Tuesday, June 05, 2012

More Flame info - not as impressive as the hype

From YNet:
Researchers at the Kaspersky Lab said Tuesday that one of the Flame virus' main objectives was to copy confidential technical drawings pertaining to Iran's secret military and nuclear facilities.

"Flame" hit Iran in late May and has since been hailed as "the most sophisticated cyber-bomb to date."

Tehran said it was able to contain the malware, but admitted that significant amounts of data have been corrupted.

According to the BBC report, the hackers controlling Flame "used a number of complex fake identities in order to carry out their plans."

Kaspersky's researchers said that the fake identities – complete with fake addresses and billing information – were "used to register more than 80 domain names used to distribute the malware."

Researchers were also able to put together statistics on the extent of the Flame strike. The information was gathered via "sinkholing."

Vitaly Kamluk, a senior researcher at Kaspersky, explained that, "Sinkholing is a procedure when we discover a malicious server - whether it is an IP address or domain name - which we can take over with the help of the authorities or the (domain) registrar.

"We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them," the BBC quoted him further.

Kamluk added that the attackers had a "high interest in AutoCad drawings, in addition to PDF and text files", further cementing reports suggesting the Flame was on a complex reconnaissance mission.

"They were looking for the designs of mechanical and electrical equipment," Prof. Alan Woodward, from the University of Surrey, told the BBC.

The thing is, Kaspersky seems to be overstating Flame's sophistication.

The Register, a well-regarded British security publication, says:
Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code.

Rather than redefining cyberwar and cyberespionage, as Kaspersky researchers initially claimed amid Iranian warnings that the malware was "a close relation to the Stuxnet and Duqu targeted attacks", Flame is bloated and overhyped, according to rival security vendors.

Flame is a precise attack toolkit rather than a general-purpose cyber-weapon, the argument goes. It hasn't spread very far and might well be restricted to systems administrators of Middle East governments.

"While it really doesn't do anything we haven't seen before in other malware attacks — what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system," Patrik Runald of Websense explains.

"Also, Flame has been operating under the radar for at least two years, which counter-intuitively may partially be attributed to its large size."

...A lot was made of the modular design of Flame but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht and who later founded the application security firm VeraCode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.

Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.

The experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, it cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, F-Secure adds.

As for registering Internet domains with fake credentials, that is ridiculously easy to do and hardly an indication of a super spy network: many domain registrars don't require any proof of identity.

No doubt Flame was created by a government, and no doubt it is powerful, but the original description was filled with hype. Its search for AutoCAD drawings, not to mention its Bluetooth sniffing, indicates it is an espionage tool.

It is not unusual for directed malware, meant only for a small geographic area and only infecting a comparatively tiny number of machines, to not be noticed for years.

Which means that it is entirely possible that there are lots of Flames out there.
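The "sinkholing" statistics Kamluk describes above come from doing little more than counting who knocks on the seized domains. As an added illustration (my own code, not Kaspersky's), here is the kind of tally a lab server's access log yields; the domain names, IP addresses and user-agent prefix are constructed assumptions, and the separation of "noise" (scanners, other researchers) from probable victims is the one step that most distorts the headline infection count if skipped.

```python
import re

# Constructed sample of a sinkhole web server's access log once the seized
# domains resolve to the lab machine. Domains and IPs are hypothetical.
SAMPLE_LOG = """\
2012-06-04T10:01:12Z 203.0.113.5 sinkholed-c2-a.example "GET /update?id=ab12 HTTP/1.1" "Mozilla/4.0"
2012-06-04T10:02:40Z 203.0.113.5 sinkholed-c2-a.example "GET /update?id=ab12 HTTP/1.1" "Mozilla/4.0"
2012-06-04T11:15:03Z 198.51.100.17 sinkholed-c2-b.example "POST /upload HTTP/1.1" "Mozilla/4.0"
2012-06-04T12:00:00Z 192.0.2.44 sinkholed-c2-a.example "GET /update?id=9f3c HTTP/1.1" "Mozilla/4.0"
2012-06-05T09:30:21Z 198.51.100.17 sinkholed-c2-a.example "GET /update?id=77e1 HTTP/1.1" "Mozilla/4.0"
garbage line that should be skipped
2012-06-05T09:31:00Z 203.0.113.99 sinkholed-c2-b.example "GET / HTTP/1.1" "curl/7.2"
"""

# timestamp, client IP, requested Host, request line, user agent
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def sinkhole_stats(text, victim_ua_prefix="Mozilla/4.0"):
    """Per sinkholed domain: distinct victim IPs, hits, noise, first/last seen.

    victim_ua_prefix is an assumed fingerprint of the implant's HTTP client;
    requests that do not match are counted as noise, not as infections.
    """
    stats = {}
    for rec in parse_log(text):
        s = stats.setdefault(rec["host"], {"victims": set(), "hits": 0,
                                           "noise": 0, "first": None, "last": None})
        if not rec["ua"].startswith(victim_ua_prefix):
            s["noise"] += 1
            continue
        s["victims"].add(rec["ip"])
        s["hits"] += 1
        # ISO-8601 timestamps in UTC sort correctly as plain strings
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats


def total_victims(stats):
    """Distinct victim IPs across all domains (one host may call several C2 names)."""
    return len(set().union(*(s["victims"] for s in stats.values()))) if stats else 0
```

Summing per-domain victim counts would double-count 198.51.100.17 here, which is why the cross-domain union is reported separately.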