The Murky Origins of Flame

Flame, also known by the names Flamer and Skywiper, was at first widely believed to have initially appeared in 2010. However, evidence has mounted that the malware was in existence before then. Kaspersky Lab for example has found that some domains used by Flame for command and control (C&C) were registered as early as 2008. In addition, researchers with the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics have said the main component of the malware had been observed in the wild in 2007.

Flame propagates in a number of ways. For example, it spreads across networks using stolen credentials as well as the Microsoft Windows Print Spooler Service remote-code-execution vulnerability also exploited by Stuxnet. It can also spread via removable media using a specially crafted autorun.inf file, as well as the Windows shortcut LNK/PIF file execution vulnerability (CVE-2010-2568), which are both also used by Stuxnet.

Flame’s main purpose is to conduct cyber-espionage. Kaspersky Lab describes the malware as a backdoor Trojan with worm-like features and modules that enable a variety of capabilities, ranging from the ability to record audio to the ability to take screenshots and capture keyboard activity and network traffic. Once on an infected system, Flame can spread to other systems over a local network or via USB stick.

There has been much speculation about whether or not the Flame malware is related to Stuxnet and Duqu, particularly due to the high percentage of Flame infections in Iran. Flame does use some of the same vulnerabilities exploited by Stuxnet, namely MS10-046 and MS10-061, which have both been patched by Microsoft. However, there are also notably differences. For example, Kaspersky Lab reports that while all the Duqu C&C proxies were CentOS Linux hosts, all of the known Flame C&Cs are running Ubuntu. Furthermore, Stuxnet was created with specific programming meant to sabotage centrifuges, whereas Flame seems to have been meant for gathering information.

Microsoft recently revealed that components of the Flame malware were signed with a certificate that linked to the Microsoft Enforced Licensing Intermediate PCA certificate authority and, ultimately, to the Microsoft Root Authority. According to Microsoft, this code-signing certificate came by way of the Terminal Server Licensing Service the company operates to issue certificates to customers for ancillary PKI-based functions in their enterprise. Because such a certificate could allow attackers to sign code that validates it as having been produced by Microsoft, the company issued an update to address the situation.

Lua is a lightweight multi-paradigm programming language common in video games. Lua is also used in NMAP (Network Mapper), a well-known network mapping and testing tool. While some say the use of Lua is one of the things that makes the virus interesting and sophisticated, others say its presence indicates the malware may be the work of amateurs and not a nation-state. The top-level Lua scripts are broken up into several categories, including: ATTACKOP (for attacking another machine and moving onto it), CRUISE (credential stealer) and CASafety (checks for antivirus software).

The Bluetooth spying functionality in Flamer is encoded in a module called “BeetleJuice” that scans for all Bluetooth devices in range and then records the details of the device, such as its identity and specifications. Then the malware configures itself as a Bluetooth beacon. These capabilities could potentially be leveraged by the attackers in an effort to eavesdrop on Bluetooth devices or perform other acts. For example, according to Symantec, with the Bluetooth beacon turned on and the details of a particular compromised device available in the description field, it is “straightforward” for the attacker to identify the physical location of a W32.Flamer compromised computer or device.

A recent report in “The New York Times” laid responsibility for Stuxnet at the door of the United States, claiming that President Barack Obama specifically ordered cyber-attacks against Iran. Given that the majority of the infections of Flame occurred in the Middle East and some of the same vulnerabilities exploited by Stuxnet are used by Flame, there has been speculation that the United States may have been behind Flame as well. No conclusive evidence of this has been made public.