Flame: Modern Warfare
Matthew Stratton

• What is Flame?
• How it was found
• What are its capabilities
• How it is similar to Stuxnet and Duqu
• Implications
Flame’s Discovery
This is not the malware you are looking for

Kaspersky Labs
• April, 2012
• National Iranian Oil Company infected by an unknown virus
• International Telecommunication Union asked Kaspersky to investigate
• Looked for a virus called “Wiper” but found something much worse
New Malware: Flame
• Kaspersky Labs named the new virus “Flame” after one of its prominent modules

Infected
• Most infected computers found in the Middle East
• A few infections found in Europe

Tried and True
• Flame has been in the wild a long time
• Evidence of Flame’s use as far back as August 2010
  – Avoided detection for 20+ months
• Likely much older; some evidence suggests earlier versions as early as 2007
Flame’s Capabilities
Spy in a Box

What is Flame?
• Sophisticated attack toolkit: backdoor, trojan, worm
• Avoids detection
• Modular:
  – Small infection module downloads extra modules once it compromises a system
  – With all known modules: ~20 MB in size
  – Wiper may be a Flame module

Infect
• Signed by a fraudulent certificate supposedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority
• Infection module will modify itself to avoid antivirus detection
• Large size makes it hard to determine that Flame is doing anything malicious
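A defender-side check for the signing trick on this slide, added here as an example and not part of the original deck: it walks signed binaries under a folder, builds each file’s certificate chain, and reports any file whose chain passes through the issuer name the slide cites. The scan root, file extensions and the hypothetical script parameters are assumptions; the issuer name comes from the slide.

```powershell
# Added example: flag Authenticode-signed files whose certificate chain contains
# the intermediate CA named on the slide. Requires Windows PowerShell and read
# access to the scan root; both parameters are assumed values, not from the deck.
param(
    [string]$ScanRoot      = "$env:SystemRoot\System32",
    [string]$SuspectIssuer = 'Microsoft Enforced Licensing Intermediate PCA'
)

Get-ChildItem -Path $ScanRoot -Include *.exe,*.dll,*.ocx -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($null -eq $sig.SignerCertificate) { return }   # unsigned: nothing to inspect

    # Build the chain ourselves so every link is visible, not just the leaf signer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'       # offline check; names only, no CRL lookups
    [void]$chain.Build($sig.SignerCertificate)

    $hit = $chain.ChainElements | Where-Object {
        $_.Certificate.Subject -like "*CN=$SuspectIssuer*" -or
        $_.Certificate.Issuer  -like "*CN=$SuspectIssuer*"
    }
    if ($hit) {
        [pscustomobject]@{
            Path   = $file.FullName
            Status = $sig.Status                        # Valid/NotSigned/etc. as Windows sees it
            Leaf   = $sig.SignerCertificate.Subject
            Chain  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
    }
}
```

A “Valid” status next to a hit is exactly the point of the slide: the chain can look trustworthy to the OS, so the issuer name, not the validity verdict, is what to alert on.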
Gather
• Once a machine is infected, attack modules are downloaded from the C&C server depending on the target system
• Sniff network traffic and gather information on Bluetooth devices in range
  – Could lead to customized attacks in the future

Gather
• Take screenshots when “interesting” applications are running
• Turn on the built-in mic and record audio conversations
• Key logger
• Record Skype conversations
• Gather local files stored on the computer, including info from databases

Spread
• On command of the operator (C&C server)
Notorious Similarities
Stuxnet and Duqu

Stuxnet and Duqu
• Sophistication
• Exploit the same vulnerabilities
  – Print spooler
  – USB infection methods
  – Not seen anywhere else

Different Developers
• Different programming language
• Different software architecture
• Hypothesis:
  – Developed in parallel with Stuxnet and Duqu by different teams
  – Access to the same database of vulnerabilities
  – Both commissioned by the same group
Implications
The Dawn of Cyber Warfare

Cyber Warfare
• "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."
• Developed by a nation state
  – Complexity
  – Goals
  – Targets

Creators
• Leaked documents and inside sources claim it was a project started by George W. Bush and continued by President Obama
  – Olympic Games
  – Developed with Israel
• No one has openly claimed responsibility
Fin
• Finding Flame
• Flame’s functionality
• Connections to Stuxnet and Duqu
• Implications: Cyber Warfare

Questions?