Tag Archives: flame virus

Jun 05

Flame malware using Windows Update to spread

Posted on by

Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft’s Windows Update mechanism.

Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines?

Key to the phony Windows Update process was that the hackers had located and exploited a flaw in the company’s Terminal Services licensing certificate authority (CA) that allowed them to generate code-validating certificates “signed” by Microsoft.

Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame’s development and attacks.

Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure’s chief research officer and the first to announce that Flame was abusing Windows Update, called the feat “the Holy Grail of malware writers” and “the nightmare scenario” for antivirus researchers.

Microsoft released a security alert and patch due to the disturbing news that the hugely complex Flame malware has spoofed MS-signed certificates, potentially making Microsoft Update a malware delivery mechanism.

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.

And that’s exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.

According to Microsoft, which has been analyzing Flame, along with numerous antivirus researchers since it was publicly exposed last Monday, researchers there discovered that a component of Flame was designed to spread from one infected computer to other machines on the same network using a rogue certificate obtained via such a man-in-the-middle attack. When uninfected computers update themselves, Flame intercepts the request to Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.
The massive and complex Flame malware, linked to state-sponsored espionage and information-gathering, has managed to spoof Microsoft-signed digital certificates, creating the potential for man-in-the-middle attacks on the Microsoft Update system.

Jun 01

New Flame Malware Discovered

Posted on by

Security software firm Kaspersky Lab recently discovered a new malware used as a cyber weapon to attack certain countries.

Worm.Win32.Flame or “Flame” has the ability to steal data such as e-mails, audio recordings, photos, documents, messages and discussions from infected computers.

According to Kaspersky Lab, the captured information is sent to a network of command-and-control servers located in different parts of the world.

It added that Flame is much more sophisticated than the Duqu malware, which sneaks into computers by hiding in documents such as Microsoft Word files.

The new malware is described as having “worm-like” features, and “can replicate in a local network and on removable media if it is commanded by its master.”

Flame occupies about 20 megabytes of space, which Kaspersky Lab said is rather uncommon among malware that are trying to hide themselves from being detected.

It copies radio recordings through an internal microphone, and can use Bluetooth to collect information about discoverable devices near the infected computer.

Kaspersky Lab said Flame has so far infected computers in seven Middle Eastern countries namely Iran, Israel/Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Through its antivirus software, Kaspersky is aware of the virus infecting 600 machines, but Kamluk believes there are probably thousands of machines that were compromised. It can record audio, grab screenshots and monitor keyboard activity and network traffic. It can even record Skype conversations and download contact information from nearby Bluetooth-enabled mobile phones.

Kamluk says it appears the developers and controllers of the Flame malware, which spreads through Microsoft Windows-based computers, were able to use it to obtain vital information use it to “destroy” operating systems, rendering machines “completely broken”.

Flame, Kamluk says, is part of a “small group of malicious applications that can be referred to as ‘cyber weapons’”. With all its modules, the virus is 20MB in size, which is unusually large for malware.

Kaspersky Lab has tried to determine who wrote the software, but admits it hit a brick wall in its investigations. “There was obviously no contact information in the body of the malware, so we tried to find out what it does and where it is controlled from,” Kamluk says. “We discovered dozens of servers located in different countries.”

This post sponosored by 1 to 1 Risk Control IT Consulting in Oklahoma City, Oklahoma

May 31

What is the Flame virus or Flame malware?

Posted on by

The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.

Israel has dismissed suggestions that it might be behind the Flame cyber-attack.

Several media reports linked comments made by the country’s vice prime minister with the malware, which has infected more than 600 targets.

However, a spokesman for the Israeli government told the BBC that Moshe Ya’alon had been misrepresented.

Security experts said it was still too early to pinpoint the source of the attack.

Mr Ya’alon, who is also Israel’s minister of strategic affairs, discussed the attacks on Israel’s military radio station, Army Radio.

“There are quite a few governments in the west that have rich high-tech [capabilities] that view Iran, and particularly the Iranian nuclear threat, as a meaningful threat – and can possibly be involved with this field,” he said.

“I would imagine that everyone who sees the Iranian nuclear threat as a significant one, and that is not only Israel, it is the entire Western world, headed by the United States of America, would likely take every single measure available, including these, to harm the Iranian nuclear project.”

When asked to clarify Mr Ya’alon’s comments by the BBC, a spokesman for the minister said: “There was no part of the interview where the minister has said anything to imply that Israel was responsible for the virus.”

In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.

Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.
Related

Researchers at Kaspersky Lab, which first reported the virus Monday, believe Flame was written by a different group of programmers from those who had created other malware directed at computers in the Middle East, particularly those in Iran. But Flame appears to be part of the state-sponsored campaign that spied on and eventually set back Iran’s nuclear program in 2010, when a digital attack destroyed roughly a fifth of Iran’s nuclear centrifuges.

What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting. The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee’s technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as “sKyWIper.”
“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.”

How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It’s unclear what the initial point of entry is. “We expect to find a spear phishing e-mail with a Zero-Day exploit,” Schouwenberg said.

How long has Flame been around?
“We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that,” Schouwenberg said Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United National’s International Telecommunication Union for help in uncovering malware dubbed “Wiper” that was stealing and deleting sensitive information on computers in Iran’s oil sector.

How does Flame relate to Wiper?
“Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental,” Schouwenberg said. “So, we have an open mind to Wiper being a Flame plug-in.” Iran’s National Computer Emergency Response Team (CERT), which is called “Maher,” said software to detect Flame was sent to companies in that country at the beginning of May and a removal tool is ready now. Recent incidents of mass data loss in Iran “could be the outcome of some installed module of this threat,” the center said, speculating that attacks in which data from Iran’s gas company computers may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.

Why wasn’t Flame discovered earlier?
Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. “Clearly it’s another multimillion-dollar project with government funding, so one of the top priorities has been stealth,” Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn’t look malicious at first glance. “Flame authors have adopted the concept of hiding in plain sight,” he said. Because Flame doesn’t use a rootkit technology, free anti-rootkit tools won’t be able to detect it. “Finding it is going to be more complicated,” according to Schouwenberg.

Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by “Israel/Palestine,” Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in “the Palestinian West Bank, Hungary, Iran and Lebanon.” “With Flame, we haven’t been able to say what binds all the targets together other than that they are in the same geographical region,” Schouwenberg said. “We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don’t know what type of data has been stolen.” Victims include educational institutions, state-related organizations and individuals.

This post sponsored by www.osxantimalware.com Antivirus for Mac