Flame Malware: From Genesis to the Conspiracy Theory

Thursday, May 31, 2012

Pierluigi Paganini


(Translated from the original Italian)

In this article I want to discuss my many personal doubts regarding the Flame malware, starting from my idea that we are faced with a new, powerful cyber weapon.

Within hours, the Iranian Computer Emergency Response Team Coordination Center, CrySyS Lab and Kaspersky Lab all published news regarding the newly detected malware, which had hit mainly Windows systems in the Middle East region, specifically Iran.

This first information led me to think that behind the development of what has been defined as a “very sophisticated cyber weapon” is Israel or a Western country.

Moshe Ya’alon, Israel’s vice premier, has dismissed as speculation the accusations that Israel is responsible. But this is a story already seen in the Stuxnet case, when everyone denied participation while intelligence and military experts reported that Stuxnet had been tested at the Dimona nuclear complex in Israel in a joint U.S.-Israeli effort to undermine the Iranian nuclear weapons program.

“Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them.”

Richard Silverstein of Israel’s liberal Tikun Olam website, suggesting that Israeli intelligence might even be using the worm to spy on its own citizens, wrote under the headline “The country that brought us Iranian nuclear assassinations, explosions at Iran missile bases, and Stuxnet, is at it again”:

“Israel’s new contribution to Middle East cyberwar. The goal is apparently to infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel’s secret police, including military intelligence.”

The malware is erroneously defined as “new”, as experts are convinced that it dates back to at least 2010, exactly the same period as its predecessor, Stuxnet. Both pieces of malware appear to be very dangerous cyber threats, but the complexity of Flame has no precedent.


Genesis of malware

Researchers on the several teams that are investigating the discovery believe that the two agents were developed by different groups of experts with completely different techniques and are related to totally different projects. Flame is considered more complex than Stuxnet due to its intelligence gathering features, but both are modular software.

I have hypothesized the following scenarios:

  • Two separate development groups sponsored by hostile governments have decided to adopt a cyber military option to steal information from targets and, in a second phase, attack them.
  • The same government or coalition of states has decided to unleash a powerful attack against Iran’s nuclear program on several fronts, using Stuxnet as a powerful distraction to keep hidden over time other agents, such as Duqu and the new Flame, that could be used for information gathering but are also ready to be used in attacks.

Viewing the source code

The composition of the Flame source code, written in C++ and Lua, is very interesting, and it has been published on different websites. The total size of the package is almost 20 MB, including many different libraries and a Lua virtual machine.

The size is really significant for a piece of malware, and it is justified by the large number of features provided, but how is it possible that an agent of this size has eluded detection for so many years? Why has Lua been used, and what information can we derive from its usage?

To the first question I have no answer; personally, I find it incredible how long the malware has remained invisible to the security world. For at least two years experts from around the world, following the Stuxnet case, failed to isolate the malware even though the world community was on alert.

The malware was recognized as a powerful tool for cyber espionage, unusual in its composition by size and complexity, all qualities that would make it extremely noisy. Consider also that the antivirus industry evolves daily to respond to cyber threats; however, the Flame malware remained transparent to them, a sign that it has evolved over time along with the security systems.

Regarding Lua, its usage led me to believe that the developers have great skills, as the choice of the scripting language is mainly motivated by the following factors:

  • Complete portability of the source code and simple integration with C and C++ languages.
  • It is a dynamic programming language.
  • The Lua virtual machine is extremely compact, less than 200 KB.

All these characteristics lead me to think that we are faced with an ongoing project, open to the development of new modules and perhaps with an offensive purpose. It is also portable, which means that in the future new offensive modules could address different platforms, not only Windows machines.

Response of Security Firms and Antivirus Suppliers

Despite the complexity of the agent, the principal antivirus suppliers immediately worked on the development of removal kits. Bitdefender released a tool to find and remove the Flamer attack toolkit (32-bit and 64-bit removal tools are available for download).

Catalin Cosoi, Bitdefender’s Chief Security Researcher declared:

“Flamer is the scariest cyber espionage tool we’ve yet seen. It goes places where other spyware doesn’t go, retrieves information others don’t retrieve, and ensures the infected computer has no privacy whatsoever. Luckily, the Bitdefender removal tool makes it easy to eliminate from your computer.”

Rumors of a Plot

According to some experts, the announcement of the malware detection was first provided by Kaspersky Lab researchers (although Iran claims the discovery), and antivirus providers were ready with a fix. This information, together with the dating of the malware to 2010, leads me to think that the major security companies were aware of Flame and kept silent because of agreements with Western governments.

Just in the last few months, Western countries decided to suspend the supply of antivirus systems to Iran as a penalty, in an attempt to force the country to develop its own antivirus system. Why had the antivirus companies not detected it before? Is it a coincidence?

As the Kaspersky team declared, the malware is datable to at least 2010, it has been isolated only in the Middle East area, and no incidents have been reported affecting Western nations' critical infrastructure.


Why hasn’t the cyber threat impacted worldwide infrastructures in the last couple of years?

The Possible Impact on Critical Infrastructure

Now that the malware has been detected, a global alert has started regarding its possible impact on critical infrastructure. Flame is a powerful cyber espionage toolkit that could steal sensitive information and, thanks to its modularity, could be instructed to attack victims' systems.

According to Reuters, a United Nations (UN) agency official has expressed concerns regarding the impact of the malware on critical infrastructure of member states. The UN will provide a detailed alert on the cyber threat and the International Telecommunications Union (ITU) will also coordinate collection of virus samples.

"This is the most serious (cyber) warning we have ever put out," said Marco Obiso, cyber security coordinator for the U.N.'s Geneva-based International Telecommunications Union. "They should be on alert..."

Will Flame Have a Direct Impact on SCADA and ICS systems?

According to official reports, none of the variants identified is able to attack industrial control systems; however, concern is high due to the complexity of the malware, which could allow the agent to change its behavior simply by integrating a module written for the purpose of an attack.

At this time Flame is a powerful tool for information gathering, and there is no evidence that it has components to attack SCADA or ICS. This makes it more similar to Duqu, which is known to steal information rather than destroy equipment.

The scalability of the malware is not something new; let's remember that there are similar features in Stuxnet and Duqu. Symantec has reported that Flame appears to be the same worm that hit the Iranian Oil Ministry in recent weeks, impacting its facilities at the Kharg Island terminal.

Cyber war is a reality...

Cross-posted from Security Affairs

Michael Johnson: Your speculations are perfectly reasonable, so I wouldn't call them conspiracy theories. After all, everything published on this malware is raising more questions than answers.

I was skeptical about the association between Flame and STUXNET, but both were apparently operational around the same time, using the same exploits to infect the targets. This suggests the developers behind them had access to the same database of exploits.

'Within hours, the Iranian Computer Emergency Response Team Coordination Center, CrySyS Lab and Kaspersky Lab all published news regarding the new malware'
And I would have put it down to coincidence, but CrySyS Lab had already kind of analysed Flame and posted a 60-odd page report.

Someone on the F-Secure blog suggested the malware might be developed by one or more defence contractor(s), pointing out Northrop Grumman's recent vacancies advertisement for some 'offensive cyber operations' thingy, where the firm was looking for developers with Metasploit experience. I could be wrong, but doesn't Flame work like some mini-Metasploit, with vulnerability scanning and exploit modules?
Pierluigi Paganini: Hi Michael, I have used a provocative title to highlight that in this phase we have more questions than answers.
I believe that Flame and STUXNET are not related ... they share only the same target, but I have a lot of doubts.
Frankly I'm amazed how Flame may have been hidden from so many security firms for so long, attacking only a specific geographic area ... the prompt reply of the security companies is really strange: many years to detect a noisy malware but a couple of days to produce analysis, documents and a removal tool.

Maybe the title is not so absurd
thank you