08 June, 2012

Flame Round-up

Updated June 13 with a few more links.

I decided to write a short post with a Frame timeline, links to the related information, and a brief summary of interesting information available at each link. I might update this post if I get comments with additional interesting links or if there are significant new developments. When possible, I'm trying to catalog technical discussion rather than news aimed at a general non-technical audience.

Note that many of the dates, on blog posts in particular, will reflect the last time the post was changed rather than initial posting date. This can be a problem when relying on sites that do not show both a publication and modification date for web publications. I will note when I know of discrepancies in date.

2012 May 28:

Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat: Kaspersky Lab posts information about new malware dubbed Flame. They were investigating incidents related to something known as Wiper on behalf of the ITU and discovered Flame in the process. Kaspersky calls Flame a "super-cyberweapon" and says the primary purpose is cyber espionage. The end of the article includes a link to The Flame: Questions and Answers, a technical FAQ. Judging by the CrySyS report (below), Wiper and Flame could actually be one and the same.

Identification of New Targeted Attack: Dated the same day as the Kaspersky Lab post, the Iranian CERTCC (MAHER) posts information gleaned from an investigation into Flame. They include bullet points listing some of Flame's behaviors and capabilities.

  • Distribution via removable medias
  • Distribution through local networks 
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords 
  • Scanning the disk of infected system looking for specific extensions and contents 
  • Creating series of user’s screen captures when some specific processes or windows are active 
  • Using the infected system’s attached microphone to record the environment sounds 
  • Transferring saved data to control servers 
  • Using more than 10 domains as C&C servers 
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols 
  • Bypassing tens of known antiviruses, anti malware and other security software 
  • Capable of infecting Windows Xp, Vista and 7 operating systems 
  • Infecting large scale local networks
Both Kaspersky Lab and MAHER tie Flame to Stuxnet and Duqu. Kaspersky later referred to this post by MAHER taking place on May 27 rather than date listed on the page, which is May 28.

CrySyS Lab publishes their first version of the 64 page sKyWIper (Flame) technical report, updated to version 1.05 as of May 31. The report states that Flame may have been active for as long as five to eight years at the time of discovery. The report details modules, encryption, activation, propagation, component descriptions, C&C details, scripts, and evasion techniques.

2012 June 01:

OpenDNS provides a timeline of command and control domain registrations. Domains were registered and active as far back as 2008.

The New York Times publishes an article, Obama Ordered Wave of Cyberattacks Against Iran, detailing efforts directed first by the Bush administration and increased by the Obama administration to use cyberattacks to slow Iranian nuclear development. The article ties the attacks most directly to Stuxnet and was adapted from David E. Sanger's new book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.

2012 June 03:

Microsoft issues Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing after revelations that Flame was using a cryptographic collision and terminal server licensing certificates to sign code, allowing spoofing of Windows Update. Microsoft issued an emergency patch that blacklisted the three intermediate certificate authorities.

2012 June 04:

ArsTechnica rounds up links, quotes, and information in "Flame" malware was signed by rogue Microsoft certificate. I will not repeat their work, but instead say that they did a good job providing information along with links to more detailed posts and articles from the various players that have been active in the dissemination of information about Flame.

Kaspersky Lab posts The Roof is on Fire: Tackling Flame's C&C Servers. The post includes a chart comparing Duqu and Flame command and control infrastructure, from choice of OS (CentOS for Duqu, Ubuntu for Flame) to number of known C&C domains (80+ for Flame), and more. They go into great detail about the C&C architecture, including the domains being purchased primarily through GoDaddy, the fake identities used for registration, the technical details of the C&C infrastructure, and a list showing the geographic distribution of infections. OpenDNS's timeline links to this post by Kaspersky Lab, so it was presumably posted around the same day, June 01, then updated later.

2012 June 05:

Bitdefender Labs details how Flame uses USB and old-fashioned sneakernet to move data off systems that are not connected to the Internet and onto systems that have previously connected to Flame's C&C servers. FLAME – The Story of Leaked Data Carried by Human Vector also mentions how Flame is different from much other malware, for instance very large file sizes and no anti-debugging or anti-reversing code.

2012 June 06:

Microsoft Security Research and Defense posts Frame malware collision attack explained. This goes into detail and is well worth reading. Notable is that Windows versions older than Vista would have been vulnerable without the MD5 collision, but newer versions required the collision attack.

ArsTechnica also posts on the subject and links to the same MS post among others in their Flame's "god mode cheat code" wielded to hijack Windows 7, Server 2008. Included is a link to a write-up about a theoretical MD5 collision attack dating back to 2007, which itself was an extension of work from 2004. In 2008, the attack went from theoretical to practical.

Symantec's blog post titled Flamer: Urgent Suicide details remaining Flame C&C servers sending a command to essentially uninstall from infected systems by deleting then overwriting Flame files with random data.

Related to the topic of cyber espionage but not dealing directly with Flame, Google announces that they will warn users of possible state-sponsored attacks.

2012 June 07:

Details start to emerge that Flame used a new collision attack. ArsTechnica posts Flame breakthrough shows Flame was designed by world-class scientists. Marc Stevens and B.M.M de Weger are quoted as saying that the collision attack was new.
“Flame uses a completely new variant of a ‘chosen prefix collision attack’ to impersonate a legitimate security update from Microsoft. The design of this new variant required world-class cryptanalysis,” says Marc Stevens. “It is very important to invest in cryptographic research, to continue to be ahead of these developments in practice.”
This adds to the ever-present but growing evidence regarding the type of resources needed for Flame.

2012 June 11:

Bitdefender Labs get into some great detail on components within Flame, including comparisons to Stuxnet, in Stuxnet's Oldest Component Solves the Flamer Puzzle.
"As mentioned before, atmpsvcn.ocx was believed to belong to Stuxnet: more to the point, its MD5 hash (b4429d77586798064b56b0099f0ccd49) was detected in a Stuxnet dropper.  This irrefutably places it as a Stuxnet component. It is common knowledge that Stuxnet used quite an array of droppers, and one of the oldest such droppers, dated from 2009, also contains the atmpsvcn.ocx component. Inside the dropper, we identified a resource encrypted using XOR 255 (0xFF) that is 520.192 bytes large and has the same hash: b65f8e25fb1f24ad166c24b69fa600a8.

This concludes the first part of the demonstration. There is no doubt about it being a Stuxnet component, but today’s demonstration will shed new light on how it fits in the Flamer puzzle."

No comments:

Post a Comment