Flame, aka Flamer or sKyWIper

Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Mon May 28, 2012 14:06 pm    Post subject: Flame, aka Flamer or sKyWIper

Flame, aka Flamer or sKyWIper, has been dubbed more complex than Duqu and Stuxnet. In fact, it has been described as "the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

As described in The Flame: Questions and Answers - Securelist:
Quote:

What exactly is Flame? A worm? A backdoor? What does it do?

Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.

Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.


The following quote by Professor Alan Woodward, Department of Computing, University of Surrey, was included in the BBC article, Flame: Massive cyber-attack discovered, researchers say:
Quote:

This is an extremely advanced attack. It is more like a toolkit for compiling different code-based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine.

It also has some very unusual data-stealing features, including reaching out to any Bluetooth-enabled device nearby to see what it can steal.

Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't need to be connected to a network, although it has that capability as well.

This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time.


In other words, we are going to be seeing a lot more of Flame.

Additional References:

_________________
Freedomlist.com (March 1, 2000 - 2013)



Take a walk through my Security Garden
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Tue May 29, 2012 13:29 pm

I've updated my blog post with additional references beyond my initial post above: Flame, aka Flamer or sKyWIper.
frapper


 
Joined: 14 Feb 2001
Posts: 2499
Location: People's Republic of America

Posted: Tue May 29, 2012 15:14 pm

Quote:
"If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about," Schouwenberg said in an interview.


Thanks for the links, Corrine. Fascinating reading.
Lost

๑۞๑
 
Joined: 30 Jan 2003
Posts: 3407
Location: boston,ma

Posted: Tue Jun 05, 2012 15:14 pm    Post subject: spoofing Windows Update

http://news.cnet.com/8301-10805_3-57447277...ditorPicks

Flame virus can hijack PCs by spoofing Windows Update

Using rogue security certificates, the virus is able to exploit Microsoft's Windows Update service to infect unsuspecting computers.

_________________
Micah 6:8 He has showed you, O man, what is good. And what does the Lord require of you? To act justly,
and to love mercy and to walk humbly with your God.
DaveG


 
Joined: 09 Jul 2003
Posts: 95

Posted: Wed Jun 06, 2012 7:32 am

Thanks for posting that. This one really scares me, especially the part about infection via Windows Update!

OpenDNS claims to block communications between infected PCs and Flame Command and Control

http://blog.opendns.com/2012/05/29/malware...e-malware/

Also Bitdefender has a free tool to check for and remove Flamer.

http://labs.bitdefender.com/2012/05/cyber-...th-flamer/

DaveG
frapper


 
Joined: 14 Feb 2001
Posts: 2499
Location: People's Republic of America

Posted: Wed Jun 06, 2012 10:12 am

I have all my machines set to connect through OpenDNS. Another layer of security.
Temmu


 
Joined: 31 Jan 2005
Posts: 407
Location: far reaches of the galaxy... but you knew that...

Posted: Thu Jun 14, 2012 14:33 pm

It bothers me to no end that it mimics MS Windows Update.
Most PCs (wisely) use Windows Update to keep themselves patched.

scary.
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Thu Jun 14, 2012 20:26 pm

There have been lots of rogues that mimic valid software in names and/or images. Look at this one posted today. Note the use of Windows & Defender in the name, and Security Essentials and Security Center in the image:

How to remove Windows Active Defender
digger

๑۞๑
 
Joined: 29 Mar 2001
Posts: 2656

Posted: Thu Jun 14, 2012 23:09 pm

Corrine wrote:
There have been lots of rogues that mimic valid software in names and/or images.
Yes, but it is quite rare for them to do so using digital signatures that were forged a year before techniques for such forgeries were published.

edit:

DaveG wrote:
OpenDNS claims to block communications between infected PCs and Flame Command and Control
They may be able to provide some protection, but there's only so much they can do as a DNS service; still, it's good that they help out where they can. It seems like the authors of Flame could easily spread a new version that works regardless of your DNS settings.

Anyway, reports are that the Flame network is shutting itself down, for now...