Flame/Skywiper Keeps Cyber Arms Race Alive
The 'Skywiper' cyberweapon is the latest sophisticated toolkit targeting computers in Iran.
CREDIT: Oleksiy Mark/Shutterstock.com
The "Skywiper" malware is the latest weapon, but certainly not the last, keeping the cyber arms race alive.
Discovered yesterday (May 28), the Skywiper cyberweapon (also called Flame or Flamer) is a sophisticated, complex and large information-stealing toolkit that for months has been infecting specific targets in the Middle East and Eastern Europe. The weapon is designed to steal data, copy passwords, capture screen grabs and perform a variety of other nefarious tasks before sending the siphoned information to command-and-control servers.
At 20 megabytes (20 times the size of the infamous Stuxnet worm) and sharing code similar to both Stuxnet and Duqu, Skywiper is a serious development in what security experts say is an ongoing cyber arms race.
The race is under way
"Unlike Stuxnet and Duqu, which were very specific targets in certain industries, [Skywiper] was being used to infect various types of industries, regions and organizations," Roel Schouwenberg, senior researcher at the security firm Kaspersky Lab told SecurityNewsDaily. "Given the scope and quantity of the operation and the sophistication of [Skywiper], it definitely shows that the cyberwar landscape is extremely real and large."
Mikko Hypponen, chief research officer for the security firm F-Secure, agrees. He told SecurityNewsDaily that Skywiper "proves that [the] cyber arms race is indeed in progress and that Stuxnet was the game changer." Hypponen said that because Skywiper "has only hit targeted systems, it's not a problem for 99.9 percent of the systems online." But for those computers that were targeted, Hypponen said, "the situation is dire. It can do anything at all on those systems."
Dave Marcus, director of advanced research and threat intelligence for McAfee, told SecurityNewsDaily that while it's still too early to come to any firm conclusions about Skywiper, or to compare its significance to Stuxnet and Duqu, the impact is a very serious one for those affected by the malware.
"If you are the intended victim, [Skywiper is] very dangerous," Marcus said.
The work of a nation state
Skywiper's sophistication — it has been able to evade detection by anti-virus software — coupled with the geographic makeup of its targets, is proof, Schouwenberg said, that the cyberweapon has some state-sponsored heft behind it. To back up his claim, Schouwenberg explained the different sects of malware creators and the tools each group uses.
"Currently, there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states," he told SecurityNewsDaily. "[Skywiper] is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group."
"In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it," he added.
In a blog post, Graham Cluley from the security firm Sophos wrote, "If I was a betting man, I'd probably put money on a state agency being involved in the creation of Flame. This seems to be being reported as fact, but there certainly isn't any proof yet."
None of the experts ventured a guess as to who they believe is responsible for developing and spreading Skywiper.
Is the AV industry to blame?
Hypponen, from F-Secure, believes anti-virus software should have uncovered Skywiper.
"It [Skywiper] was written by professionals and it goes to great lengths to appear as a normal program," he said, "but still, after being in the wild for years and evading detection from all the anti-virus products, we failed."
Schouwenberg doesn't quite agree, and instead shifts the focus to the strength of Skywiper, not the weakness of the anti-virus industry.
Skywiper is "'a covert operation backed by millions of dollars in funding," he told SecurityNewsDaily. "Anti-virus' main focus is dealing with cybercrime. So I don't think the late discovery of this very complex malware, which is not regular cybercrime, is a huge shock."
McAfee's Dave Marcus backed Schouwenberg's assertion that Skywiper slipped under the radar not because of deficiencies in the AV industry, but because "targeted malware, by design, is [stealthy]."
"AV is very good at dealing with known threats, known threat attack vectors and types," Marcus said. "When an attacker comes up with new functionality or evasions, it does take time to come up with solutions for them."
Many of the top anti-virus vendors, including McAfee, Symantec, Sophos, Kaspersky Lab and Bitdefender, have updated their virus definitions to include Skywiper/Flame. But any specific details of Skywiper and its attack methods could take years to analyze.
Skywiper's modules include numerous libraries "designed to handle SSL traffic, SSH connections, sniffing, attack, interception of communications and so on," Schouwenberg said. "Consider this: it took us several months to analyze the 500K code of Stuxnet. It will probably take years to fully understand the 20MB of code of [Skywiper]."
In the meantime, Schouwenberg and Marcus say Skywiper portends more nasty malware to come.
"Given the evolution of cyberweapons, from Flame to Duqu and Stuxnet, we predict this is only the beginning of cyberweapons to appear," Schouwenberg said.