From all indications, it would appear that attackers are continuing to attack and malware authors are carrying on writing malware. The latest bit of evidence to support these conclusions is the discovery of the Flame malware, which, initial analyses show, is an advanced data-stealing tool that is being used in targeted attacks against organizations in Iran, Syria and Palestine, and has experts speculating that Flame was built by a Western intelligence agency or military.
The existence of Flame was revealed on Monday, but the tool apparently has been in existence for more than two years (or possibly five years) and has infected several hundred organizations in various countries in the Middle East. The initial infection vector is still unclear and it’s not known for sure whether Flame uses any perviously unknown vulnerabilities in Windows or other applications. What is known is that Flame is a rather large, complex and well put together piece of malware that follows in the famous footsteps of both Stuxnet and Duqu.
However, researchers are being quite careful to differentiate Flame from its predecessors, both in scope and construction, and say that the newer tool is likely unrelated to either Stuxnet or Duqu. In fact, it looks like Flame has far more differences from Stuxnet and Duqu than similarities. Flame has nearly two dozen separate components, many of which are designed specifically to steal various kinds of information from infected machines. The malware can record audio from the microphone, take screenshots of certain applications and then upload all of that data to a remote command-and-control server via an SSL-encrypted connection.
There are other pieces of malware that have these capabilities and the ability to take screenshots and upload them to remote servers is not unique to Flame. Several remote administration tools such as BO2K and backdoors have employed similar tactics for years. But, the combination of the malware’s capabilities, along with its target list, leads researchers to believe that Flame was designed and built by a government rather than a cybercrime crew.
“Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it,” Aleks Gostev, chief security expert at Kasperky Lab, wrote in an analysis of Flame.
The researchers at CrySyS Lab in Hungary, who first discovered Duqu, agreed that Flame, which they call sKyWIper, is the work of a well-funded government.
“The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities. sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found,” they wrote in their analysis.
So what does the discovery of Flame mean in the grand scheme of malware, cyberwar and offensive security operations? It means exactly what you think it means: Government agencies around the world are building and deploying tools to attack one another.
This is not new information, but it’s important to be reminded of it every once in a while for a couple of reasons. First, people need to understand that these kind of operations are happening on a regular, ongoing basis and that, while attack tools such as Stuxnet and Duqu are scary, they’re not unique. Flame, Duqu and Stuxnet are just the ones that we know about. Second, the discovery of Flame after two or five or eight years of use should remind us that the defenses most organizations have in place right now are of little use for detecting custom threats and tools.
Defense is hard, and defending against a team with the time, money and motivation to compromise a select group of targets is no one’s idea of a good time. The discovery of Flame illustrates this point perfectly.