Flame elevates security threat of USB drives
Success Flame creators had in using memory sticks will be studied by hackers
By Antone Gonsalves
June 12, 2012 — CSO — While USB drives have long been a security threat, the Flame spying malware brought the use of portable storage devices to a new level of weaponry.
Flame, discovered last month in Iran's oil-ministry computers, used USB ports found on every PC as a pathway to avoid detection by network-guarding security systems. The cleverness of Flame's creators in keeping the malware under the radar was one more example of why it is considered among the most sophisticated espionage-software packages to date.
Because Flame was looking for highly sensitive data, it had to steal the information from networks without internet connections, yet still be able to connect at some point to a remote command and control server, vendor Bitdefender said in its security labs blog. To do that, Flame would move stolen files and a copy of itself to a memory stick inserted in an infected computer.
When the storage device was plugged into another PC, Flame would check to see if it was connected to the Internet and then copy itself and the stolen files to the new host, which the malware used to compress the data and transmit it to the controller's server over HTTPS.
Flame would not store stolen documents in the new host, unless it was sure there was an Internet connection, Bitdefender said. "This is how it ensures that it has the best chances to call back home and send leaked data to the attacker."
The malware hid on storage devices by giving the folder that contained the malware and stolen data a name Windows could not read. "Because Windows could not read the name, the folder remained hidden from the user, giving him or her no reason to suspect they were carrying stolen information," Bitdefender said.
"The main idea behind this is something that we have not seen before: the information mule is a person who is used to carry information between two systems," Bitdefender said.
Flame was capable of infecting networked PCs, but that function was turned off to prevent the malware from spreading too far into a network, thereby increasing its chances of detection. Bitdefender acknowledged that the malware creators might also have had an accomplice who acted as a data smuggler in carrying an infected USB drive from one PC to another.
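As an added example that is not from the article or from Bitdefender, the following Python audit script walks a mounted removable volume and flags folder or file names that a Windows user would not see rendered as a normal name (control or format characters, undecodable bytes, trailing dots or spaces). It assumes the hidden folder relied on such a name; the article only says Windows could not read it, so the criteria below are an assumption, and the sample volume is constructed.

```python
import os
import tempfile
import unicodedata

# Unicode general categories that never belong in a name a user is meant to read:
# control (Cc), format such as zero-width characters (Cf), surrogates (Cs, which is
# also how Python reports undecodable bytes via surrogateescape), private-use (Co),
# and unassigned (Cn). Assumption: these are the kinds of names Windows fails to show.
SUSPICIOUS_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}


def name_is_unreadable(name: str) -> bool:
    """True if a file or folder name is one a user would not see displayed normally."""
    # Win32 strips trailing dots and spaces, so such names cannot be typed or opened
    # from Explorer even though the filesystem stores them.
    if name.strip() == "" or name != name.rstrip(" ."):
        return True
    return any(unicodedata.category(ch) in SUSPICIOUS_CATEGORIES for ch in name)


def scan_removable_volume(root: str) -> list:
    """Return sorted full paths of every directory or file whose name is unreadable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name_is_unreadable(name):
                findings.append(os.path.join(dirpath, name))
    return sorted(findings)


def demo() -> list:
    """Constructed sample volume (not real Flame artefacts) showing what the scan reports."""
    with tempfile.TemporaryDirectory() as vol:
        # "reports" is benign; a zero-width-space prefix and a trailing dot are flagged.
        for name in ("reports", "\u200bcache", "docs."):
            os.mkdir(os.path.join(vol, name))
        return [os.path.relpath(p, vol) for p in scan_removable_volume(vol)]


if __name__ == "__main__":
    for hit in demo():
        print("suspicious name:", repr(hit))
```

Run it against the mount point of a removable drive instead of the constructed volume to list entries worth examining with a hex viewer before trusting the device.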
The success Flame's creators had in using USB memory sticks will be studied by hackers. "The technicalities of how Flame uses the USB stick are new and show that attackers who are determined to penetrate deep inside secure environments are using USB devices to gain that access and to exfiltrate the data they discover too," Liam O Murchu, manager of operations for Symantec Security Response, said in an email Tuesday. "Flamer's use of this USB technique shows that this is an avenue of attack that is highly valuable and will be used again and again."