Tuesday, May 29, 2012

  • Tuesday, May 29, 2012
  • Elder of Ziyon
Wired reports on a newly discovered cyber weapon that dwarfs Stuxnet in complexity:

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.

Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.

“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time-period when Stuxnet and DuQu are believed to have been created.

Gostev says that because of its size and complexity, complete analysis of the code may take years.

“It took us half-a-year to analyze Stuxnet,” he said. “This is 20-times more complicated. It will take us 10 years to fully understand everything.”

Kaspersky discovered the malware about two weeks ago after the United Nations’ International Telecommunications Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems. The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mixup.

Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against whitelists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries. As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.

Kaspersky, however, is currently treating Flame as if it is not connected to Wiper/Viper, and believes it is a separate infection entirely. The researchers dubbed the toolkit “Flame” after the name of a module inside it.

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

Flame does contain a module named Viper, adding more confusion to the Wiper/Viper issue, but this component is used to transfer stolen data from infected machines to command-and-control servers. News reports out of Iran indicated the Wiper/Viper program that infected the oil ministry was designed to delete large swaths of data from infected systems.

Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet.

Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009. It is widely believed to have been designed to sabotage centrifuges used in Iran’s uranium enrichment program. DuQu was an espionage tool discovered on machines in Iran, Sudan, and elsewhere in 2011 that was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques.

But Flame doesn’t resemble either of these in framework, design or functionality.

Stuxnet and DuQu were made of compact and efficient code that was pared down to its essentials. Flame is 20 megabytes in size, compared to Stuxnet’s 500 kilobytes, and contains a lot of components that are not used by the code by default, but appear to be there to provide the attackers with options to turn on post-installation.

“It was obvious DuQu was from the same source as Stuxnet. But no matter how much we looked for similarities [in Flame], there are zero similarities,” Gostev said. “Everything is completely different, with the exception of two specific things.”

One of these is an interesting export function in both Stuxnet and Flame, which may turn out to link the two pieces of malware upon further analysis, Gostev said. The export function allows the malware to be executed on the system.

Also, like Stuxnet, Flame has the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also uses the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. This suggests that the authors of Flame may have had access to the same menu of exploits that the creators of Stuxnet used.

The researchers say they don’t know yet how an initial infection of Flame occurs on a machine before it starts spreading. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
Iran admits losing lots of data to Flame:
Iranian authorities have admitted that malicious software dubbed Flame has attacked it, and instructed to run an urgent inspection of all computer systems in the country.

Iran's MAHER Center said Tuesday that the Flame virus "has caused substantial damage" and that "massive amounts of data have been lost."

The center, which is part of Iran's Communication's Ministry said that the virus' level of complexity, accuracy and high-functionality – noted mostly by the information corrupted – indicated that there is a "relation" to the Stuxnet virus.

Iranian experts said that Flame was able to overcome 43 different anti-virus programs.

While no one knows who is behind "the most sophisticated virus of all times," the bottom line, computer experts say, is that only a state could have developed such a complex virus.
And Israel's Deputy Prime Minister Moshe Ya'alon hinted that Israel might be that state:
"Anyone who sees the Iranian threat as a significant threat will likely take various countermeasures, including, to hurt them," said Deputy Prime Minister, Minister of Strategic Affairs Moshe Ya'alon, in an interview with program "Good Morning Israel" with Golan Yochpaz. "Israel is blessed as a country rich in high technology; these tools we have open all sorts of possibilities to us."
(h/t Yoel)



EoZTV Podcast

Podcast URL

Subscribe in podnovaSubscribe with FeedlyAdd to netvibes
addtomyyahoo4Subscribe with SubToMe

search eoz

Loading...

comments

Speaking

follow me

Follow by Email

Contact

Elder: elder -at- elderofziyon dot com
Mrs. Elder: mrs.elder -at- elderofziyon.com


translate

E-Book

For $18 donation








Sample Text

EoZ's Most Popular Posts Ever

Hasbys!

Elder of Ziyon - حـكـيـم صـهـيـون

This blog may be a labor of love for me, but it takes a lot of effort, time and money. For over 12 years and over 25,000 articles I have been providing accurate, original news that would have remained unnoticed. I've written hundreds of scoops and sometimes my reporting ends up making a real difference. I appreciate any donations you can give to keep this blog going.

Donate!

Donate to fight for Israel!

Monthly subscription:
Payment options



One time donation:



subscribe via email

Follow EoZ on Twitter!

Tweets

Compliments

The Jerusalem Report:"A seemingly indefatigable one-man operation, armed only with a computer, chutzpa and stamina."

Algemeiner: "Fiercely intelligent and erudite"

Omri: "Elder is one of the best established and most respected members of the jblogosphere..."
Atheist Jew:"Elder of Ziyon probably had the greatest impression on me..."
Soccer Dad: "He undertakes the important task of making sure that his readers learn from history."
AbbaGav: "A truly exceptional blog..."
Judeopundit: "[A] venerable blog-pioneer and beloved patriarchal figure...his blog is indispensable."
Oleh Musings: "The most comprehensive Zionist blog I have seen."
Carl in Jerusalem: "...probably the most under-recognized blog in the JBlogsphere as far as I am concerned."
Aussie Dave: "King of the auto-translation."
The Israel Situation:The Elder manages to write so many great, investigative posts that I am often looking to him for important news on the PalArab (his term for Palestinian Arab) side of things."
Tikun Olam: "Either you are carelessly ignorant or a willful liar and distorter of the truth. Either way, it makes you one mean SOB."
Mondoweiss commenter: "For virulent pro-Zionism (and plain straightforward lies of course) there is nothing much to beat it."
Didi Remez: "Leading wingnut"

Interesting Blogs

Categories

Abbas liar Academic fraud administrivia al-Qaeda algeria American Jews Amnesty analysis anti-semitism apartheid arab refugees Arafat archaeology art ASHREI B'tselem bahrain bbc BDS BDSFail Bedouin Beitunia beoz book review breaking the silence Cardozo Chanukah Christians conspiracy theories Cyprus Daphne Anson Davis report DCI-P double standards Egypt Elder gets results ElderToons Electronic Intifada EoZNews eoztv Erekat EU Euro-Mid Observer Fake Civilians 2014 Fatah featured Features fisking flotilla Forest Rain free gaza freedom of press palestinian style future martyr Gary Spedding gaza Gaza Platform George Galloway George Soros gideon levy gilad shalit gisha Goldstone Report Good news Grapel Guardian gunness Haaretz hamas Hamas war crimes hasbara Hasby 2014 Hasby 2016 Hebron helen thomas hezbollah history Hizballah Holocaust denial honor killing HRW Human Rights Humanitarian crisis humor Hypocrisy ICRC Ilan Pappe impossible peace incitement Indonesia international law intransigence iran Iraq Islamic Judeophobia Islamism Israel Loves America Israeli culture Israeli high-tech J Street jabalya jeremy bowen Jerusalem jewish fiction Jewish Voice for Peace jihad jimmy carter John Kerry jokes jonathan cook Jordan Juan Cole Judea-Samaria Kairos Karl Vick ken roth khalid amayreh Khaybar Lebanon leftists Linkdump lumish mahmoud zahar Malaysia max blumenthal McGraw-Hill media bias Methodist Miftah Mohammed Assaf Mondoweiss moonbats Morocco music Muslim Brotherhood Nakba Natural gas Nazi News nftp NGO NIF norpac NYT Occupation offbeat Omar Barghouti Opinion oxfam PA corruption PalArab lies Palestine Papers pallywood pchr PCUSA Peter Beinart Petra MB poll Poster Preoccupied Prisoners propaganda Proud to be Zionist purimshpiel Qaradawi Qassam calendar Rafah Ray Hanania real liberals reference Richard Falk rogel alpher roger cohen roger waters Saudi Arabia saudi vice self-death self-death palestinians sex crimes SFSU shechita sheikh tamimi Shujaiyeh Simona Sharoni SodaStream South Africa Speech stamps Syria Tarabin Temple Mount Terrorism This is Zionism Thomas Friedman Tunisia Turkey UCI UK UN UNDP unesco unhrc United Arab Emirates Unity unrwa UNRWA hate unrwa reports UNRWA-USA Varda Vic Rosenthal Washington wikileaks work accident X-washing Yemen zahran zionist attack zoo Zvi

Blog Archive