Flame One Year Later

It’s been a year since the first reports of the Flame malware surfaced, and looking back at the 12 months since then, it seems more and more each day that the discovery of Flame should be seen as a seminal event in the evolution of malware.

It’s been a year since the first reports of the Flame malware surfaced, and looking back at the 12 months since then, it seems more and more each day that the discovery of Flame should be seen as a seminal event in the evolution of malware.

When Flame emerged in May 2012, some of the outside analysis concluded that it was nothing special and was just another malware toolkit. It was seen by some as a huge, over-engineered piece of software that didn’t do anything that hadn’t been done by hundreds or thousands of other pieces of malware over the years. It infected machines, stole data and sent that data to the attackers. Not very thrilling.

But then a funny thing happened. As details of the inner workings of Flame began to trickle out, a picture started to emerge of a highly sophisticated and precisely engineered espionage tool. There are a number of interesting things about Flame, as it turns out, but the big one, the thing that really put Flame on the Mt. Rushmore of malware, is the forged certificate. Malware writers have been using forged or stolen digital certificates to give their wares legitimacy for years now, mainly to sign malware and help get it past antivirus scanners. But the Flame authors went several steps beyond that with their creation.

Some of Flame’s components were signed with a digital certificate that appeared to come from Microsoft. The attackers used a weakness in Terminal Services that allowed them to use digital certificates originally designed for other purposes to sign their code. Pretty slick. But the really clever bit was the method the attackers used to generate the forged Microsoft certificate. The Flame creators didn’t just steal a certificate, they took the time to find a hash collision in MD5 that enabled them to produce a legitimate Microsoft certificate. The attackers then used the certificate to sign executables that were disguised as Microsoft updates and used to spread Flame within an infected network. They essentially performed a man-in-the-middle attack on Windows Update in order to spread their malware.

“The Microsoft Hydra extension is marked as ‘critical’ and this is crucial to why the attacker needed to perform a collision attack.  In X.509 parlance, if an extension is essential to the proper validation of a certificate chain, it must be marked critical. The behavior of a crypto library upon encountering an extension marked critical that it does not understand is to fail validation. The Crypto API in Window Vista and later versions of Windows behave this way and the certificates fail validation on those platforms.  Hence, if the attacker wanted a certificate that worked on all versions of Windows they needed to remove this field,” Microsoft’s Jonathan Ness wrote in an analysis of the attack.

The discovery of the hash collision and the method the attackers used for spreading Flame immediately changed the public perception of Flame. Now, the malware was seen as a landmark, a significant milestone in the development of such tools and something that was almost certainly the work of a government or state-funded group of developers.

With the perspective of of a year’s time, we can see that Flame was indeed a turning point. Not just in the technological advancement that it represented, but also in the deployment of similar espionage tools. Flame was used in a series of targeted attacks against organizations in the Middle East, mostly in Iran, Israel and Palestine, and it’s mission was to steal sensitive information and ship it off to the attackers. It accomplished that mission remarkably well and was active for more than a year before security researchers discovered it. In the year since Flame’s discovery, researchers have come upon a steady stream of surveillance tools and all indications are that the production and deployment of such malware is increasing.

The other thing that’s emerged in the last year is the general acknowledgement that the people writing and using these tools aren’t malware gangs or hackers for hire, but governments, intelligence agencies and law enforcement agencies. That’s a major shift in the landscape, and it muddies the waters in a lot of different ways. Security researchers in recent months have been exposing the digital surveillance tools employed by governments around the world and the groups that these governments are targeting. The scale and scope of the digital surveillance occurring today is staggering, and it’s not just major powers such as the United States, China and the U.K. who are involved. Consider the following passage from Citizen Lab’s report “For Their Eyes Only”:

“While hacking as a means of data-gathering has existed since the inception of the Internet, in the last few years the rise of an industry providing commercial intrusion and malware as lawful interception products has grown. Once a boutique capability possessed by few nation states, commercial intrusion and monitoring tools are now being sold globally for dictator pocket change.”

Flame was a huge deal when it was discovered–and remains so today–not just because of its sophistication, scale and the use of the hash collision, but also for the fact that a group somewhere went to the trouble of writing it in the first place. With commercial tools readily available, the idea of bothering to write your own spyware is a bit outdated now. If Stuxnet ushered in the era of government-sponsored malware use and Flame represented a quantum leap forward in the technology, then the commercialization of spyware may be the development that begins to make those custom tools unnecessary.

 Image from the Flickr photostream of Blmurch.


Suggested articles