Last week, the online security world was set back on its heels when leading cybersecurity firms revealed the existence of Flame, new malware with a level of sophistication substantially beyond other worms, trojans, and viruses. While most malware relies on a small set of exploits and tries to target users’ personal information or set up an infected machine as a spam-sending zombie, Flame is like an entire malware suite. It’s composed of an unknown number of plug-in modules that its operators can choose to deploy for everything from scanning a user’s machine and monitoring their network activity to taking screenshots, recording audio, logging keystrokes, and even reaching out to nearby mobile devices using Bluetooth. Like Stuxnet and Duqu before it, Flame seems to be a legitimate cyberweapon — and, once again, the target seems to be Iran.
Security experts will be working a long time to fully analyze Flame, but new details are emerging that reveal just how sophisticated Flame is. Where could Flame have come from and — perhaps more importantly — will the technologies and threats included in Flame migrate to mainstream malware?
Sparking a Flame
The Flame malware is currently known by a few different names: “Flame” seems to be the most common, but some researchers also refer to “Viper” and “SkyWiper.” Iran’s computer security agency calls it “Flamer.”
According to security firms like Kaspersky Labs, the CrySyS Lab at Budapest University of Technology and Economics, and McAfee, there are multiple versions of Flame circulating in the wild. In a simple form, Flame appears as a 900K file, and can propagate via local network shares, shared printer spools, and peripheral devices like USB drives. Once the basic version finds a home in a Windows system, it tries to reach out to a pool of as many as 80 command-and-control servers to download a set of additional modules that extend its functionality. Other versions of Flame are bigger — as much as 6MB — and already include several code modules.
Flame does not try to spread at every opportunity; rather, when Flame infects a new machine, it reports back to its operators, who apparently then make a decision about what Flame should do next. Right now it’s not clear how Flame initially gets a foothold in an organization or network. Speculation suggests it may use “spear-phishing” email messages that trick people into following a link, then exploit browser or mail flaws to install software. But infection could happen other ways, too. Microsoft has released a security advisory about Flame using forged security certificates for Terminal Server, along with a software update to block the exploit. It’s possible Flame is using other, previously unknown exploits as well.
According to McAfee, Flame’s main module alone decompiles to over 650,000 lines of C code, and they expect that to get longer as they continue to decompile samples. These lines represent computer-generated source code reverse-engineered from the executable, not the source code used by Flame’s developers — but it serves as a human-readable starting point for analysis.
As Flame collects data, it is diligent about trying to send it upstream to the malware’s operators. This data can include information scanned from local devices (like files, passwords, and contacts), as well as screenshots, audio, and even information about nearby phones. To phone home, Flame launches compromised versions of Internet Explorer: that way, the connections take place in the machine’s “trusted” zone and are more likely to get past local firewalls and network monitoring.
Databases and modules
A good deal of Flame’s capability stems from its use of local databases and plug-in modules that can extend the malware’s capabilities. Modular construction isn’t quite new — Stuxnet, Duqu, and the “TildeD” malware family were also modular — but Flame combines that with highly structured databases stored and accessed via the built-in SQLite database. Another unique feature of Flame is that it uses the Lua scripting language to manage access to the databases, and possibly for other functions as well. Although Lua isn’t exactly uncommon (it’s used to handle plug-ins and other functions for everything from Adobe Lightroom to the audio workstation Reason to the protein-folding game Foldit), it’s certainly a very unusual choice for malware.
Flame also goes to great lengths to obscure itself. Those databases and all other data are encrypted using several different algorithms (including Blowfish, along with the MD5 and MD4 hash functions), and the software goes to some lengths to hide “interesting” strings from security researchers and antivirus programs. Instead of seeing a function call that’s the computer equivalent of “snoop around this person’s contact list,” researchers initially see what appear to be random characters. It makes Flame that much harder to figure out.
Flame’s modular architecture means that its operators can constantly alter and enhance its functionality — and download new exploits to infected machines whenever they like. So far researchers have identified nearly two dozen Flame modules. The modules haven’t all been figured out, and researchers aren’t assuming they’ve seen the whole range of modules yet. Among Flame’s most interesting modules so far:
- Beetlejuice: Taps into a computer’s Bluetooth module and tries to connect to devices near the infected machine. Flame currently seems to target Sony and Nokia devices, but (obviously) the operators can update that functionality at any time. Beetlejuice can also turn the infected machine into a discoverable device, so nearby Bluetooth items check in with it.
- Records audio. The module tries to list all existing hardware audio sources and select a recording device. An audio recording feature seems like it would be about surveillance of an individual or a particular location, effectively turning any computer with a microphone into a bug planted in a particular area.
- Reads local disks. Flame can parse through a variety of file formats, including ZIP archives, PDFs, and Microsoft Office documents. Flame also pokes through normally-hidden areas of the operating system looking for notes and other bits of information, and is particularly interested in what users keep on their desktops — since those, presumably, get used often.
- Seems to be one of a few modules that can take screenshots: they seem to be stored in custom compressed and encrypted file formats for later uploading to Flame’s operators.
- Self-termination routine: when commanded by its operators, Flame can apparently delete itself.
Flame also appears to have one or more modules that look out for antivirus programs, firewalls, and other security software.
How Flame spreads
Flame uses a number of propagation mechanisms — some of which appear to be taken directly from Stuxnet, Duqu and their ilk: it can create autorun files that try to run the malware as soon as they appear on a computer, and will also create a “junction point” directory with a desktop.ini and LNK files that launch Flame as soon as Windows opens the directory. Both techniques are used by Stuxnet, which initially used the autorun trick, then changed to the LNK technique. Flame may also use other, still-unknown exploits to install itself. Researchers are still looking into it.
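The two removable-media artifacts just described (an autorun.inf at the volume root, and a folder holding a desktop.ini together with LNK files) are cheap to sweep for from the defender’s side. The following scanner is an added example, not code from the article or from any of the research teams it cites; the sample “USB stick” tree, its file names and the autorun contents are constructed here for demonstration, and the check only looks at the desktop.ini + .lnk combination rather than resolving Windows junction points.

```python
import os
import tempfile
from pathlib import Path


def scan_removable_media(root):
    """Return a sorted list of (kind, path) findings under `root`.

    'autorun' : an autorun.inf sitting at the volume root
    'lnk_dir' : a directory that holds desktop.ini together with one or
                more .lnk files, the combination used by the "junction
                point" trick (Explorer parses both the moment the folder
                is opened). A desktop.ini on its own is common and benign.
    """
    root = Path(root)
    findings = []
    if (root / "autorun.inf").is_file():
        findings.append(("autorun", str(root / "autorun.inf")))
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if "desktop.ini" in names and any(n.endswith(".lnk") for n in names):
            findings.append(("lnk_dir", dirpath))
    return sorted(findings)


def build_sample_drive():
    """Constructed sample tree standing in for a USB stick (demo only)."""
    root = tempfile.mkdtemp(prefix="usb_")
    Path(root, "autorun.inf").write_text("[autorun]\n")        # constructed
    shady = Path(root, "Photos")
    shady.mkdir()
    Path(shady, "desktop.ini").write_text("[.ShellClassInfo]\n")
    Path(shady, "holiday.lnk").write_bytes(b"L\x00\x00\x00")   # constructed stub
    clean = Path(root, "Docs")
    clean.mkdir()
    Path(clean, "desktop.ini").write_text("[.ShellClassInfo]\n")  # ini alone: benign
    return root


if __name__ == "__main__":
    for kind, path in scan_removable_media(build_sample_drive()):
        print(f"{kind:8} {path}")
```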
One of Flame’s modules also handles propagation. Called Munch, the module runs an internal Web server Flame uses to distribute itself. It responds to seemingly innocuous requests for “view.php” and “wpad.dat” — neither of which would raise a network administrator’s eyebrow. (Munch may also scan local network traffic.) So, only one copy of Flame in a particular network or domain needs to phone home to get new instructions or modules. Other copies can pick up the new material locally without accessing the Internet.
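Because wpad.dat is the file Windows clients fetch for Web Proxy Auto-Discovery, the useful signal is not the request itself but which host on the LAN answers it: only the sanctioned proxy server should. The detection below is an added example, not code from the article or from the research it cites; the log line format, the 10.0.0.0/24 network, the sanctioned WPAD address and every sample line are constructed assumptions for demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<src> -> <dst> GET <uri>", one request per line.
LOG_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) GET (?P<uri>\S+)$")
SUSPECT_URIS = {"/wpad.dat", "/view.php"}   # the two paths Munch answers


def find_rogue_servers(lines, lan, sanctioned_wpad):
    """Return {server_ip: [uris]} for hosts inside `lan` that served a
    suspect URI while not being the sanctioned WPAD server.

    Requests to hosts outside the LAN are ignored: ordinary web browsing
    fetches view.php-style pages all day, but a LAN peer serving them
    (or serving wpad.dat at all) is what this module's behaviour looks like.
    """
    served = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # malformed line, skip
        dst = m["dst"]
        uri = m["uri"].split("?", 1)[0].lower()   # drop query string
        if uri not in SUSPECT_URIS:
            continue
        if ipaddress.ip_address(dst) in lan and dst != sanctioned_wpad:
            served[dst].add(uri)
    return {ip: sorted(uris) for ip, uris in served.items()}


# Constructed sample traffic: 10.0.0.1 is the sanctioned WPAD host,
# 10.0.0.77 is a workstation that should never serve either file.
SAMPLE_LOG = """\
10.0.0.15 -> 10.0.0.1 GET /wpad.dat
10.0.0.15 -> 10.0.0.77 GET /wpad.dat
10.0.0.23 -> 10.0.0.77 GET /view.php?id=3
10.0.0.23 -> 203.0.113.5 GET /view.php
10.0.0.40 -> 10.0.0.77 GET /index.html
not a request line
"""

if __name__ == "__main__":
    lan = ipaddress.ip_network("10.0.0.0/24")
    for ip, uris in find_rogue_servers(SAMPLE_LOG.splitlines(), lan, "10.0.0.1").items():
        print(f"rogue internal server {ip} answered {', '.join(uris)}")
```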
Unlike most malware, Flame does not try to spread itself to as many machines as possible. Instead, what’s notable about Flame is how much trouble it takes to avoid detection. Flame avoids traditional (and quickly patched) exploits like rootkits, takes great care to tuck its files away under innocuous names in difficult-to-scan formats, and avoids using suspicious components that would trigger security software. Unlike Stuxnet — which was essentially discovered when it ran amok and spread too quickly — Flame seems to be about targeting a relatively small number of machines and surveilling them extensively.
The result is that no one really knows how long Flame has been around. Some dates gleaned from Flame’s files seem to point all the way back to 2007 — although those could be fabrications — and a few components Flame refers to have been spotted in the wild as far back as December 2007.
Who made Flame?
If one thing is clear, it’s that Flame is not run-of-the-mill malware that could have been developed by a handful of coders in a basement fueled by Red Bull and chatroom boasting. The design and operation of Flame is undoubtedly a well-funded, sustained operation. Some security researchers have speculated Flame represents a multi-million-dollar effort that’s probably the result of at least a few years’ work. In the security world, that almost certainly means it has been created by a nation-state. Although many corporations have the money to pull off an effort like this, they’re far less likely to do so, and even less likely to be able to stay quiet about it.
Flame appears to have been coded in English, but that means almost nothing: a lot of malware coming out of China is also in English. Currently, speculation is focusing on the United States or Israel as potential creators of Flame, particularly since the appearance of Flame coincides with instances of massive data loss in Iran’s oil industry. Speculation has been further fueled by the New York Times reporting the U.S. and Israel jointly developed Stuxnet to cripple Iran’s uranium enrichment efforts.
Implications for mainstream malware
To date, most malware targeting everyday computer users has relied on achieving a large number of infections as quickly as possible — after all, antivirus vendors catch on fast. Those infections usually try to capture personal info — passwords, credit card numbers, etc. — that can be exploited by (or sold to) cybercriminals. Alternatively, malware might set up infected machines to act as zombies in spamming or malware distribution operations. Sometimes, malware does both.
These operations are typically run by criminal enterprises, but they’re opportunistic. The scammers realize their malware will be quickly wiped off the vast majority of computers they infect, so they try to infect as many as possible, hope for the best, then scamper away and move on to the next thing. Criminal organizations that rely on fraud and identity theft are unlikely to invest resources in developing something as labor-intensive and sophisticated as Flame — particularly since it could take so long to pay off.
However, other types of cybercriminals are undoubtedly paying attention. The apparent success of Flame raises the profile of highly-targeted malware. A low-profile, potentially individualized approach — dubbed an Advanced Persistent Threat in computing circles — turns the traditional malware economy on its head: Instead of trying to generate a small amount of money from as many people as possible, targeted malware would seek large payouts from a handful. It also avoids detection. If malware spreads only when operators tell it to spread, antivirus vendors are unlikely to catch wind of it — or recognize it if they do.
Criminals who aren’t averse to blackmail and extortion will note that Flame seems to have been assembled in part from many off-the-shelf components — including a highly portable scripting language, a public domain database, and widely available encryption techniques. All that helps Flame seem innocuous and just another common part of the ecosystem. Malware inspired by Flame wouldn’t have to be so complicated — especially right out of the gate. Further, as technology advances and tools become more sophisticated, the amount of effort needed to create malware with Flame-like capabilities gets lower all the time.
So will Flame or something like it be testing your virtual locks in the near future? Probably not. But businesses, enterprises, schools, and other organizations should already be taking note: not only are they potential victims in the broad malware universe, but it’s getting easier and easier for malware to come after them specifically. Malware is easy to ignore when it only hits oil production in a country halfway around the world, but when it successfully targets your bank, your employer, or your city’s infrastructure, it may feel like a much bigger problem.