Flame espionage weapon linked to MORE mystery malware
Forensic analysis of two command-and-control servers behind the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected – and has links to other mysterious, sophisticated software nasties.
Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations’ International Telecommunication Union.
The malware, which infected Microsoft Windows computers across the Middle East, came to light in May when Iranian authorities found it siphoning off data to its foreign handlers.
Over the last six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks, using multiple encryption techniques and periodically wiping data from the PCs to hide its activities.
Despite these efforts, the well-funded Flame handlers left behind a number of clues. “The CC servers were disguised to look like a common content management system, to hide the true nature of the project from hosting providers or random investigations,” a statement by Kaspersky Lab explains. “The servers were able to receive data from infected machines using four different protocols; only one of them servicing computers attacked with Flame.”
“The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created. Their nature is currently unknown.”
The command-and-control infrastructure associated with Flame has since been dismantled.
“They [the command servers] are all dead,” Costin Raiu, senior security researcher at Kaspersky Lab, told El Reg. “About 35 CC servers were active during the past 2 to 3 years, I believe 5 or 6 were active in May 2012.”
Flame’s control systems went offline immediately after Kaspersky Lab first unearthed the malware. All the command servers were running the 64-bit flavour of the Debian GNU/Linux operating system, virtualised using OpenVZ containers and disguised to look like a common web publishing system. Only the team behind the malware would have been able to read the heavily encrypted data uploaded there.
“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command-and-control servers,” said Alexander Gostev, chief security expert at Kaspersky Lab. “Flame’s creators are good at covering their tracks. But one mistake by the attackers helped us to discover more data that one server intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale.”
There’s no evidence to suggest that Flame’s command servers were used to control other known cyber-weapons – such as Stuxnet or Gauss – but they were used to operate a mystery malware strain, codenamed “SPE” by its authors. Kaspersky set up a sinkhole to capture internet traffic generated by SPE, establishing that the malware was in the wild and attempting to communicate with the wider world. By contrast, the two other unidentified Flame-related malicious programs (SP and IP) were not generating traffic and were generally inactive at the time of the May 2012 takedown.
A complete run-down of the main findings from the Kaspersky-Symantec analysis can be found here.
The Flame espionage campaign was unearthed in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union. Flame stealthily takes screenshots and snoops on network traffic and keystrokes, and even records audio conversations, before uploading this sensitive data to servers. The malware spread across the Middle East, but most of the victims were located in Iran.
Flame weighs in at a monster 20MB – 40 times larger than Stuxnet, a lightweight itself by malware standards. This led to accusations that the spying toolkit was nothing more than boring bloatware until it emerged that the malware used a clever MD5 collision attack to create counterfeit Microsoft security certificates, allowing bogus operating system upgrades to be pushed under the guise of legitimate Windows Update downloads.
Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned the cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran’s controversial nuclear enrichment programme. This information was used by Stuxnet to target its nuke centrifuge cyber-sabotage mission.
The joint Symantec and Kaspersky research shows Flame has been around for years, consistent with this theory while hardly proving it. The security research boffins would only say the data suggests Flame was created by an advanced, nation-sponsored group with plenty of cash. A component in an early build of Stuxnet appears in Flame as a plugin. Despite this link, Stuxnet and Flame are not regarded as close relatives. ®