[LINK] Flame: "US Building Cybersecurity Capability"?

stephen at melbpc.org.au
Tue May 29 15:15:36 AEST 2012


Marghanita notes,

> Yesterday (the US) took a step forward in better understanding .. how
> we can improve our ability to protect against cybersecurity threats...


Yes. As the best defense is said to be attack, one would not at all be
surprised if America has created, "the most complex malware ever found.
Security researchers believe that it's created or sponsored by a nation 
state."

Researchers identify Stuxnet-like cyberespionage malware called 'Flame'

By Lucian Constantin (IDG News Service) 28 May, 2012
http://www.arnnet.com.au/article/425914/researchers_identify_stuxnet-like_cyberespionage_malware_called_flame_/


A new, highly sophisticated malware threat that was predominantly used in 
cyberespionage attacks against targets in the Middle East has been 
identified and analyzed by researchers from several security companies 
and organizations.

According to the Iranian Computer Emergency Response Team (MAHER), the 
new piece of malware is called Flamer and might be responsible for recent 
data loss incidents in Iran. 

There are also reasons to believe that the malware is related to the 
Stuxnet and Duqu cyberespionage threats, the organization said on Monday.

Malware researchers from antivirus firm Kaspersky Lab have also analyzed 
the malware and found that while it is similar to Stuxnet and Duqu in 
terms of the geographic propagation and targeting, it has different 
features and it is, in many ways, more complex than both of those threats.

Flame, as the Kaspersky researchers call it, is a very large attack 
toolkit with many individual modules. It can perform a variety of 
malicious actions, most of which are related to data theft and 
cyberespionage.

Among other things, it can use a computer's microphone to record 
conversations, take screenshots of particular applications when in use, 
record keystrokes, sniff network traffic and communicate with nearby 
Bluetooth devices.

One of the toolkit's first versions was likely created in 2010 and its 
functionality was later extended by leveraging its modular architecture, 
said Vitaly Kamluk, chief malware expert at Kaspersky Lab.

Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in 
size were already considered large by security experts. The size of all 
Flame components combined adds up to over 20MB and one file in particular 
measures over 6MB alone, Kamluk said.

Another interesting aspect of the threat is that some parts of Flame were 
written in Lua, a programming language that's highly uncommon for malware 
development. Lua is often used in the computer gaming industry, but 
Kaspersky Lab hasn't seen any malware samples before Flame that were 
written in the language, Kamluk said.

Flame spreads to other computers by copying itself to portable USB 
devices and also by exploiting a now-patched Microsoft Windows printer 
vulnerability that was also leveraged by Stuxnet.

The Kaspersky researchers haven't found any evidence of an unknown 
(0-day) vulnerability being exploited by this malware, but Flame is known 
to have infected a fully patched Windows 7 computer, so they don't 
completely exclude the possibility, Kamluk said.

When infecting computers that are protected by antivirus programs, Flame 
avoids performing certain actions or executing malicious code that might 
trigger a proactive detection from those security applications. This is 
one of the reasons that the malware flew under the radar for so long, 
Kamluk said.

By checking the data from its worldwide network of malware sensors, 
Kaspersky Lab has managed to identify current and past Flame infections 
in the Middle East and Africa, predominantly in countries like Iran, 
Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

However, antivirus vendor Symantec also identified past infections in 
Hungary, Austria, Russia, Hong Kong and the United Arab Emirates. The 
company doesn't dismiss the possibility that these infection reports 
originated from laptops that were temporarily taken abroad by travellers.

It's hard to tell what type of information the Flame authors are after, 
given the wide variety of data that the malware can steal and send back 
to the command and control servers. A decision regarding which of the 
malware's modules and functionality to use is probably taken by the 
attackers for each particular target on a case-by-case basis, Kamluk said.

The targeted organizations don't seem to follow an industry-specific 
pattern, either. The malware has infected computers belonging to 
government agencies, educational institutions and commercial companies as 
well as computers owned by private individuals.

As with Duqu and Stuxnet, it's not clear who created Flame. However, the 
malware's complexity and the amount of resources required to build 
something like it has led security researchers to believe that it was 
created or sponsored by a nation state.

Kaspersky's researchers didn't find any evidence that could tie the 
malware to a specific country or even region. However, there is some text 
written in English inside the code, Kamluk said.

"Examination of the code also leads Symantec to believe the malware was 
developed by a natively English speaking set of developers," a Symantec 
spokesman said via email. "No further observations have been made which 
could assist in locating the origin of the malware."

Researchers from the Laboratory of Cryptography and System Security 
(CrySyS) of the Budapest University of Technology and Economics, which 
played an important role in the discovery and analysis of Duqu, have also 
released a report on the Flame malware, which they call "sKyWIper."

"The results of our technical analysis support the hypotheses that 
sKyWIper was developed by a government agency of a nation state with 
significant budget and effort, and it may be related to cyber warfare 
activities," the CrySyS researchers said in their report. "sKyWIper is 
certainly the most sophisticated malware we encountered during our 
practice; arguably, it is the most complex malware ever found."

--

Cheers,
Stephen
