Sunday, June 3, 2012

Flame Attack: Details Emerging Slowly

More details about the Flame malware are emerging as security analysts study the infection.

The latest numbers from Kaspersky Lab researchers suggest around 1,000 Windows PCs have been infected, the vast majority of which are in the Middle East. The security company reported 189 infections in Iran, 98 in Israel/Palestine and 32 in Sudan identified so far. Infections have been discovered in a wide range of sectors, including academia, private companies, and government.

Researchers have confirmed that Flame, Flamer and Skywiper are all the same thing, after some initial confusion as it was given three different names by different research groups.

The malware is best described as a cyber-espionage toolkit, and is written partly in the Lua scripting language with compiled C++ code linked in, with five different encryption methods and a SQLite database to store structured information. The malware is controlled by a network of command and control servers, and data was regularly sent from compromised PCs to C&C servers through a covert SSL channel.
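The regular check-ins to command and control servers described above are something a defender can look for even when the channel itself is encrypted: the timing of the connections is visible in proxy or firewall logs regardless of the SSL payload. The following is an added example, not code from the original post or from any of the research groups mentioned; the log format, the host names and the timestamps are constructed for illustration, and it flags any source/destination pair whose connection intervals are nearly constant.

```python
"""Periodic-beacon detector over constructed proxy log lines.

Added example, not code from the original post. The write-up notes that
compromised PCs regularly sent data to C&C servers over a covert SSL
channel; near-constant intervals between connections are one observable a
defender can test for without decrypting anything. The log format, host
names and timestamps below are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<timestamp> <src_host> <dst_host:port> <bytes>"
# One pair checks in every ~30 minutes; the other follows a human-like,
# irregular pattern.
SAMPLE_LOG = """\
2012-06-01T10:00:00 ws-17 203.0.113.10:443 512
2012-06-01T10:00:07 ws-17 example-cdn.test:443 20480
2012-06-01T10:30:01 ws-17 203.0.113.10:443 498
2012-06-01T10:42:13 ws-17 example-cdn.test:443 3011
2012-06-01T11:00:02 ws-17 203.0.113.10:443 530
2012-06-01T11:30:00 ws-17 203.0.113.10:443 505
2012-06-01T11:31:44 ws-17 example-cdn.test:443 77001
2012-06-01T12:00:01 ws-17 203.0.113.10:443 511
2012-06-01T13:05:00 ws-17 example-cdn.test:443 1200
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(text, min_events=4, max_jitter_ratio=0.05):
    """Return (src, dst, mean_interval_seconds) for every pair whose gaps
    between connections are nearly constant.

    The test statistic is the coefficient of variation (stddev / mean) of
    the inter-connection gaps; scheduled check-ins give a value near zero,
    while browsing traffic to the same host varies far more. Pairs with
    fewer than min_events connections are skipped to avoid noisy results.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv < max_jitter_ratio:
            hits.append((src, dst, round(mean)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: regular contact every ~{interval}s")
```

Run against the constructed sample, only the pair contacting 203.0.113.10:443 is reported (roughly every 1800 seconds); the irregular traffic to example-cdn.test is not. On real logs the thresholds need tuning, and legitimate scheduled tasks (update checks, monitoring agents) will also score as periodic, so the output is a list of pairs to triage rather than a verdict.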

While many initial reports hyped up the complexity of the malware, closer analysis of Flame suggests that the individual tools it uses are not that complex; rather, the way the whole package works together is the most sophisticated aspect of its design.

Justin Doo, security practice director for the MENA region at Symantec, said the day after the malware emerged that Flame gives whoever is controlling it a range of different tools.

"It is particularly sophisticated in terms of the capabilities it has. Depending on who is controlling the malware depends on its behaviour. In one instance it may record voice, through the microphone, and in another instance it may be a Trojan so it looks like an application but it is doing something completely different," he said.

Flame is able to steal documents, take screenshots of users' desktops, spread via USB drives, disable security vendor products, turn on PC microphones, turn on Bluetooth and search for nearby Bluetooth devices and intercept network traffic. It has also been discovered that Flame can record Skype conversations.

The malware is also able to identify which anti-virus software, if any, is in use on its host machine, and modifies behaviour to avoid detection.