Unless you’ve been off the interwebs this weekend, the big news is Kaspersky’s discovery of what may be the next Stuxnet or Duqu. Named Flame, it’s being called an “industrial vacuum cleaner” because of its data collection activities. Kaspersky ran into Flame while investigating a separate data-wiping malware, referred to as Wiper, that hit computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company. Although Flame’s goals are quite different from Stuxnet’s and more in line with Duqu’s (espionage rather than sabotage), it has made a massive impact across the Middle East and Eastern Europe.
(Updated 5/29 @ 2:45)
Here are some of the notes I’ve collected so far.
- Kaspersky was looking into another piece of malware, which it calls Wiper, when they ran into Flame. Whether Wiper and Flame are related is currently unknown. Adding to the confusion, the vendors have not settled on a single name for Flame itself: CrySyS and McAfee use the sKyWIper/SkyWiper nomenclature, while Symantec refers to it as Flamer.
- The name Flame comes from the name of one of the malware’s main modules. Some AV vendors have come up with other ingenious names for this new piece of malware (e.g., Flamer … really, did they even have to go there).
- The attack origin is unknown, but since this isn’t the usual hacktivist or “cyber crims” (tx @isdpodcast) type of activity, many researchers are pointing at a nation-state actor. Based on the targets, Western governments are of course getting the blame, with an intelligence agency or a military named as the likely author. As noted by @damami, “Attribution is also a fundamental challenge.”
- Kaspersky’s analysis puts Flame in the wild for roughly two years, and it is currently in its active phase of vacuuming up data. CrySyS, which analyzed the same malware under the name sKyWIper, says it “may have been active for as long as five to eight years.”
- No AV product initially detected Flame. Yeah, I expected this from the “signature” side of AV, but I wonder what happened to heuristic scanning and behavior detection. With the amount of data this beast was exfiltrating, you’d think that would have tripped something. Hey, maybe AV is dead. 😉
- Kaspersky has identified more than 600 targets, ranging from individuals to government organizations. Most are concentrated in the Middle East and Eastern Europe, including Iran, the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. The operation also relies on at least ten C&C servers distributed around the world, which receive the vacuumed-up data.
- With all modules loaded Flame weighs in at about 20 MB, roughly 20 times the size of Stuxnet. Given that size and complexity, researchers have estimated a full analysis could take up to 10 years.
- Flame collects huge volumes of data from compromised systems. So far this has included captured network traffic, screenshots, audio recordings and keystroke logs.
- Removal tools seem to be popping up, although I think the vast majority of us aren’t affected. So far I’ve come across BitDefender’s.
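The note above about behavior detection (that exfiltrating this much data ought to trip something) is the one practical takeaway here, so here is an added example of what such a check looks like. It is not from the original post or any of the vendors: a per-host baseline of outbound bytes to external addresses, with a flag when one day’s egress sits far above the host’s own history, plus a list of external destinations the host had never contacted before. The flow records, host names, addresses and thresholds are all constructed for illustration.

```python
"""Per-host external egress baseline check over constructed flow records.

Hypothetical example: the flow tuples below are made up for illustration and
are not Flame traffic; the thresholds are assumptions, not any vendor's defaults.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import statistics

# Only RFC 1918 space counts as internal. (ipaddress.is_private would also mark
# the RFC 5737 documentation ranges used below as private, so list explicitly.)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (day, src_host, dst_ip, bytes_out)
FLOWS = [
    # ws-01: about 1 MB/day of ordinary egress, then 240 MB to a new host on day 7
    (1, "ws-01", "198.51.100.10", 1_100_000),
    (2, "ws-01", "198.51.100.10", 950_000),
    (3, "ws-01", "198.51.100.10", 1_200_000),
    (4, "ws-01", "198.51.100.10", 1_000_000),
    (5, "ws-01", "198.51.100.10", 1_050_000),
    (6, "ws-01", "198.51.100.10", 900_000),
    (7, "ws-01", "198.51.100.10", 1_000_000),
    (7, "ws-01", "203.0.113.7", 240_000_000),
    # ws-02: steady traffic with ordinary day-to-day variation, no anomaly
    (1, "ws-02", "198.51.100.10", 2_000_000),
    (2, "ws-02", "198.51.100.10", 2_100_000),
    (3, "ws-02", "198.51.100.10", 1_900_000),
    (4, "ws-02", "198.51.100.10", 2_000_000),
    (5, "ws-02", "198.51.100.10", 2_050_000),
    (6, "ws-02", "198.51.100.10", 1_950_000),
    (7, "ws-02", "198.51.100.10", 2_200_000),
    # ws-03: perfectly flat baseline, plus a 500 MB copy to an internal server (not egress)
    *[(d, "ws-03", "198.51.100.10", 500_000) for d in range(1, 8)],
    (7, "ws-03", "10.0.0.5", 500_000_000),
    # ws-04: first seen on day 7, so there is no baseline to compare against
    (7, "ws-04", "203.0.113.7", 50_000_000),
]


def is_external(ip: str) -> bool:
    """True when the destination is outside the internal (RFC 1918) ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Return {host: {day: bytes sent to external destinations}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def new_external_destinations(flows, day):
    """External destinations a host contacts on `day` but never on an earlier day."""
    earlier, on_day = defaultdict(set), defaultdict(set)
    for d, host, dst, _ in flows:
        if not is_external(dst):
            continue
        if d < day:
            earlier[host].add(dst)
        elif d == day:
            on_day[host].add(dst)
    return {host: dsts - earlier[host] for host, dsts in on_day.items()}


def flag_hosts(flows, day, z_threshold=3.0, min_baseline_days=3):
    """Flag hosts whose egress on `day` is z_threshold deviations above their own history.

    Hosts with fewer than min_baseline_days of history are skipped; a freshly
    imaged machine is therefore a blind spot for this check, not a finding.
    """
    totals = daily_external_egress(flows)
    new_dsts = new_external_destinations(flows, day)
    alerts = []
    for host, per_day in totals.items():
        baseline = [b for d, b in per_day.items() if d < day]
        if len(baseline) < min_baseline_days:
            continue
        today = per_day.get(day, 0)
        mean = statistics.mean(baseline)
        # Floor the spread at 10% of the mean so a flat baseline cannot divide by zero
        spread = max(statistics.pstdev(baseline), 0.1 * mean)
        z = (today - mean) / spread if spread else 0.0
        if z >= z_threshold:
            alerts.append({
                "host": host, "day": day, "bytes_out": today,
                "baseline_mean": round(mean), "z": round(z, 1),
                "new_destinations": sorted(new_dsts.get(host, set())),
            })
    return sorted(alerts, key=lambda a: a["z"], reverse=True)


if __name__ == "__main__":
    for alert in flag_hosts(FLOWS, day=7):
        print(alert)
```

Running it flags only ws-01, with 203.0.113.7 as a destination it had never talked to before; ws-02’s larger but ordinary day stays under the threshold, ws-03’s 500 MB internal copy is ignored because it never leaves the network, and ws-04 is skipped for lack of history. Real deployments would feed this from netflow or proxy logs and tune the threshold per host class, but the shape of the check is the same.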
This is still a developing story, so here are a few more good resources to read up on.
General News Sites with Overviews
- New Massive Cyber-Attack an ‘Industrial Vacuum Cleaner for Sensitive Information’ – Forbes.com
- Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers – Wired.com
- Flame: Massive cyber-attack discovered, researchers say – BBC.com
- New cyber weapon targets systems in the Middle East – Net-Security.org
- Complex cyberwar tool ‘Flame’ found ALL OVER Middle East – TheRegister.co.uk
Research Sites with More Technical Detail
- Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East – Symantec.com (nice timeline, geographic attack map, and a detailed breakdown of its components)
- Identification of a New Targeted Cyber-Attack – Iran National CIRT (the original alert that went out)
- sKyWIper: A Complex Malware for Targeted Attack (PDF) – CrySyS.hu (very good write-up on the topic)
- The Flame: Questions and Answers – SecureList.com
I’ll be continuing to update this post as I come across any new info. Very interesting overall…
Today’s post pic is from BBC.com. See ya!