The Flame Trojan
A puzzle piece in the cyberwar between governments?
Flame is a piece of malware that was not reported in the media until May 2012, when it became a hot topic for discussion. What's hot about it: This malicious "virtual flame" is said to have been active and infecting computer systems in the Middle East for several years now. Both the complexity and functionality of the newly discovered malware are remarkable, and the author remains unknown, though many assume that it is an attack organized by an as yet unidentified government. In the following article, we will explain to you how this trojan has managed to infect several thousands of computers and to what extent you are at risk as a private user.
It is primarily spread through a loophole in Windows
The authors of Flame don't rely on only one way of spreading their malware, but have instead given their creation several abilities. Aside from the typical use of new security flaws (zero-day attacks via exploits), this spyware has also attracted attention for using fake Microsoft certificates via one of the core components of the OS: Windows Update.
Flame intercepts a Windows Update request and redirects it towards an infiltrated computer. The innocent user installs the malicious software themselves. The strategy behind this attack is known as "Man in the middle" and is difficult to ward off. The loophole involves the use of an out-of-date encryption method that has since been enhanced and will be made even more secure in the future according to Microsoft.
As the Windows Update process has remained much the same over a number of versions of Windows, Flame was not only able to infect one particular Microsoft OS, but all current versions. The update itself pretended to be an inconspicuous operation that would install gadgets on the desktop. It is doubtful whether Flame can be prevented from spreading by closing this vulnerability. According to the fake signature this method has been in use since 2010/11, and the trojan has several ways of infecting systems.
The Flame attack targets the Middle East
Investigations have only just begun, so knowledge is somewhat limited. What is known so far is that the malware is able to read data and passwords, to eavesdrop on conversations using installed microphones and detect near-by bluetooth devices. Basically everything any good spyware should be able to do.
What is interesting, though, is the fact that Flame has only been discovered on a few hundred computers in important companies and government organizations, in Iran and Syria in particular. This may substantiate the suspicions that the malware was and still is being developed under orders of a government. The latest information has shown that files sent from infected computers were mainly PDF and Office files as well as engineering drawings. This may be just another piece of evidence pointing to it being a targeted long-term spy attack.
Flame may be part of the US cyber arsenal
Israel was wrongly accused of being responsible for the trojan, but there have recently been new facts coming to light that hint at a completely different direction. As early as 2010, the worm Stuxnet attracted some attention when it infected Siemens' control systems. This target may sound quite uninteresting – but not when you see what institution was the initial goal of Stuxnet.
Until the end of September 2010, most of the instances of infected computers took place in Iran. As if this was not already bad enough, there were unscheduled disturbances within the Iranian nuclear program; this may suggest that Stuxnet was supposed to attack the control system of the uranium enrichment plant in Natanz and the Bushire nuclear plant. Cyberwar is therefore no longer simply science fiction, but is in fact in full swing in the real world.
The creator of Stuxnet is also unknown. David E. Sanger, Washington correspondent of New York Times recently published a book claiming that using Stuxnet was ordered by none other than Barack Obama himself. According to Sanger, the US president continued the program known as "Olympic Games", initiated by his predecessor in office George W. Bush, as one of several cyber attacks on Iran when he first came into office.
It was not before June 10th, 2012 that security experts noticed striking similarities between two modules that are not only used for Stuxnet, but also for Flame. Both malicious programs were considered quite different at that time, but the detected module could hint at the US being the one responsible for both.
Malware with self-destruction mechanism
If you have a closer look at some of Flame's technical features, it is clear that it's not exactly aimed at infecting as many systems as possible. Malware is usually designed to be small and efficient in order to infect as many computers as possible without being noticed. Flame's structure, however, is modular, and most detected specimens were about 20-25 MB in size. This is surprisingly large for malware and anything but easy to hide. The more code and functions, the more likely it is that heuristics scanners or behavior analysis will detect it.
But this was also taken care of with Flame: Just as a real spy would do, a virtual poison pill was sent to infected computers by Flame's control servers last week. Flame was thus supposed to uninstall itself as if the program were committing suicide. And this was at the time when news of the attack started spreading through the media like wildfire. The aim may have been to leave no trace or evidence of itself whatsoever – quite uncommon with conventional malware that the user usually removes at some point.
What is the risk for private users?
Good news first: Regular PC users do not seem to be the trojan's prime target. There have been no infections in the US or in Europe so far. The attacks are directly aimed at some Middle-Eastern countries and even there not at individuals. You can therefore use the Internet for private as well as business purposes without too much worry.
However, all these cyperspace incidents should urge internet users to act with caution. Where necessary, it is not only the US who will resort to online weapons. Germany also caused a stir with the Federal Trojan, and one should act on the assumption that many more countries run similar programs. We therefore recommend using Emsisoft Anti-Malware - its powerful dual-engine scanner combined with behavior analysis are able to detect and block even unknown malware. We have not heard of any Flame variant yet that was able to dupe Emsisoft Anti-Malware's behavior analysis.
Have a nice (malware-free) day!
Your Emsisoft Team