Given that this has been out in the wild for at least a couple of years now, what’s lurking out there that’s even bigger than “Flame” and even less suspected and less understood? Look at the below Virus alert from Kaspersky Lab.
Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat
“Kaspersky Lab announces the discovery of a highly sophisticated malicious program that is actively being used as a cyber weapon attacking entities in several countries. The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date.
“The malware was discovered by Kaspersky Lab’s experts during an investigation prompted by the International Telecommunication Union (ITU). The malicious program, detected as Worm.Win32.Flame by Kaspersky Lab’s security products, is designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations.
“The independent research was initiated by ITU and Kaspersky Lab after a series of incidents with another, still unknown, destructive malware program – codenamed Wiper – which deleted data on a number of computers in the Western Asia region. This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in coordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been “in the wild” for more than two years – since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it.
“Although the features of Flame differ compared with those of previous notable cyber weapons such as Duqu and Stuxnet, the geography of attacks, use of specific software vulnerabilities, and the fact that only selected computers are being targeted all indicate that Flame belongs to the same category of super-cyberweapons….”
“The Malware is a sophisticated attack toolkit, It is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky its development has taken a couple of years and it will probably take year to fully understand the 20MB of code of Flame.
“According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
“Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
“Flame owns many capabilities, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
“The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet and maybe it is the reason why it wasn’t discovered for so long);
Flame includes a piece of code (about 3000 lines) written in LUA, a not so common occurrence for malware;
Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
“Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that trigger the infection when this directory is opened);
“With no doubt a beautiful piece of malware written with the precise intent of Cyber-Espionage….”
(((What do you imagine the guys who are running this thing are doing right now? What do you do when you know your spy malware is compromised: try to shut it all down and lie low, or turn up the amps to 11 and try and grab every scrap that you can?)))
(((Even more, and it’s clear that there’s gonna be lots of this; if Stuxnet was a monster, this thing is a monster times twenty. What’s more, it looks like Stuxnet, Duqu and Flame all come from the same awesome malware-foundry. There is no way those maestros of cyberwar have been sitting on their hands for the last five years. So what have they rolled out more recently?)))
(((A school of thought has arisen that says that “Flame” isn’t technically a “cyberweapon” because “Flame” doesn’t blow stuff up. Flame is just espionage, and not cyberwarfare, in other words. Well, I can take the point there, but Stuxnet DID blow stuff up, or at least ruin atomic centrifuges beyond repair; and Flame is apparently built by the same weapon shop. Furthermore, the Iranians claim that big heaps of their data have been mysteriously erased by a nifty plug-in module of “Flame,” aka “Flamer,” aka “Skywiper.” I don’t think the Iranians much wanted their data to be “Skywiped.” Imagine if you were, say, France, and you woke up one morning to find out that the networks of some nuclear military contractor had been “skywiped.” You wouldn’t call that “espionage,” would you? Let’s not be disingenuous.)))
“According to file naming conventions, propagation methods, complexity level, precise targeting and superb functionality, it seems that there is a close relation to the Stuxnet and targeted attacks. The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat. A list of the major infection components of this malware is presented below; these samples would be available for security.”
(((What a beast!)))
(((Yike and double yike, and we’re just getting started.)))
(((I often wondered why the Stuxnet hackers weren’t leaking and bragging about their superb achievement… Well, that would have been like bragging about your Volkswagen when you had a private space-rocket waiting on the launchpad.)))
Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload
A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.
The malware, which steals system information but also has a mysterious payload that could be destructive against critical infrastructure, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.
The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.
The discovery appears to add to the steadily growing arsenal of malware created by the U.S. and Israeli governments. That list includes the groundbreaking Stuxnet cyberweapon that is believed to have infiltrated and caused physical damage to Iran’s uranium enrichment program, as well as the spyware tools known as Flame and DuQu. But Gauss marks the first time that apparently nation-state-created malware has been found stealing banking credentials, something that is commonly seen in malware distributed by criminal hacking groups.
The varied functionality of Gauss suggests a toolkit used for multiple operations.
“When you look at Stuxnet and DuQu, they were obviously single-goal operations. But here I think what you see is a broader operation happening all in one,” says Roel Schouwenberg, senior researcher at Kaspersky Lab.
The researchers don’t know if the attackers used the bank component in Gauss simply to spy on account transactions, or to steal money from targets. But given that the malware was almost certainly created by nation-state actors, its goal is likely not to steal for economic gain, but rather for counterintelligence purposes. Its aim, for instance, might be to monitor and trace the source of funding going to individuals or groups, or to sabotage political or other efforts by draining money from their accounts.
While the banking component adds a new element to state-sponsored malware, the mysterious payload may prove to be the most interesting part of Gauss, since this part of the malware has been carefully encrypted by the attackers and so far remains uncracked by Kaspersky.
The payload appears to be highly targeted against machines that have a specific configuration — a configuration used to generate a key that unlocks the encryption. So far the researchers have been unable to determine what configuration generates the key. They’re asking for assistance from any cryptographers who might be able to help crack the code.
“We do believe that it’s crackable; it will just take us some time,” says Schouwenberg. He notes that using a strong encryption key tied to the configuration illustrates great efforts by the attackers to control their code and prevent others from getting a hold of it to create copycat versions of it, something they may have learned from mistakes made with Stuxnet.
According to Kaspersky, Gauss appears to have been created sometime in mid-2011 and was first deployed in September or October of last year, around the same time that DuQu was uncovered by researchers in Hungary. DuQu was an espionage tool discovered on machines in Iran, Sudan, and other countries around August 2011 and was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques. Flame and Stuxnet also shared a component, and now Flame and Gauss have been found to be using similar code as well.
Kaspersky discovered Gauss only this last June, while looking for variants of Flame.
Kaspersky had uncovered Flame in May after the UN’s International Telecommunciations Union asked the company to investigate claims out of Iran that malware had struck computers belonging to the oil industry there and wiped out data. Kaspersky never found malware that matched the description of the code that attacked the oil industry computers, but did find Flame, a massive and sophisticated espionage toolkit that has multiple components designed to conduct various kinds of espionage on infected systems. One module takes screenshots of e-mail and instant-messaging communications, while other modules steal documents or turn on the internal microphone on a computer to record conversations conducted via Skype or in the vicinity of an infected system.
As the researchers sifted through various samples of malware identified as Flame by their anti-virus scanner, they found samples of Gauss that, upon further inspection, used some of the same code as Flame but differed from that malware. Gauss, like Flame was programmed in C++ and shares some of the same libraries, algorithms and code base.
The authors of the malware neglected to scrub path and project data from some of the modules, so the researchers were able to glean the names of project files the attackers appear to have given their code. They found, for example, a pathway for a file named “gauss_white_1? as it had been stored on the attackers’ machine under a directory called “flamer.”
Pathways left in the code by the attackers show what appear to be the names of files the attackers used in designing their malware. Courtesy of Kaspersky Lab
Kaspersky suggests that “white” in the file name may refer to Lebanon, a name said to be derived from the Semitic root letters “lbn,” which are also the root letters for “white.” Although in Arabic — a Semitic language — white is “abayd,” in Hebrew — also a Semitic language — the word for white is “lavan,” which comes from the root letters “lbn.”
More than 2,500 systems in 25 countries have been infected with Gauss, based on data Kaspersky gleaned from infected customer machines, and at least 1,660 of those have been in Lebanon. Kaspersky notes, however, that these figures only represent its own customers who have been infected.
Extrapolating from the number of infected Kaspersky customers, they speculate that there may be as many as tens of thousands of other victims infected with Gauss.
By comparison, Stuxnet infected more than 100,000 machines, primarily in Iran. DuQu infected an estimated 50 machines, but was not geographically focused. Flame is estimated to have infected about 1,000 machines in Iran and elsewhere in the Middle East.
Graphic showing the various distribution of infections by Stuxnet, DuQu, Flame and Gauss. Courtesy of Kaspersky Lab
Aside from 1,660 infections in Lebanon, 482 are in Israel and 261 are in the Palestinain territories, and 43 are in the U.S. Only one infection has been found in Iran. There is no sign that Gauss targeted specific organizations or industries, but instead appears to target specific individuals. Schoenwenberg said, however, that his team does not know the identities of victims. The majority of victims infected by Gauss use the Windows 7 operating system.
Like Flame, Gauss is modular, so that new functionality can be swapped in and out, depending on the needs of the attackers. To date, only a few modules have been uncovered — these are designed to steal browser cookies and passwords, harvest system configuration data including information about the BIOS and CMOS RAM, infect USB sticks, enumerate the content of drives and folders, and to steal banking credentials as well as account information for social networking accounts, e-mail and instant messaging.
Gauss also installs a custom font called Palida Narrow, the purpose of which is not known. The use of a custom font designed by the malware authors is reminiscent of DuQu, which used a font called Dexter fabricated by its creators to exploit victim machines. Kaspersky has found no malicious code in the Palida Narrow font files and has no idea why it’s in the code, though the font contains Western, Baltic and Turkish symbols.
Gauss’s primary module, which Kaspersky refers to as the mother ship, appears to have been named after German mathematician Johann Carl Friedrich Gauss. Other modules of the malware appear to have been named after mathematicians Joseph-Louis Legrange and Kurt Godel.
The Gauss module is about 200K in size. With all of the plugins found so far, Gauss measures 2MB, much smaller than the 20MB Flame with all of its modules.
Researchers do not yet know how the main Gauss module first gets onto systems, but once on a system, it injects into the browser in order to steal cookies and passwords. Another module loads an exploit onto any USB sticks inserted into the system thereafter. The exploit dropped to the USB stick is the same .lnk exploit that Stuxnet used to spread to systems. Microsoft has since patched the .lnk exploit, so any system Gauss infects with this exploit would be ones that have not been updated with that patch.
Once an infected USB stick is inserted into another system, it has two roles – to gather configuration information about the system and to deliver the encrypted payload.
The configuration data it collects includes information about the operating system, network interfaces and SQL servers. It stores this data in a hidden file on the USB stick. When the USB stick is later inserted into another system that has the main Gauss module installed on it and that is connected to the internet, that stored configuration data is sent to the attacker’s command-and-control servers. The USB exploit is set to gather data only from 30 machines, after which it deletes itself from the USB stick.
Schoewenberg says the USB module appears to be aimed at bridging an airgap and getting the payload onto systems that are not connected to the internet, as it had been used previously to get Stuxnet onto industrial control systems in Iran that were not connected to the internet.
As noted, the payload is only unleashed on systems that have a specific configuration. That specific configuration is currently unknown, but Schoewenberg says it has to do with paths and files that are on the system. This suggests that the attackers have extensive knowledge about what is on the target system they are seeking.
The malware uses that configuration to generate a key to unlock the payload and unleash it. Once it finds the configuration it’s looking for, it uses that configuration data to perform 10,000 iterations of MD5 to generate a 128-bit RC4 key, which is then used to decrypt the payload.
“Unless you meet these specific requirements, you’re not going to generate the right key to decrypt it,” Schoewenberg says.
Researchers had criticized Stuxnet’s creators because that malware was not better controlled by the attackers. Stuxnet left a backdoor on infected machines that would have allowed anyone to take control of the infected machines. Its payload was also not obfuscated as strongly as it could have been, allowing others to reverse-engineer the code and create copycat attacks from it.
“I definitely think these guys really learned their lesson from Stuxnet in looking at how all that stuff went down,” Schoewenber says. “This approach is really very smart. This means it buys them more time, because it will take people longer to figure out what is happening, and indeed this will become effectively impossible for copycats…. The security industry will have the code, but it won’t be out there for the average cybercriminal…. They’re definitely trying to prevent copycats from just copy-pasting.”
Though he says there’s no evidence that Gauss is targeting industrial control systems, as Stuxnet did, the fact that the payload is the only part of the code that is encrypted so strongly, “really makes one wonder what is so special that they have gone through all that trouble. It must be something important…. So we are definitely not ruling out the possibility that we will find a destructive payload targeting industrial control machines.”
Gauss uses seven domains to gather data from infected systems, but all five of the servers behind the domains went dark in July before Kaspersky was able to investigate them. The domains were hosted at various times in India, the U.S. and Portugal.
Researchers have not found any zero-day exploits used by Gauss but caution that since they still have not found how Gauss first infects systems, it’s too early to rule out the use of zero-days in the attack.