Flame Super-Spyware Only One Piece of Larger Puzzle
The Flame super-spyware discovered this past May is far older than previously thought, and only part of a larger family of state-sponsored malware, most of which has yet to be discovered.
That's according to reports released today by an international team of researchers led by Symantec of Mountain View, Calif., and Moscow-based Kaspersky Lab.
Work on Flame, which infected mainly computers in the Middle East, began at least as early as December 2006, the reports find. Analysis of two of Flame's command-and-control (C&C) servers shows that the servers were coded to control at least three other, unknown pieces of malware, at least one of which has already been released "into the wild."
"For us to know that a malware campaign lasted this long and was flying under the radar for everyone in the community, it's a little concerning," Symantec Security Response researcher Vikram Thakur told Wired News. "It's a very targeted attack, but it's a very large-scale targeted attack."
Symantec and Kaspersky say the three unknown pieces of malware are not the known state-sponsored bugs Stuxnet, Duqu or Gauss.
Command-and-control servers are the invisible puppet masters behind computers that are silently infected. They rarely infect machines directly, but instead push out updated malware to already infected machines and receive relevant data, such as stolen information, from the infected machines.
Neither company would reveal how they got access to two Flame C&C servers, but it's likely that the machines were seized by police in a European country, probably Germany. (German authorities collaborated on the reports.)
Flame is also known as Flamer or Skywiper. It was discovered in late May infecting — and possibly erasing — computers in Iran's oil ministry. Subsequent analysis indicated that Flame had been created as a precursor to Stuxnet, the American-made computer worm that sabotaged an Iranian nuclear facility in 2010.
Flame also used an extremely complex mathematical method to generate a cryptological "hash collision" that enabled it to present itself as Microsoft Windows Update software. As a result, Microsoft has had to revamp its procedure for pushing out software updates and patches, a revision that will be fully implemented in next month's Microsoft "Patch Tuesday."
Today's reports say that preserved traffic logs from one server indicated that the number of infected machines, once thought to be under 1,000, was much higher.
"During a period of just one week (25 March - 2 April), 5,377 unique IPs were seen connecting to the server, the vast majority in Iran: 3,702. What is also surprising is the large number of IPs from Sudan: 1,280," said the blog posting written by Kaspersky's Global Research and Analysis Team.
"If just one server handled 5,000+ victims during a one-week period and given several servers were available, we can estimate the total number of victims for Flame is probably higher than previously estimated, exceeding 10,000."
Symantec's researchers were unable to crack the encryption on a password used to take control of the C&C software, and reached out this morning to the larger community of cryptologists, mathematicians and security researchers for help.
The hashed password value is 27934e96d90d06818674b98bec7230fa, which Kaspersky's Dmitry Bestuzhev was able to solve today as "900gage!@#". Further information should be coming now that the password is known.
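A check a practitioner would want to run against the values quoted above, added here as an example and not taken from either report: it confirms the recovered password against the published digest, assuming (the article does not name the algorithm) that the 32-hex-character value is an unsalted MD5 digest, and contrasts that with a salted, iterated password hash of the kind that would not fall to a single lookup.

```python
import hashlib
import hmac
import os

# Values quoted in the article: the C&C password hash and the password it resolved to.
FLAME_CC_HASH = "27934e96d90d06818674b98bec7230fa"
FLAME_CC_PASSWORD = "900gage!@#"

PBKDF2_ITERATIONS = 600_000  # chosen for this example; tune to your hardware budget


def hash_is_md5_of(candidate: str, hexdigest: str) -> bool:
    """True if the plain, unsalted MD5 of candidate equals hexdigest.

    Assumption: the reports treated the value as a bare MD5 digest (32 hex
    characters, no salt). Because there is no salt and MD5 is fast, a single
    digest computation per guess is all it takes to test a candidate, which is
    why the hash was recoverable within a day of being published.
    """
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    # Constant-time comparison so a verifier does not leak digest prefixes.
    return hmac.compare_digest(digest, hexdigest.lower())


def store_password_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS):
    """How a control panel should have stored the password instead:
    a random per-password salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, derived_key)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def verify_pbkdf2(password: str, salt: bytes, dk: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(probe, dk)


if __name__ == "__main__":
    print("MD5 matches published hash:", hash_is_md5_of(FLAME_CC_PASSWORD, FLAME_CC_HASH))
    salt, dk = store_password_pbkdf2(FLAME_CC_PASSWORD)
    print("PBKDF2 verifies:", verify_pbkdf2(FLAME_CC_PASSWORD, salt, dk))
```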
Thanks to errors made by the developers of Flame's C&C software, the researchers were able to glean a lot of information from the code they could examine.
For example, four separate programmers left their names or nicknames in the code. Neither report revealed those names, but Symantec referred to them as "D***," "H*****," "O******" and "R***," while Kaspersky replaced the asterisks with the word "censored."
D*** may have done most of the coding drudgework, with more than 30 files associated with his name. However, H***** may have been the team leader, since his work was more sophisticated than the others'.
"[H] censored, was more experienced than the others. He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms," said the Kaspersky blog posting.
The Flame C&C developers, who appear to have had experience programming for Windows as well as for the Debian Linux platform the Flame C&C software was written for, disguised their code by avoiding any mention of botnets, malware or command-and-control servers.
Instead, the C&C software was designed to look like the content-management system of a news website much like SecurityNewsDaily. Updates to the infected machines were packaged as "news" or "ads" and heavily encrypted, and the entire piece of software referred to itself as "Newsforyou."
Even the look and feel of the software's user interface was bare-bones and offered no clue about the software's true nature.
"[The C&C software control panel] looked like a very early alpha version of a botnet C&C control panel," said Kaspersky Labs. "However, revisiting this picture one more time made everything clear — the attackers deliberately chose this interface.
"Unlike traditional cyber-criminals who implement eye-candy Web interfaces which the average user can easily recognize as a botnet control panel, the developers of the Flame C&C made it very generic and unpretentious."
What else is out there?
Most intriguing were the hints that Flame has siblings yet to be found. The C&C servers were coded to handle four different streams of data coming from five different kinds of client software: "FL," "IP," "SP," "SPE" and a fifth called "RED" that had yet to be developed.
Symantec and Kaspersky agreed that "FL" was Flame, but did not recognize the signatures of the others. They ruled out the previously discovered state-sponsored malware Duqu, Gauss or Stuxnet as matches.
However, one of the "sinkhole" servers, which were set up months ago by security researchers to capture traffic going from the infected machines to C&C servers, detected traffic coming from the "SPE" malware.
"We can confirm the malware known as 'SPE' exists and is currently in-the-wild," wrote Kaspersky Lab. "There are no hits from either the mysterious SP or IP malware."
In addition to Kaspersky and Symantec, the research was carried out by the United Nations' International Telecommunications Union International Multilateral Partnership Against Cyber Threats (ITU-IMPACT) and Germany's Computer Emergency Response Team-Bundesamt für Sicherheit in der Informationstechnik (CERTBund-BSI).