A Luxurious ...
- Philips Airfryer Avance Collection Review: The Air...
- Tesla Revives Enhanced Autopilot For $6,000
- Brock Lesnar Just Made Wrestling Real In The Most ...
- Dell XPS 13 (winter 2013) Review: Still Can't Touc...
- EV Tax Credits: Manchin A No On Build Back Better ...
- 5 Predictions For Bitcoin, NFTs And The Future Of ...
- Dolly Parton's New 'Doggy Parton' Pet Products Inc...
- TikTok Is Reportedly Testing 5-minute Videos
- Facebook Hits Pause On Instagram Kids As Concern M...
- Nvidia In Advanced Talks To Buy Chipmaker Arm, Say...
- Ouya Teams With Xiaomi To Bring Video Games To China
- OLED Laptop Screens Are Worth It -- For Some
- IPhone 14 Is Trending Before The IPhone 13 Has Eve...
- Order Your Favorite TikTok Recipes From TikTok Kit...
- Save $47 On Nespresso's Sleek Vertuo Next With Mil...
- Apple Endorses AVIF Photo Format For A Faster Web ...
- 6 Spooky Google Home Tricks (and Treats) To Try To...
- TikTok Is Reportedly Testing 5-minute Videos
- YouTube Feature Looks To Help You Connect Your Pho...
- The Galaxy S21 Lineup Is Here, With A $200 Price C...
- Google's New Wallet App Is Available Globally, Rep...
- Roman Reigns' Heel Turn At Payback Is WWE's Boldes...
- Google Will Now Let You Limit Ads Around Pregnancy...
- Cut Cords And Clean Better With Up To 45% Off Shar...
- More People Need To Watch This Trippy Sci-Fi Gem O...
- Does Your Next Phone Really Need 5G? How To Decide
- Qualcomm Gets OK To Sell 4G Chips To Huawei, Despi...
- Snag A Kindle Kids E-Reader For As Low As $60 Toda...
- Worldwide Smartphone Shipments Tick Up, Driven Mos...
- Stop Pouring Vinegar Into Your Dishwasher. Here's Why
- 'She-Hulk' Episode 2 Drops Intriguing X-Men Reference
- Studio Ghibli's Movies Ranked To Celebrate Totoro ...
- Celebrate Joann's Anniversary With Up To 60% Off D...
- Best MacBook Pro Alternatives For 2022
- Xiaomi Shares Fall Nearly 6% On IPO
- Qualcomm, Amazon Boost Intel Plan To Leapfrog Chip...
- Snapchat Will Let You Change Your Username Soon
- Twitter Has Finally Announced An Edit Feature
- 'Hug Me' On TikTok: What To Know About The Popular...
- Being A First-Time Homebuyer Can Be Stressful. Her...
- World's Oldest Living Dog Is A Toy Fox Terrier Tha...
- It's 2022, And I'm Still Losing My Apple TV Remote
- Apple's M2 Chip Gives New MacBook Air A Speed Boost
- When Is Amazon Prime Day 2022?
- The Coolest Smartphones Are Hard To Find In The US...
- Faraday Future Only Has 401 Preorders For Its Firs...
- Pokemon Go Xurkitree Raid Guide: Best Counters And...
- WWE 2K20 Is Being Eviscerated By Fans For Its Insa...
- Tesla Recalls Over 54,000 Models Over FSD Update T...
- Scream Trailer: Neve Campbell, Courteney Cox Face ...
- Save Up To $250 On Apple's Powerful 14-Inch MacBoo...
- Behind The 'Flame' Malware Spying On Mideast Compu...
- What Is An Escrow Account And How Does It Work?
- Big Screen Bargain: This 17-Inch Gaming Laptop Is ...
- $500 Moto G Stylus 5G And $400 Moto G 5G Get 50MP ...
- Samsung Slashes Galaxy Z Flip 5G Price By $250 To ...
- IPhone 14, Pixel 7 And Galaxy S23: These Upcoming ...
- Google Maps Adds Toll Road Price Estimates And Bet...
- Oppo PM-3 Review: Groundbreaking $400 Planar Magne...
- Uber Announces Fuel Surcharge As Gas Prices Soar
- Ransomware Cost US Schools $3.56 Billion In 2021, ...
- How To Turn On Caps Lock On A Chromebook
- 20 Viral TikTok Products To Add To Your Shopping List
- Dubious Android Apps May Not Be Malware--just Ads
- Fitbit And Apple Know Their Smartwatches Aren't Me...
- The Best Comedies On Netflix You Absolutely Need T...
- Pilot Like A Pro With $40 Off This Beginner-Friend...
- The White House Issues First Crypto Order. This We...
- How To Use Emojis In Google Docs: It Just Got Easier
- The Worst Credit Card Mistakes You Should Stop Making
- Prototype Gadget Can Scan And Identify Fonts On De...
- Honor's Magic V Foldable Is Another 'creaseless,' ...
- What Is Net Metering And How Does It Work?
- Motorola Announces $1,000 Edge Plus To Compete Aga...
- Can Fuel Up And Pay Later Help Curb Soaring Gas Pr...
- TikTok Is The Most Downloaded App Worldwide In 202...
- Google To Start Sending Rapid Air Raid Alerts To A...
- This Is Verizon's First 5G Smartphone
- Fossil Gen 6 Smartwatch Line Touts Faster Charging...
- 'Lightyear' Review: A Toy Story With A Whole Lot O...
- Last Call: Save Up To $1,000 On Galaxy Z Fold 4 An...
- Asus ROG 2 Gaming Phone Could Launch In July
- Wild VR Gadget Makes Virtual Objects Feel Solid At...
- 2023 Kia Telluride Will Debut April 13 In New York
- Phones With In-screen Fingerprint Scanners: Galaxy...
- Five Toy Drones For Beginners
- OnePlus 6T: Six Features We're Dying To See
- Mortgage Refinance Rates For Aug. 24, 2022: Rates ...
- IOS 15.6: All The IPhone Updates You'll Get After ...
- 6 Things That Didn't Make An Appearance At The App...
- Save Hundreds By Setting Your Water Heater To This...
-
▼
January
(100)
Total Pageviews
Search This Blog
Popular Posts
-
Ukuran tinggi spring bed bigland di, ukuran tinggi spring bed bigland golden, ukuran tinggi dalam meter, ukuran tinggi badan, ukuran tinggi ...
-
Carta de colores de pinturas unidas, carta de colores lanco, pintura popular dominicana carta de colores, carta de colores tropical, carta d...
-
Ukuran panjang lebar majalah tempo, ukuran panjang lebar majalah popular, ukuran panjang lebar majalah rasa, ukuran panjang lebar majalah wa...