U.N. Warns Member Countries of 'Flame' Cyber-Spying Malware

By Brian Prince  |  Posted 2012-05-29

The United Nations' International Telecommunication Union is issuing a warning for nations to be on guard for the newly identified Flame malware, according to a report.

"This is the most serious [cyber] warning we have ever put out," Marco Obiso, cyber-security coordinator for the U.N.'s Geneva-based International Telecommunications Union, told Reuters.


Also known as Skywiper and Flamer, the malware has been discovered on systems in the Middle East, and has hit Iran the hardest. The discovery prompted Iran's National Computer Emergency Response Team to issue an alert stating the malware was tied to multiple incidents of "mass data loss" in the country's computer networks.


Thought to be a tool for cyber-espionage, security researchers say the malware has been traced back to at least 2010, with experts at the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics stating it may have been operational for five years or more.


According to Kaspersky Lab, Flame is a backdoor Trojan with worm-like features that allow it to propagate itself on local networks and removable media. When a system is infected, the malware is capable of a number of operations, including taking screenshots, recording audio conversations and intercepting network traffic.


"Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar 'super-weapons' currently deployed in the Middle East by unknown perpetrators," Alexander Gostev, head of Kaspersky Lab's Global Research and Analysis team, blogged May 28.


"Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated. It pretty much redefines the notion of cyber-war and cyber-espionage."


When all of its modules are installed, the malware takes up 20 MB in data storage. It also contains code written in Lua, a programming language uncommon in the cyber underworld.


"Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code," Gostev explained. "Many parts of Flame have high order logic written in LUA—with effective attack subroutines and libraries compiled from C++…usage of LUA in malware is uncommon."


According to Symantec's Security Response team, the modular nature of the malware suggests its developers created it with the goal of maintaining the project over a long period of time, most likely with a different set of individuals operating the malware than those who wrote it.


"The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to Symantec. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry."


According to Gostev, there does not appear to be any overarching theme in regards to targets, indicating that Flame may have been designed for more general cyber-espionage purposes. He speculated that Flame was developed separately from Duqu and Stuxnet and noted that Flame's developers did not use the Tilded platform used for Duqu and Stuxnet. However, he noted that Flame makes use of the same print spooler vulnerability exploited by Stuxnet. It also abuses AutoRun, just like Stuxnet.


"Currently there are three known classes of players who develop malware and spyware: hacktivists, cyber-criminals and nation states," Gostev noted. "Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cyber-criminals and hacktivists, we come to the conclusion that it most likely belongs to the third group…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."


To perform a quick manual check for Flame, users can search for the file ~DEB93D.tmp. If it is present, the computer either is or has been infected with Flame, Gostev blogged today. Users can also inspect the "Authentication Packages" value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which lists the packages LSASS loads at startup. If mssecmgr.ocx or authpack.ocx appears there, this is another indication the computer is infected, he added.
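The two manual checks above, scripted as an added example (this is not code from the article or from Kaspersky). The set of directories searched for the temp file and the function name are assumptions, since the article does not say where the file is dropped:

```powershell
# Added example: automate the two Flame indicators named in the article.
# Assumptions (not from the article): the tmp file is searched only under the
# roots listed below; run from an elevated prompt so the LSA key is readable.
function Test-FlameIndicators {
    [CmdletBinding()]
    param(
        # Assumed search roots; the article gives no path for the file.
        [string[]]$SearchRoots  = @($env:TEMP, "$env:windir\Temp", "$env:windir\System32"),
        [string[]]$PackageNames = @('mssecmgr.ocx', 'authpack.ocx'),
        [string]$TempFileName   = '~DEB93D.tmp'
    )
    $findings = @()

    # Indicator 1: the temp file named in the article.
    foreach ($root in $SearchRoots) {
        if (-not ($root -and (Test-Path -LiteralPath $root))) { continue }
        Get-ChildItem -LiteralPath $root -Filter $TempFileName -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $_.FullName }
            }
    }

    # Indicator 2: the LSA "Authentication Packages" value (REG_MULTI_SZ).
    # Entries here are loaded into LSASS at boot, so a module registered here
    # gets both persistence and a high-privilege process to run in.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages' `
                    -ErrorAction SilentlyContinue).'Authentication Packages'
    foreach ($entry in @($packages)) {
        if (-not $entry) { continue }
        foreach ($name in $PackageNames) {
            if ($entry.ToLowerInvariant().Contains($name.ToLowerInvariant())) {
                $findings += [pscustomobject]@{ Indicator = 'LSA package'; Detail = $entry }
            }
        }
    }
    return $findings
}

$result = Test-FlameIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No Flame indicators found.' }
```

On a stock Windows install the "Authentication Packages" value normally contains only msv1_0, so any additional entry, not just the two names the article lists, deserves a closer look.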
