Is this Flame hot or just more FUD?


The security vendor community is going bonkers over Flame -- said to be the nastiest, most sophisticated piece of malware since Stuxnet and Duqu. Is the attention warranted, or are we seeing another over-reaction from the vendor community? For this post, let's look at what the vendors are saying; tomorrow morning I'll follow up with more analysis.

Roger Thompson of ICSA Labs wrote an analysis in the company blog, saying:

"Just as with Stuxnet and Duqu, it is a huge piece of incredibly complex malware, and all that is really known about it at the moment is that it is an information gatherer, at a minimum (although it could probably do just about anything), and has quite likely been around for at least a couple of years, undetected. In other words, it’s been trolling its victim systems for probably two years, gathering whatever it was told to gather, by its unidentified masters. It seems likely, but not certain, that the majority of victims were in Iran, or in other areas of the Middle East, although a good chunk of victims were found in Hungary, of all places. Why Hungary would be a target is not clear to me at this point. It might have been simply collateral damage, but I tend to dislike coincidences. This portends ill for its victims, as one of the tenets of computer security is that if a skilled hacker is in your networks for long enough, you can never get them out again, because they know more about your network than you do, and these hackers were skilled… highly skilled."

Andrew Brandt, director of threat research at Solera Networks, had this to say by email:

“From what I've read, this is like no Advanced Persistent Threat anyone has ever encountered. Flame has been engineered, from the ground up, to steal valuable information over a prolonged period by means of techniques the crimeware makers could not be bothered with. Weighing in at a massive 20MB, the Flame Trojan and its various downloadable components represent an entirely new threatscape not only for businesses but for governments and nongovernmental entities: Any organization, with any valuable information traversing its network, could be a target. Businesses, law enforcement, elected officials, militaries, NGOs -- you are all potential targets. Until the security community can build a greater pool of knowledge about the functions of the malware and the motives of its creators, we all remain at risk. This is no mere password stealer, it's a data siphon.”

McAfee Labs has published a blog post describing the malware in detail. Here’s an excerpt (note: They are calling the malware Skywiper):

"Previously, other cyber threats such as Stuxnet and Duqu both required months of analysis, and this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smaller encrypted modules is over 70,000 lines of decompiled C code, which contains over 170 encrypted “strings”!

"Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.

"We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more widely spread than Duqu, with similarly large numbers of variants.

"Skywiper is a modular, extendable and updateable threat. It is capable of, but not limited to, the following key espionage functions:

- Scanning network resources

- Stealing information as specified

- Communicates with C&C servers over SSH and HTTPS protocols

- Detects the presence of over 100 security products (AV, anti-spyware, FW, etc.)

- Both kernel and user mode logic is used

- Complex internal functionality utilizing Windows APC calls and thread start manipulation, and code injection into key processes

- It loads as part of Winlogon.exe then injects to Explorer and Services

- Conceals its presence as ~-named temp files, just like Stuxnet and Duqu

- Capable of attacking new systems over USB flash memory and the local network (spreads slowly)

- Creates screen captures

- Records voice conversations

- Runs on Windows XP, Windows Vista and Windows 7 systems

- Contains known exploits, such as the Print Spooler and LNK exploits found in Stuxnet

- Uses a SQLite database to store collected information

- Uses a custom DB for attack modules (this is very unusual, but shows the modularity and extensibility of the malware)

- Often located on nearby systems: a local network for both C&C and target infection cases

- Utilizes PE encrypted resources

"To summarize, the threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex, and robust in its basic structure."
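Two of the artifacts McAfee lists above (tilde-named temp files used to hide on disk, and SQLite databases used to store collected data) are the kind of thing a defender can triage on a host without any vendor signature. The following is an added example, not code from the original post or from any of the vendors quoted; it is a simple host-triage heuristic that walks a directory, picks out files whose names start with `~`, and flags only those whose header looks like a PE executable or a SQLite database, since tilde-prefixed temp names alone (Office lock files, for instance) are far too common to be worth an analyst's time. The directory layout and sample files are constructed for the demonstration and are not real Flame artifacts; the function names are the example's own.

```python
import os
import tempfile
from typing import Dict, List

# Magic bytes for the two file kinds the capability list associates with
# Skywiper/Flame artifacts: PE executables (modules) and SQLite databases
# (collected information). These header values are standard for both formats.
PE_MAGIC = b"MZ"
SQLITE_MAGIC = b"SQLite format 3\x00"


def classify_header(head: bytes) -> str:
    """Classify a file by its leading bytes: 'sqlite', 'pe' or 'other'."""
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def find_tilde_candidates(directory: str) -> List[Dict[str, str]]:
    """Report files under `directory` whose name starts with '~' AND whose header
    marks them as a PE module or a SQLite database. Returns a list of
    {'path': ..., 'kind': ...} dicts sorted by path, for analyst review."""
    hits: List[Dict[str, str]] = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.startswith("~"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(SQLITE_MAGIC))
            except OSError:
                # Locked or vanished temp files are normal; skip rather than abort.
                continue
            kind = classify_header(head)
            if kind != "other":
                hits.append({"path": path, "kind": kind})
    return sorted(hits, key=lambda h: h["path"])


def build_constructed_sample() -> str:
    """Create a throwaway directory of constructed files (hypothetical names and
    contents, not real malware) so the scanner can be exercised offline."""
    d = tempfile.mkdtemp(prefix="tilde_triage_")
    samples = {
        "~DF1234.tmp": PE_MAGIC + b"\x90" * 62,          # looks like a PE module
        "~collected.dat": SQLITE_MAGIC + b"\x00" * 84,   # looks like a SQLite store
        "~$report.docx": b"\x00" * 16,                   # Office lock file, benign header
        "notes.txt": b"hello",                           # no tilde prefix at all
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    sample_dir = build_constructed_sample()
    for hit in find_tilde_candidates(sample_dir):
        print(f"{hit['kind']:7s} {hit['path']}")
```

In practice you would point `find_tilde_candidates` at the user and system temp directories rather than a constructed sample, and treat a hit as a lead for further review (hash it, check its signer and creation time), not as a verdict on its own.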

Copyright © 2012 IDG Communications, Inc.
