[silk] Flame is Lame

Biju Chacko biju.chacko at gmail.com
Tue Jun 12 05:34:12 PDT 2012


http://www.f-secure.com/weblog/archives/00002383.html

When the Flame malware was found two weeks ago, it was characterized
as 'Highly advanced', 'Supermalware' and 'The biggest malware in
history'.

These comments were immediately met with ridicule from experts who
were quick to point out that there was nothing particularly new or
interesting in Flame.

In fact, the only unique thing in Flame seemed to be its large size.
Even that was not too exciting as analysts went digging for examples
of even larger malware and indeed found them (some malware tries to
look like video files so they carry full-length movies inside their
bodies).

Suggestions that Flame was created by a government and, like Stuxnet
and Duqu, would be the product of a nation-state were met with
ridicule as well.

But let's have a look at what we've learned about Flame over these two weeks.

1. Flame has a keylogger and a screengrabber

The naysayers are unimpressed. "We've seen that before. Flame is lame."

2. Flame has built-in SSH, SSL and LUA libraries

"Bloated. Slow. Flame is still lame."

3. Flame searches for all Office documents, PDF files, Autodesk files
and text files on the local drives and on network drives. As there
would easily be too much information to steal, it uses IFilters to
extract text excerpts from the documents. These are stored in a local
SQLite database and sent to the malware operators. This way they can
instruct the malware to hone in on the really interesting material.

"Flame is lame"

4. Flame can turn on the microphone of the infected computer to record
discussions spoken near the machine. These discussions are saved as
audio files and sent back to the malware operators.

"Flame is lame, lol"

5. Flame searches the infected computer and the network for image
files taken with digital cameras. It extracts the GPS location from
these images and sends it back to the malware operators.

"Still, Flame is lame"

6. Flame checks if there are any mobile phones paired via Bluetooth to
the infected computer. If so, it connects to the phone (iPhone,
Android, Nokia etc), collects the Address Book from the phone and
sends it to the malware operators.

"Flame is still lame, kind of."

7. The stolen info is sent out by infecting USB sticks that are used
in an infected machine and copying an encrypted SQLite database to
the sticks, to be sent when they are used outside of the closed
environment. This way data can be exfiltrated even from a
high-security environment with no network connectivity.

"Agent.BTZ did something like this already in 2008. Flame is lame."

8. When Flame was now finally caught, the attackers have been busy
destroying all evidence and actively removing the infections from the
affected machines.

"Doesn't prove anything. Lame."

9. Latest research proves that Flame is indeed linked to Stuxnet. And
just one week after Flame was discovered, US Government admitted that
they had developed Stuxnet together with the Israeli Armed Forces.

"You're just trying to hype it up. Still lame."

10. Flame creates a local proxy which it uses to intercept traffic to
Microsoft Update. This is used to spread Flame to other machines in a
local area network.

"Lame. Even if other computers would receive such a bogus update, they
wouldn't accept it as it wouldn't be signed by Microsoft".

The fake update was signed with a certificate linking up to Microsoft
root, as the attackers found a way to repurpose Microsoft Terminal
Server license certificates. Even this wasn't enough to spoof newer
Windows versions, so they did some cutting-edge cryptographic research
and came up with a completely new way to create hash collisions,
enabling them to spoof the certificate. They still needed a
supercomputer though. And they've been doing this silently since 2010.

"..."

And suddenly, just like that, the discussion on whether Flame is lame
or not ... vanished.

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
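Point 10 and the paragraph after it turn on one defensive question: would a validator have accepted a certificate chain in which a signature relies on MD5? The following is an added example, written for this archive page and not taken from the F-Secure post or from any Flame analysis. It walks the outer DER structure of an X.509 certificate, decodes the signatureAlgorithm OID and refuses MD5-based RSA signatures anywhere in a chain. The certificates it checks are constructed skeleton DER blobs (a serial number, an algorithm identifier and a placeholder BIT STRING), not real certificates, and the names make_skeleton_cert, signature_algorithm and first_weak_signature are this example's own; a production validator would use a full X.509 library and also check key usage and extended key usage, which this snippet does not.

```python
"""Reject certificate chains whose signatures depend on a broken hash (MD5).

Added example, not the F-Secure post's or any Flame analysis's code. The
DER encoder below exists only to build constructed, skeletal certificates
for the check; the sample blobs are not real certificates.
"""

# PKCS#1 signature algorithm OIDs (real, standard values)
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# MD5 collisions are practical, so a signature over an MD5 digest proves nothing
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in a DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after the element) for buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert_body)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert_body, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def first_weak_signature(chain):
    """Name of the first weak signature algorithm in the chain, or None."""
    for cert in chain:
        oid = signature_algorithm(cert)
        if oid in WEAK_SIGNATURE_OIDS:
            return OID_NAMES.get(oid, oid)
    return None


def make_skeleton_cert(sig_oid: str) -> bytes:
    """Constructed, minimal DER shaped like a certificate (for testing only)."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                 # tbsCertificate: serial 1
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))  # OID + NULL params
    sig = tlv(0x03, b"\x00" + b"\x00" * 16)             # placeholder BIT STRING
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [make_skeleton_cert("1.2.840.113549.1.1.11"),   # leaf, SHA-256
             make_skeleton_cert("1.2.840.113549.1.1.4")]    # intermediate, MD5
    print("weak link:", first_weak_signature(chain))
```

The design point is that the check runs on every certificate in the chain, not only the leaf: a collision attack targets the link where the issuer still signs with MD5, so a validator that inspects only the end-entity certificate can be bypassed by a forged intermediate.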