June 12, 2012 by Dan Swinhoe
Early last week, the IT newswires lit up with the revelation that Iran had suffered another major malware attack. The threat, known as ‘Flame’ or ‘Skywiper,’ has been described by several researchers as the most complex piece of malicious software yet analysed.
Kaspersky Lab, the Russian security firm that discovered it, called it a ‘super-cyber weapon,’ saying ‘It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.’ Infections have been found across the Middle East, but Iran suffered the most, with almost 200 found there.
Researchers say it has been in circulation since 2010 or even earlier. This is not the first time Iran has been targeted but the third. The Stuxnet worm attacked Iran’s nuclear programme in 2010, and its data-stealing cousin Duqu was discovered in September of last year. Experts studying the code of these three attacks say they are highly likely to have originated from the same source.
An industrial vacuum cleaner for sensitive information
‘Flame’ contains about 20 times as much code as Stuxnet, which caused centrifuges to fail at the Iranian enrichment facility it attacked, and roughly 100 times as much as a typical virus written to steal financial information. Fully installed, the malware occupies about 20 megabytes and contains multiple libraries, SQLite3 databases, several layers of encryption (some strong, some weak) and around 20 plug-ins that can be swapped in and out to provide functionality.
Its code is modular, extendable and updatable, and capable of a wide range of covert, malicious behaviours. ‘Flame’ can steal data, capture screenshots and record audio through the compromised system’s microphone, but that barely scratches the surface. It covers every major avenue for gathering intelligence, including the keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes. The authors evidently had the ability to change its functionality and behaviour at will, and such changes could be introduced as upgrades, as fixes, or simply to evade security products.
Still A Threat?
It sounds scary, and it is a milestone in malware, but should you be worried? Thankfully, probably not. For one thing, its purpose does not appear to have been to interfere with anything, only to watch, which makes it closer to a wiretap than to a destructive virus. And by Wednesday Iran’s National Computer Emergency Response Team (Maher) said in a statement that a detection and clean-up tool was finished and ready for distribution to organisations at risk of infection. In all likelihood there was only ever a small chance that your system was infected: although the list of victims ranged from individuals and businesses to academic institutions and government systems, the general consensus is that this was a targeted attack.
Its targeted nature is one of the reasons it escaped detection for so long. According to PCWorld.com, one vendor suggests there was a deliberate delay between the code being written and its being put into active use. Many security tools use some form of reputation analysis to decide whether a given program is malware: if a file or command has been seen before without causing harm, it is given a pass and trusted. It is therefore theorised that ‘the amount of time that has passed between the initial development of the underlying ‘Flame’ code and its active use as a tool for cyber espionage or cyber warfare may have been an intentional effort to game the reputation system and sneak in under the radar.’
Its complexity has led the researchers who found it to suggest that it must have been a state-led operation. A Symantec blog noted, “As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.” Though they could not say where it originated, Kaspersky Lab said:
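To make the reputation-gaming theory concrete, here is a small model of an age-and-observation-based reputation check of the kind the paragraph describes, beside a variant that does not let dormancy alone earn trust. This is an added illustration written for this article, not code from any vendor’s product or from the ‘Flame’ analysis; the thresholds, the record fields and the three sample files are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class FileRecord:
    """Constructed reputation record for one binary (hashes are placeholders)."""
    sha256: str
    first_seen: date            # first time any endpoint reported this hash
    clean_observations: int     # scans on endpoints that raised no detection
    prevalence: int             # distinct hosts the hash has been seen on
    signed_by_trusted_publisher: bool = False

def naive_verdict(rec: FileRecord, today: date,
                  min_age_days: int = 180, min_clean: int = 50) -> str:
    """Reputation as described in the text: seen for long enough without
    causing harm -> trusted. Age and clean scans are the only inputs."""
    age_days = (today - rec.first_seen).days
    if age_days >= min_age_days and rec.clean_observations >= min_clean:
        return "allow"
    return "inspect"

def hardened_verdict(rec: FileRecord, today: date,
                     min_prevalence: int = 1000) -> str:
    """Same store, but time spent dormant never earns trust on its own.
    A trusted signature allows; otherwise a rare (low-prevalence) unsigned
    file is inspected regardless of age, because a targeted implant is by
    definition rare. Only common unsigned files fall back to the age check."""
    if rec.signed_by_trusted_publisher:
        return "allow"
    if rec.prevalence < min_prevalence:
        return "inspect"
    return naive_verdict(rec, today)

# Constructed sample inputs (assumed values, not real telemetry).
TODAY = date(2012, 5, 28)
SAMPLES = {
    "common_tool": FileRecord("aaaa" * 16, date(2011, 1, 10), 25000, 48000),
    "signed_update": FileRecord("bbbb" * 16, date(2012, 5, 20), 3, 900,
                                signed_by_trusted_publisher=True),
    # Dormant targeted implant: planted early, scanned repeatedly with no
    # detection, present on a handful of hosts. Age is its only credential.
    "sleeper": FileRecord("cccc" * 16, date(2010, 2, 1), 300, 40),
}

def compare_verdicts(today: date = TODAY) -> dict:
    """Return {name: (naive, hardened)} for every sample."""
    return {name: (naive_verdict(rec, today), hardened_verdict(rec, today))
            for name, rec in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in compare_verdicts().items():
        print(f"{name:14s} naive={naive:8s} hardened={hardened}")
```

The point is not the thresholds, which are arbitrary here, but which signals are allowed to produce an allow verdict: a system that rewards "old and never caught" is exactly what a patient attacker can satisfy by waiting, whereas a verdict that also requires either a trusted signer or real prevalence cannot be gamed by dormancy alone.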
“Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group.”
So who might have sent it? It’s not my job to point fingers, but much of the speculation in the media points to Iran’s neighbour Israel. According to the Jerusalem Post, Israel’s Vice Premier Moshe Ya’alon said last Tuesday that “whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them.” He later added, “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” Whether that was a hint or merely a boast that they could if they wanted to, a piece on RichardSilverstein.com is less subtle and claims a high-ranking source admitted his country was behind it. Until proof is found or someone admits to writing it, all of this is speculation, but it cannot help what are already frosty international relations in the region.
It is going to take years to fully unravel ‘Flame.’ At the rate these attacks are occurring, by the time it is fully understood the next attack will be imminent or will already have happened; it might be lurking in systems right now. Pointing fingers will do no good, and neither will retaliating with home-grown state malware. The right and clever course of action is to close the holes that let ‘Flame’ in and to treat it as a lesson in preparing for future attacks. More checks, tighter security and stricter access controls are a good place to start.