• Home
• About
• In the news / Citations
• Articles & Works
• Picture Gallery
• Contacts

"Flame" malware infiltrating Middle East computers: the most complex Cyber Weapon, ever! May 28, 2012

Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare for maintaining peace, a new cyber threat appears, which is destined to leave an indelible mark on the cyber weapons’ landscape.

Today is one of those days that the Infosec Community will remember for a long time. It looks like the mystery of the malware targeting the Iranian Oil business a month ago has come to a solution, and it is not that kind of conclusion we would have hoped and expected.

Nearly in contemporary Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have unleashed details of what has been defined (arguably) the most complex malware ever found.

The malware, which has been dubbed Flame (Kaspersky), or sKyWIper (CrySyS Lab), or also Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:

• The Cyber Weapon Malware is a sophisticated attack toolkit, It is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky its development has taken a couple of years and it will probably take year to fully understand the 20MB of code of Flame.
• According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
• Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
• Flame owns many capabilities, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
• The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet and maybe it is the reason why it wasn’t discovered for so long);
• Flame includes a piece of code (about 3,000 lines) written in LUA, a not so common occurrence for malware;
• Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
• Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that trigger the infection when this directory is opened);
• Flame may also replicate via local networks using the following:
  1. The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI;
  2. Remote jobs tasks.
  3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.

  So far

• So far no 0-day vulnerabilities have been found, despite the fact that some fully-patched Windows 7 installations have been compromised, might indicate the presence of high-risk 0-days.

With no doubt a beautiful piece of malware written with the precise intent of Cyber-Espionage. Besides the resounding features of the malware, I found particularly interesting the same infection mechanism used by Stuxnet, that make me think of (another) possible double agent implanting the first infection.

This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:

The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.

[Originally posted on Hackmageddon.com: http://hackmageddon.com/2012/05/28/a-flame-on-the-cyberwarfare-horizon/]

If you want to have an idea of how fragile our data is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article @paulsparrows on Twitter for the latest updates.

Related articles

• Middle East Cyber War: Revenge Of The Drones (theaviationist.com)

• Subscribe to Blog via Email

  Enter your email address to subscribe to this blog and receive notifications of new posts by email.

• Facebook page

• The Aviationist patch

  

  Send me an email if you want to support this site buying the original TheAviationist.com patch, only available through this website!

  4.33 inch (11-cm) patch on velcro.

• Donations

  Support this website by making a donation

  
• 
• 
• 
• 
• 

• Blog Authors

  

  

  

  

  

  

  

• Categories

  Select Category 9-11 Aircraft Carriers airships Airshow Airspace violations Armed Forces Day Aviation Aviation Safety Bizarre Books Calendar Captured Stealth Drone China Crime & Homeland Security Digital Photography Drones F-104 Farnborough 2012 Flight Simulation Giornata Azzurra Grosseto Hacking Helicopters Information Security Information Warfare Iran ItAF Museum Italian Air Force Italian Navy Libyan Uprising Mali Maritime Security Military Aviation    494FS Deci    F-35    Spring Flag    Vega 2010    Winter Hide 2011 Military History    Falklands War Museums NH90 crash non-military aviation North Korea Operation Odyssey Dawn Operation Unified Protector Osama Bin Laden raid Panoramic Photography Patches Photography Pillars of Defense Podcast Satellite Season's greetings Space Special Operations Stealth Black Hawk Swiss Air Force Syria Turkish RF-4E shot down Uncategorized weapons Yearly summary

• Tags

  Aeronautica Militare Afghanistan aircraft carrier AMI Aviation Safety AWACS Benghazi Decimomannu Electronic Warfare Eurofighter Eurofighter Typhoon F-16 F-2000 helicopter Hornet Iran Israeli Air Force ItAF Italian Air Force Libya Libyan uprising Lockheed Martin Lockheed Martin F-35 Lightning II Military Aviation Mirage 2000 NATO Pratica di Mare Rafale Royal Air Force Sentinel SIGINT Sigonella Spanish Air Force Surface to Air Missile Syria Tornado Tornado ECR Trapani Turkish Air Force Typhoon U.S. Air Force UAV United States Air Force Unmanned Aerial Vehicle USAF

• Top Posts

• Archive of previous posts

  Select Month May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 May 2006 March 2006 November 2005
• 
• 
• 

• Blogroll

  • 102° Gruppo CBOS Virtuale
  • 916 Starfighter
  • Air Devils
  • Airplanes Magazine
  • Associazione culturale 4° Stormo Gorizia
  • Aviopress
  • Decimomannu airbase
  • Flightstats
  • Google Globetrotting
  • Great Circle Mapper
  • Hackmageddon
  • Military Aviation Blog
  • My pics on A.net
  • My pics on JetPhotos.net
  • SAF 21 a website dedicated to the Contemporary Swiss Air Force
  • Scramble
  • Wings over Iraq

• Resources

  • 
  • Aviationintel.com
  • Flight24.com
  • Flightradar24
  • 
  • Information Dissemination
  • LiveATC.net
  • Mil Mode S
  • Mysteryship
  • Planefinder

• On Air

  Click on the thumbnails below to watch the videos of my TV interviews:

  

  

  

• Comments policy

  Visitors can add a comment to every post in the blog. However a few rules must be followed:
  Comments must be signed: Anonymous comments will no longer be accepted. You can use your initials or a nickname, but email addresses are required for commenting even if they will not be published on the blog, nor shared. Comments without email address will not be approved.
  Language and Manners: you can criticize posts and articles in this blog, but comments which include offensive or inappropriate language, or considered by the blog owner to be rude and offensive, will be edited or deleted. Play nice.
  How the Author will respond: comments on this blog will only be responded to in direct response to the blog comment. If you need a private reply by the author, send him an email.
  Blocked Commenters: Anyone who violates this Comments Policy may be blocked from future access and/or commenting on this blog.
  All Rights Reserved: The blog author reserves the right to edit, delete, move, or mark as spam any and all comments. He also has the right to block access to any one or group from commenting or from the entire blog.
  Hold Harmless: All comments within this blog are the responsibility of the commenter, not the blog owner. By submitting a comment on this blog, you agree that the comment content is your own, and to hold this site and Author harmless from any and all repercussions, damages, or liability.
  

• OPSec compliant site

  "Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information" (Wiki).
  Hence, OPSec is to mil ops what, more generally speaking, INFOSec is to information (and information systems). Learn more about INFOSec and its impact on mil operations by visiting the Information Securitysection of this site.
  As a journalist belonging to the Italian Journalists Society (Ordine dei Giornalisti) all the information and reports in this site are provided in accordance with a code of ethics based on the freedom of information right (ratified also by the Italian Constitution and made a right of every person by the Universal Declaration of Human Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms) that takes into proper consideration OPSec implications and sensitiveness of information. Details on which is deemed sensitive in nature is edited, limited or postponedly published; all the information published on this site are carefully checked and were obtained by interviews, researches, studies and analysis of material whose publication was implicitly or explicitly authorized and/or is in the public domain.
  

  
  

  

  

  

• The policy on this site is to credit all images with known sources and to ask specific permission from the original owners of content. The credit and the link should be within the text. If you see an image that you'd like to remove for any reason, or to correct the attribution info - or if you know the source for the "original unknown" images - please send me an email with as much details as possible. When possible, also contents in the Public Domain will be credited. Please consider that all the external contents and images used within a post in this blog are used within the fair use doctrine that allows limited use of copyrighted material without requiring permission from the rights holders for analysis, news reports, studies, etc.
  

• © David Cenciotti

  Contents of this blog/website may not be used withour author's prior written permission. All rights reserved.

• Feeds

• Full
• Comments