Stuxnet On Steroids

Meet Flame. A cyber threat that makes Stuxnet seem like child's play.

It appears that there’s another cyberattack being directed at Iran:

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the Lua programming language — an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

Flame has apparently been in the wild since at least 2010, which means that its creation may predate Stuxnet and its related viruses. The fact that it went nearly two years without being detected is of no small concern and an indication of just how sophisticated the program apparently is. Of course, given some of the things that Flame can apparently do, its sophistication is rather obvious:

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.

There’s no indication where Flame may have come from, though it does have similarities to Stuxnet in terms of some of the exploits that it takes advantage of in order to gain access to a system and transmit information. Stuxnet, of course, is widely believed to have been a joint U.S.-Israeli project designed primarily to disable as many Iranian nuclear centrifuges as possible. Flame, on the other hand, appears to be primarily designed to surreptitiously conduct espionage. The program even contains a “kill switch” that, once activated remotely, removes all evidence of the program and the work that it has done from a system. Clearly not the work of amateurs.

Given where the program has ended up, it’s not illogical to assume that Flame may have had an origin similar to that of Stuxnet. However, it’s also a reminder that we’re entering a new era of cyber-war and that it’s only a matter of time before something is targeted at us.

FILED UNDER: Intelligence, National Security, Science & Technology
About Doug Mataconis
Doug holds a B.A. in Political Science from Rutgers University and a J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010. Before joining OTB, he wrote at Below The Beltway, The Liberty Papers, and United Liberty.

Comments

  1. matt says:

    Mark my words, this is only the beginning. Unfortunately those in government will scream for more control of the internet and their fearful minions will demand more ill-advised legislature.

    The internet is a cruel dark place and the quicker people realize that the safer they’ll be.

  2. michael reynolds says:

    has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa

    Hmmm, I wonder which country would be behind this? I’m wracking my brains. . .

  3. Jib says:

    The only tin-hat doomsday prep I do is keep enough cash around to cover 2 to 4 weeks of living in case the ATM network goes down. Could be something targeting the ATM specifically or just because electricity is out (earthquake, hurricane, etc.).

    I think you will see a lot of this kind of stuff in the near future. It’s cheap and, compared to wars, relatively damage free. It causes massive inconvenience more than anything else. I think you will see more of it in the private sector. The Chinese model of biz run by govt organizations opens the door to all kinds of mischief. The Red Army has a lot of biz interests it might want to protect from foreign competition.

    Remember: what is state of the art today will be mainstream in a few years.

    For those of you who think that the occupy movement is just a bunch of hippies in drum circles, I invite you to imagine the damage a dedicated group of hackers could do. A decentralized and networked group of educated kids with nothing to do and who are really pissed off at Wall Street.

    Like I said, I keep cash around, just in case something goes wrong.

  4. It’s interesting. In the beginning, when video conferencing cameras were first introduced, they were given physical shutters to slide over the lens. Computer savvy people like Sun Microsystems expected their customers to be wary of a user-facing camera. Now the shutters are all gone, and we have things ranging from WebcamGate to this.

    Personally, I prefer systems with no camera and a detachable microphone …

  5. (The iPad has a user facing camera and no shutter, right?)

  6. Loviatar says:

    When has a weapon ever stayed within the sole purview of the country first deploying said weapon?

    This will not end well for the US or Israel; our first world, highly computerized cultures are much more susceptible to cyber attacks than the above listed 2nd/3rd world cultures. Additionally, a return attack may occur much faster than anticipated given the development speed of the computer science field. Can you imagine, with a few small changes, versions of the Stuxnet, Duqu and Flame computer viruses going from attacking Iranian nuclear enrichment centrifuges to attacking American water treatment centrifuges or Israeli water desalination centrifuges? Which country do you think will suffer the most harm from having their centrifuges attacked?

    Mark my words, this will not end well for the US.

  7. Jib says:

    FWIW, the use of Lua is really interesting. Lua is compiled to byte code and run on a VM. So you have to install the VM to run Lua. It is ISO-C based so you can build a VM for just about any computer. The VM is register based so you have to compile it for the specific machine you are targeting. Lua has a simple C API and is designed to be embedded into systems. It is used as a scripting tool by a lot of game programmers since it is easy to port the code to different game machines.

    My guess is that the Lua code is the core code and individual modules are written to do specific jobs. The modules make calls to Lua for the library functions. If true, then this is not a virus, it’s a programming platform. It means an organization built this that plans on multiple dev teams using it over a period of years.

    The real danger here is if the programming spec ever gets loose in the wild. You have a hacker’s dev stack sitting on potentially millions of machines. Backdoors everywhere, anyone with rudimentary coding skill capable of all kinds of mischief. In terms of cyber crime, it is like replacing your local drug gang’s Glocks with fully automatic assault rifles.

  8. @Loviatar:

    Too late. China testing cyber-attack capabilities

    @Jib:

    Ultimately the only safety will be in strong systems. And those will evolve as attacks necessitate them.

    (Semantically, I think Flame is a virus with a VM and a nested environment. One could infect that environment, recursively, of course.)

  9. Jib says:

    @john personna: Well, at least we know how we will use all that quantum computing power.

    I wonder how long before the amount of cycles executed by viruses exceeds the amount of cycles executed by ‘real’ software. How long until most of the ‘work’ on the net is being done by viruses, not installed software.

  10. @Jib:

    Related:

    Industry is not providing government with the basic tools it needs to build a secure information infrastructure, say military and intelligence officials.

    “What we need is a secure operating system,” Robert Bigman, chief of the CIA’s Information Assurance Group, said during a panel discussion at the Security Innovation Network showcase in Washington Oct. 26. “We gave up some time ago on the battle to build a secure operating system, and we don’t have one.”

    Source: GCN (http://s.tt/1al2A)

  11. Franklin says:

    @john personna: Heh, well at least *that* Chinese-made military device actually works. Not how we want, of course, but it still works.