Spy malware infecting Iranian networks is engineering marvel to behold
by Dan Goodin - May 29 2012, 3:36pm EDT
Iranian systems were by far the most targeted by Flame, an advanced piece of surveillance malware.
Researchers are still wrapping their brains around the mind-blowing "Flame."
Malware recently found infecting Middle Eastern networks is so complex and sophisticated that it's probably an advanced cyber-weapon unleashed by a wealthy country to wage a protracted espionage campaign on Iran, researchers from some of the world's leading security companies said.
The malware, dubbed "Flame" after one of the dozens of modules available for it, immediately evoked memories of Stuxnet, another piece of advanced malware that disabled uranium centrifuges
in Iranian nuclear plants. As sophisticated as Stuxnet and a related piece of espionage software known as Duqu
are, the latest piece of malware is probably orders of magnitude more sophisticated. When fully installed, its size is a whopping 20MB, and it also uses SQLite
databases and dynamically generated code that uses the Lua programming language
. Such characteristics suggest the malware, which Kaspersky estimates has been found on about 1,000 computer systems so far, could only have been written by a large team of highly skilled software engineers.
"The really interesting thing here is it seems to be another politically motivated, covert operation," Symantec researcher Liam O Murchu told Ars. "We don't normally see the highest infections in Iran, but we do in this case. Based on that, we're looking at another politically motivated attack, at stealing information, possibly written by a government or government agency."
Iran's Computer Emergency Response Team confirmed the outbreak of Flame in an advisory published Monday
. The United Nation's International Telecommunications Union intends to warn members that Flame represents a dangerous espionage tool that could be used to attack critical infrastructure, Reuters reported Tuesday
The malware was discovered a few weeks ago, in the aftermath of reports that malware known as "Wiper" may have been used to destroy data belonging to Iran's oil ministry
. Kaspersky, in a report published Monday
, said it found evidence showing Flame had managed to remain undetected for at least two years. In their own report
, researchers with Hungary-based CrySyS Lab said the malware, which they are calling sKyWIper, "may have been active for as long as five to eight years, or even more."
The 63-page report contains materials from other researchers and is the result of "an international collaboration," CrySyS researcher Bencsáth Boldizsár told Ars. A third report
was also issued on Monday by Symantec.
At least 20 modules available for the malware bring a menu of highly advanced spying capabilities to the unknown people who control it. One plugin turns on the internal microphone of infected machines so Skype conversations can be secretly monitored in real time. A separate module scans nearby Bluetooth-enabled devices for names and phone numbers stored in contact lists. A third monitors machine activity by taking screenshots every 15 to 60 seconds, depending on whether Outlook or another targeted application is in use, and uses SSL-protected connections to send the images to the attackers. Flame can also sniff traffic passing over local networks to siphon user names, passwords, password hashes, and other sensitive data that attackers can use to further monitor their targets.
On Tuesday afternoon, Kaspersky researchers published a new blog post
that detailed 16 distinct modules. Names including Beetlejuice, Microbe, Infectmedia, and Euphoria were extracted from the binary and compressed resource section that the researchers called "resource 146." Also on Tuesday, BitDefender released 32-bit
software tools that remove the infection.
While Flame and Stuxnet both primarily target sensitive networks in Iran, researchers have so far found few similarities between the code contained in the two malware packages. Those who have analyzed the Flame infection still don't know how the malware initially takes control of computers it infects. Because it has been found to infect fully patched systems running Windows 7, researchers haven't ruled out the possibility that it exploits one or more unknown vulnerabilities in the Microsoft operating system, but it's also possible those machines were commandeered after attackers obtained login credentials for them.
The modular design suggests Flame developers intended it to be a long-term project that could be worked on by huge teams of individuals. The design has the added benefit of allowing programmers to add new capabilities without having to rework or even understand the way other modules run. Changes can be introduced simple updates to add new capabilities or to evade new security products.
Flame also contains some advanced features that were first found in Stuxnet. An infection mechanism that exploits a Windows "Autorun" feature in USB drives is one such example, as is its ability to propagate within local networks by exploiting a Windows print-spool vulnerability Microsoft patched in 2010
. It's not clear if the developers had access to the same advanced vulnerability the Stuxnet architects had or if they simply added similar functionality based on the huge body of research that followed Stuxnet's discovery.
What is clear is that the challenge of designing the software and making sure it remained undetected for years on highly locked down systems is an engineering marvel as impressive as anything Microsoft, Oracle, or Apple has ever accomplished. The code contained about 6,500 lines of Lua scripts alone, researchers from BitDefender said
"It looks to us like somebody who normally writes legitimate software was tasked with writing a piece of malware and they just took the techniques they used in legitimate software and they implemented it in malware," O Murchu said. The combination of code based on the C++ and LUA programming languages and the use of Windows dynamically linked libraries to support SQL databases "also makes their code very organized, very easy to find data."
The fact that the software works as well as it does on such a small number of computers also suggests that huge amounts of debugging and quality assurance work was painstakingly devoted to making sure it worked precisely as it was intended.
The Kaspersky report went on to speculate that Flame and Stuxnet "were probably developed by two separate groups," possibly as a fallback mechanism in the event Stuxnet was detected by the organizations it preyed on.
"Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects—but based on a completely different philosophy," Kaspersky Lab Expert Alexander Gostev wrote. "This way, if one of the research projects is discovered, the other one can continue unhindered."
Gostev said Kaspersky researchers have "counted about a dozen different C&C domains, run on several different servers" and that the malware may use as many as 80 separate domains to contact the channels.