Kaspersky Lab Monday shared more details about the sophisticated cyber-espionage Flame malware widely believed to be the work of a nation-state, though the security firm isn't venturing yet to say what country that might be.
Kaspersky Lab is working with OpenDNS to investigate Flame malware tied most closely to cyber-espionage against Iran and Lebanon, and today both companies described what has been found in a week of investigation of Flame command and control (C&C) servers around the world. These servers are being "sinkholed" slowly to cut off ties between the C&C server and Windows-based computers infected with Flame malware, which spies on computer use and can upload content back to Flame's C&C operators.
The Flame cyber-espionage botnet has one of the most elaborate and carefully constructed C&C structures ever identified, according to Roel Schouwenberg, senior research at Kaspersky Lab, who joined with Dan Hubbard, CTO at OpenDNS, to discuss the latest discoveries made since a week ago, when Kaspersky's announcement about the malware apparently caused Flame's C&C operators to suddenly drop offline.
However, Flame appears to be updating itself to possibly reconstitute its capabilities, Schouwenberg warns.
"Flame's goal is cyber-espionage," says Schouwenberg, noting it's "hiding in plain sight," and "there may be a cyber-sabotage component to it."
Flame can send up stolen information in 80 kilobyte chunks, and Flame's operators want to steal PDF files, Office documents and AutoCad files, such as mechanical and building designs. He notes, "Whitelisting technologies would have definitely blocked Flame." Whitelisting prevents unauthorised applications from running on computers. Flame is Windows-based and there doesn't seem to be a Linux component for Flame, Schouwenberg says.
"The Flame command control is unlike anything we've ever seen before," Schouwenberg says. Flame has had more than 80 domains registered for servers that have been identified in far-flung places, from India to Belgium to the Netherlands to Switzerland. The Flame C&C servers do not appear to be based on hacked servers, and domain registrations use fake names that appear to be registered carefully by hand to hotels, shops and doctors' offices, for example, with most of the phony domain registrations registered under fake names for Germany and Austria, but there's no known reason why. These domains and locations associated with Flame registrations are not historically connected with "bad actors and bad neighborhoods," Hubbard points out.
The researchers acknowledge there is still a lot they don't know about Flame because they think they still need to find additional Flame modules to get a bigger picture of what's going on. There's also evidence Flame is updating itself to find alternate C&C paths and has a sophisticated backup operation. So far, there are 196 known victims of Flame in Iran, 54 in Palestine, 48 in Israel, 33 in Sudan, 31 in Syria, and others elsewhere, including 10 in the U.S. The numbers haven't changed a lot from a week ago, Kaspersky says. About 45 of the victims in Iran have had Flame sinkholed to protect against it, as well as 21 in Lebanon and eight in the U.S., among a few others.
Another technical aspect about Flame coming into view is that Microsoft yesterday announced a flaw in its certificate-registration process that appears to have been exploited for purposes of Flame. Kaspersky Lab says it's still seeking to find out more about this and declined to comment on it.
Microsoft on Sunday issued security advisory 2718704 and a related post by engineering staffer Jonathan Ness to notify Microsoft customers that "unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft root authority."
This all appears to have a bearing on the Flame malware, Microsoft says.
Microsoft says it has revoked three of these certificates associated with the Flame malware by putting them into the "Windows Untrusted Certificate Stores," and "we have also discontinued issuing certificates usable for code signing via the Terminal Services activation and licensing process."
Sometimes use of digital certificates has been by those designing malware to better hide from antivirus software.
Microsoft says it found a flaw in its Terminal Services licensing certification authority process that "when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft's internal PKI infrastructure."
Microsoft says most antivirus software today will recognize, block and eradicate the Flame malware, but Microsoft is taking the steps it did yesterday to revoke the Terminal Services digital issuance because it's concerned some of the techniques used by Flame could also be "leveraged by less sophisticated attackers to launch more widespread attacks."
In a column for Wired on June 1, Mikko Hypponen, chief research officer for F-Secure, says his company failed to identify Flame as malware even though the software ended up in an F-Secure code archive back in 2010 and 2011. F-Secure's system hadn't flagged it as something dangerous. This may be because Flame was artful in making itself look like a business database system. Hypponen says Flame represented a "failure of the anti-virus industry," adding, "We were out of our league, in our own game."