Flame: Modern Warfare

Matthew Stratton

What is Flame?

• How it was found

• What are its capabilities

• How it is similar to Stuxnet and Duqu

• Implications

Flame’s Discovery

This is not the malware you are looking for

Kaspersky Labs

• April 2012

• National Iranian Oil Company infected by an unknown virus

• International Telecommunication Union asked Kaspersky to investigate

• Looked for a virus called “Wiper” but found something much worse

New Malware: Flame

• Kaspersky Labs named the new virus “Flame” after the name of one of its prominent modules

Infected

• Most infected computers found in the Middle East

• A few infections found in Europe

Tried and True

• Flame has been in the wild a long time

• Evidence of Flame’s use as far back as August 2010

– Avoided detection for 20+ months

• Likely much older, some evidence suggests earlier versions as early as 2007

Flame’s Capabilities

Spy in a Box

What is Flame

• Sophisticated attack toolkit: backdoor, trojan, worm

• Avoids detection

• Modular:

– Small infection module downloads extra modules once it compromises a system

– With all known modules: ~20 MB in size

– Wiper may be a Flame module

Infect

• Signed with a fraudulent certificate purportedly issued by the Microsoft Enforced Licensing Intermediate PCA certificate authority

• Infection module will modify itself to avoid antivirus detection

• Large size makes it hard to determine that Flame is doing anything malicious

Gather

• Once a machine is infected, attack modules are downloaded from the C&C server depending on the target system

• Sniff network traffic and gather information on Bluetooth devices in range

– Could lead to customized attacks in the future

Gather

• Take screenshots when “interesting” applications are running

• Turn on the built-in microphone and record audio conversations

• Key logger

• Record Skype conversations

• Gather local files stored on the computer, including information from databases

Spread

• On command of the operator (C&C server)

Notorious Similarities

Stuxnet and Duqu

Stuxnet and Duqu

• Sophistication

• Exploit the same vulnerabilities

– Print spooler

– USB infection methods

– Not seen anywhere else

Different Developers

• Different programming language

• Different software architecture

• Hypothesis:

– Developed in parallel with Stuxnet and Duqu by different teams

– Access to same database of vulnerabilities

– Both commissioned by the same group

Implications

The Dawn of Cyber Warfare

Cyber Warfare

• "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

• Developed by a nation state

– Complexity

– Goals

– Targets

Creators

• Leaked documents and inside sources claim it was a project started by George W. Bush and continued by President Obama

– Olympic Games

– Developed with Israel

• No one has openly claimed responsibility

Fin

• Finding Flame

• Flame’s functionality

• Connections to Stuxnet and Duqu

• Implications: Cyber Warfare

Questions?
