Download presentation: Flame: Modern Warfare, Matthew Stratton

b33ec6fb4fe2f5c2783357f4aa2b826c.ppt

  • Number of slides: 21

Flame: Modern Warfare
Matthew Stratton

Overview
• What is Flame?
• How it was found
• What are its capabilities
• How it is similar to Stuxnet and Duqu
• Implications

Flame’s Discovery
This is not the malware you are looking for

Kaspersky Labs
• April 2012
• National Iranian Oil Company infected by an unknown virus
• International Telecommunication Union asked Kaspersky to investigate
• Looked for a virus called “Wiper” but found something much worse

New Malware: Flame
• Kaspersky Labs named the new virus “Flame” after the name of one of its prominent modules

Infected
• Most infected computers found in the Middle East
• A few infections found in Europe

Tried and True
• Flame has been in the wild a long time
• Evidence of Flame’s use as far back as August 2010
  – Avoided detection for 20+ months
• Likely much older; some evidence suggests earlier versions as early as 2007

Flame’s Capabilities
Spy in a Box

What is Flame
• Sophisticated attack toolkit: backdoor, trojan, worm
• Avoids detection
• Modular:
  – Small infection module downloads extra modules once it compromises a system
  – With all known modules: ~20 MB in size
  – Wiper may be a Flame module

Infect
• Signed by a fraudulent certificate supposedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority
• Infection module will modify itself to avoid antivirus detection
• Large size makes it hard to determine that Flame is doing anything malicious
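The fraudulent-certificate bullet is the one technical point on this slide that a defender can act on: a signature that merely chains to a trusted root is not enough, because a certificate issued by a CA meant for some other purpose (here, a licensing CA) still chains. The following is an added example, not code from the talk or from any vendor; it models the extra policy a code-signing verifier should apply on top of chain building: reject collision-prone signature hashes, require the leaf to assert the codeSigning Extended Key Usage, and require every intermediate to explicitly permit it. The `Cert` model, the `2.999.1` purpose OID and both chains are constructed sample data, and the "absent EKU means not permitted" rule is a deliberate strict policy choice of this example, stricter than the RFC 5280 default.

```python
"""Code-signing chain policy check (added example; constructed data, not a real parser)."""
from dataclasses import dataclass

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning OID (RFC 5280)
# Hash algorithms with practical collision attacks: a certificate signed with one of
# these can be forged via a chosen-prefix collision, so it must not anchor trust.
WEAK_SIG_ALGS = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}


@dataclass(frozen=True)
class Cert:
    """Minimal model of the X.509 fields this policy inspects (constructed for the example)."""
    subject: str
    issuer: str
    is_ca: bool
    sig_alg: str
    eku: frozenset = frozenset()  # Extended Key Usage OIDs; empty = none asserted


def check_code_signing_chain(chain, trusted_roots):
    """chain is ordered leaf first, root last. Returns a list of violations (empty = accept)."""
    if not chain:
        return ["empty chain"]
    errors = []
    leaf, root = chain[0], chain[-1]

    # 1. Trust anchor: the last certificate must be a configured root.
    if root.subject not in trusted_roots:
        errors.append(f"root '{root.subject}' is not in the trust store")

    # 2. Chain linkage: each certificate is issued by the next one, which must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            errors.append(f"'{child.subject}' not issued by '{parent.subject}'")
        if not parent.is_ca:
            errors.append(f"'{parent.subject}' is not a CA but issued '{child.subject}'")

    # 3. Signature algorithm: reject collision-prone hashes on every certificate whose
    #    signature we rely on (the root's self-signature is not relied on, so skip it).
    for cert in chain[:-1]:
        if cert.sig_alg in WEAK_SIG_ALGS:
            errors.append(f"'{cert.subject}' signed with weak algorithm {cert.sig_alg}")

    # 4. Purpose: the leaf must assert codeSigning, and every intermediate must explicitly
    #    permit it. Strict policy choice of this example: an intermediate with no EKU is
    #    treated as NOT permitting code signing (RFC 5280 treats absence as unrestricted),
    #    which is what stops a CA issued for another purpose from vouching for executables.
    if CODE_SIGNING not in leaf.eku:
        errors.append(f"leaf '{leaf.subject}' lacks codeSigning EKU")
    for ca in chain[1:-1]:
        if CODE_SIGNING not in ca.eku:
            errors.append(f"intermediate '{ca.subject}' does not permit codeSigning")
    return errors


TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store

# Constructed "good" chain: a dedicated code-signing intermediate, modern hashes.
GOOD_CHAIN = [
    Cert("Contoso Signing Key", "Example Code Signing CA", False,
         "sha256WithRSAEncryption", frozenset({CODE_SIGNING})),
    Cert("Example Code Signing CA", "Example Root CA", True,
         "sha256WithRSAEncryption", frozenset({CODE_SIGNING})),
    Cert("Example Root CA", "Example Root CA", True, "sha256WithRSAEncryption"),
]

# Constructed "bad" chain: the leaf asserts codeSigning and chains to the trusted root,
# but its issuer is an intermediate meant for a different purpose (placeholder OID 2.999.1,
# no codeSigning) and both are signed with MD5. A name-only chain check accepts this;
# the policy above rejects it.
BAD_CHAIN = [
    Cert("Unknown Signer", "Sample Licensing Intermediate CA", False,
         "md5WithRSAEncryption", frozenset({CODE_SIGNING})),
    Cert("Sample Licensing Intermediate CA", "Example Root CA", True,
         "md5WithRSAEncryption", frozenset({"2.999.1"})),
    Cert("Example Root CA", "Example Root CA", True, "sha256WithRSAEncryption"),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        violations = check_code_signing_chain(chain, TRUSTED_ROOTS)
        print(f"{name}: {'ACCEPT' if not violations else 'REJECT'}")
        for v in violations:
            print("  -", v)
```

Running it prints `good: ACCEPT` and `bad: REJECT` with three violations (two weak-algorithm findings and the intermediate's missing codeSigning purpose). In production this model would be replaced by fields pulled from a real X.509 parser; the policy logic stays the same.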

Gather
• Once a machine is infected, attack modules are downloaded from the C&C server depending on the target system
• Sniff network traffic and gather information on Bluetooth devices in range
  – Could lead to customized attacks in the future

Gather
• Take screenshots when “interesting” applications are running
• Turn on the built-in mic and record audio conversations
• Key logger
• Record Skype conversations
• Gather local files stored on the computer, including info from databases

Spread
• On command of the operator (C&C server)

Notorious Similarities
Stuxnet and Duqu

Stuxnet and Duqu
• Sophistication
• Exploit same vulnerabilities
  – Print spooler
  – USB infection methods
  – Not seen anywhere else

Different Developers
• Different programming language
• Different software architecture
• Hypothesis:
  – Developed in parallel with Stuxnet and Duqu by different teams
  – Access to same database of vulnerabilities
  – Both commissioned by same group

Implications
The Dawn of Cyber Warfare

Cyber Warfare
• “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.”
• Developed by a nation state
  – Complexity
  – Goals
  – Targets

Creators
• Leaked documents and inside sources claim it was a project started by George W. Bush and continued by President Obama
  – Olympic Games
  – Developed with Israel
• No one has openly claimed responsibility

Fin
• Finding Flame
• Flame’s functionality
• Connections to Stuxnet and Duqu
• Implications: Cyber Warfare

Questions?