Jump to content

Flame (malware)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 65.197.19.240 (talk) at 20:47, 29 May 2012. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Flame, ,[a] also known as Flamer and sKyWIper,[b] is a piece of computer malware[2][3] that attacks computers running the Microsoft Windows operating system.[4] The program is being used for cyber espionage in Middle Eastern countries.[1][4][5] Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National Computer emergency response team (CERT),[4] Kaspersky Lab[5] and CrySyS Lab of the Budapest University of Technology and Economics.[1] The last of these stated in its report that "sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."[1] According to estimates by Kaspersky, Flame has infected approximately 1,000 machines,[6] with victims including governmental organizations, educational institutions and private individuals.[5] As of May 2012, the countries most affected are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.[2][5]

History

Flame was identified in May 2012 by Kaspersky Lab, MAHER Center of Iranian National CERT, and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunications Union to investigate reports of a virus affecting Iranian Oil Ministry computers.[6] As Kaspersky Lab investigated, they discovered an MD5hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after the name of one of its modules.[6]

According to Kaspersky, Flame has been operating in the wild since at least February 2010.[5] CrySyS reports that the file name of the main component has been observed as early as December 2007.[1] However, its creation date is difficult to determine, as the malware's creators appear to have tampered with the compilation dates for its modules, falsely indicating compilation dates as early as 1994.[6]

Computer experts credit it with an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.[7] At the time, the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator.[8] However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware.[6] Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years.[6]

On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks.[6]

Specifications

The malware is a fairly large program at 20 megabytes, written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.[5] The malware uses five different encryption methods, and an SQLite database to store structured information.[1] The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process, and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.[1]

Usage

Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over the LAN or via USB sticks, and can record audio, screenshots, keyboard activity and network traffic.[5] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth enabled devices.[6] These data, along with locally stored documents, are sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[5]

Unlike Stuxnet, which was designed to damage an industrial process, Flame appears to have been written purely for espionage purposes.[9] It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes".[10]

Flame contains no built-in end-of-life date when it will deactivate, but allows operators to send a "kill" module that eliminates all traces of its files from a system.[6]

Speculation about origin

According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it."[2] Kaspersky has suggested that the malware may have been created by the same team that designed Stuxnet.[11] The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the West Bank—Israel became "many commentators' prime suspect".[11] The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible.[11]

See also

Notes

  1. ^ "Flame" is one of the strings found in the code, and possibly describes an attack that exploits a security vulnerability[1]
  2. ^ The name "sKyWIper" is derived from the letters "KWI" which are used as a partial filename by the malware[1]

References

  1. ^ a b c d e f g h "sKyWIper: A complex malware for targeted attacks" (PDF). Budapest University of Technology and Economics. 28 May 2012. Retrieved 29 May 2012.
  2. ^ a b c Lee, Dave (28 May 2012). "Flame: Massive cyber-attack discovered, researchers say". BBC News. Retrieved 29 May 2012.
  3. ^ McElroy, Damien; Williams, Christopher (28 May 2012). "Flame: world's most complex computer virus exposed". The Daily Telegraph. Retrieved 29 May 2012.
  4. ^ a b c "Identification of a New Targeted Cyber-Attack". Iran Computer Emergency Response Team. 28 May 2012. Retrieved 29 May 2012.
  5. ^ a b c d e f g h Gostev, Alexander (28 May 2012). "The Flame: Questions and Answers". Securelist. Retrieved 29 May 2012.
  6. ^ a b c d e f g h i Zetter, Kim (28 May 2012). "Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers". Wired. Retrieved 29 May 2012.
  7. ^ Hopkins, Nick (28 May 2012). "Computer worm that hit Iran oil terminals 'is most complex yet'". The Guardian. Retrieved 29 May 2012.
  8. ^ Erdbrink, Thomas (23 April 2012). "Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet". The New York Times. Retrieved 29 May 2012.
  9. ^ Cohen, Reuven (28 May 2012). "New Massive Cyber-Attack an 'Industrial Vacuum Cleaner for Sensitive Information'". Forbes. Retrieved 29 May 2012.
  10. ^ Albanesius, Chloe (28 May 2012). "Massive 'Flame' Malware Stealing Data Across Middle East". PC Magazine. Retrieved 29 May 2012.
  11. ^ a b c "Flame virus: who is behind the world's most complicated espionage software?". The Daily Telegraph. 29 May 2012. Retrieved 29 May 2012.

Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=Flame_(malware)&oldid=495014981"