Flame (malware) explained

Full name: Flame
Aliases: Flamer, sKyWIper, Skywiper
Type: Malware
Author: Equation Group
OS: Windows
File size: 20 MB
Language: C++, Lua

Flame, also known as Flamer, sKyWIper, and Skywiper,[1] is modular computer malware discovered in 2012[2] [3] that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.[4] [5] [6]

Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab of the Budapest University of Technology and Economics. The last of these stated in its report that Flame "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." Flame can spread to other systems over a local network (LAN). It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. At that time 65% of the infections happened in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, with a "huge majority of targets" within Iran. Flame has also been reported in Europe and North America.[7] Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the "kill" command was sent.

Flame is linked to the Equation Group by Kaspersky Lab. However, Costin Raiu, the director of Kaspersky Lab's global research and analysis team, believes the group only cooperates with the creators of Flame and Stuxnet from a position of superiority: "Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."[8]

Research has described Flame as one of the most significant and intricate cyber-espionage tools found to date. Using a sophisticated strategy, it penetrated numerous computers across the Middle East by presenting a forged certificate that appeared to be a genuine Microsoft security certificate.[9]

In 2019, researchers Juan Andres Guerrero-Saade and Silas Cutler announced their discovery of the resurgence of Flame.[10] [11] The attackers used 'timestomping' to make the new samples look like they were created before the 'suicide' command. However, a compilation error included the real compilation date. The new version (dubbed 'Flame 2.0' by the researchers) includes new encryption and obfuscation mechanisms to hide its functionality.[12]
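An added example, not from the article or from the researchers' analysis, of the kind of timestamp-consistency check an analyst runs to spot backdated samples: it reads the linker's TimeDateStamp from a PE header and compares it with the file-system creation and modification times the sample carries. The minimal PE image, `build_minimal_pe`, and the epoch values are constructed for the demonstration and are not Flame artifacts.

```python
import struct

def build_minimal_pe(compile_ts: int) -> bytes:
    """Constructed, not a real sample: DOS header + PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, compile_ts, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff

def pe_compile_timestamp(data: bytes) -> int:
    """Return the linker's TimeDateStamp (Unix epoch seconds) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header, which follows the signature
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def timestomp_indicators(data: bytes, fs_created: int, fs_modified: int) -> list:
    """Flag inconsistencies between the embedded compile time and file-system times.

    A binary cannot legitimately exist on disk before it was linked, so a
    creation or modification time earlier than TimeDateStamp suggests the
    file times were backdated (or the header stamp itself was altered).
    """
    compile_ts = pe_compile_timestamp(data)
    findings = []
    if compile_ts == 0:
        findings.append("TimeDateStamp is zero: compile time deliberately cleared")
    if compile_ts > fs_created:
        findings.append("file creation time predates compile time: possible timestomping")
    if compile_ts > fs_modified:
        findings.append("file modification time predates compile time: possible timestomping")
    return findings

if __name__ == "__main__":
    real_build = 1551398400      # 2019-03-01 00:00 UTC (constructed value)
    backdated = 1306886400       # 2011-06-01 00:00 UTC (constructed value)
    sample = build_minimal_pe(real_build)
    for finding in timestomp_indicators(sample, backdated, backdated):
        print(finding)
```

On a real file the two epoch arguments come from the file system (for instance `os.stat` results); the check only says the times disagree, so a clock-skewed build machine must be ruled out before concluding that the times were deliberately backdated.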

History

Flame (a.k.a. Da Flame) was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.[13] As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after one of the main modules inside the toolkit.

Notes and References

  1. Symantec. "Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East". 30 May 2012. Archived 31 May 2012: https://web.archive.org/web/20120531022507/http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
  2. Lee, Dave. "Flame: Massive Cyber-Attack Discovered, Researchers Say". BBC News, 28 May 2012. Archived 30 May 2012: https://web.archive.org/web/20120530232458/http://www.bbc.com/news/technology-18238326
  3. McElroy, Damien; Williams, Christopher. "Flame: World's Most Complex Computer Virus Exposed". The Daily Telegraph, 28 May 2012. Archived 30 May 2012: https://web.archive.org/web/20120530190924/http://www.telegraph.co.uk/news/worldnews/middleeast/iran/9295938/Flame-worlds-most-complex-computer-virus-exposed.html
  4. "sKyWIper: A Complex Malware for Targeted Attacks". 28 May 2012. Archived 28 May 2012 (original link dead): https://web.archive.org/web/20120528142705/http://www.crysys.hu/skywiper/skywiper.pdf
  5. Iran Computer Emergency Response Team. "Identification of a New Targeted Cyber-Attack". 28 May 2012. Archived 29 May 2012 (original link dead): https://web.archive.org/web/20120529114540/http://www.certcc.ir/index.php?name=news&file=article&sid=1894&newlang=eng
  6. Gostev, Alexander. "The Flame: Questions and Answers". Securelist, 28 May 2012. Archived 30 May 2012: https://web.archive.org/web/20120530214156/http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
  7. Murphy, Samantha. "Meet Flame, the Nastiest Computer Malware Yet". Mashable.com, 5 June 2012. Archived 8 June 2012: https://web.archive.org/web/20120608082238/http://mashable.com/2012/06/04/flame-malware/
  8. Kaspersky Labs Global Research & Analysis Team. "Equation: The Death Star of Malware Galaxy". SecureList. Archived 17 February 2015: https://web.archive.org/web/20150217214225/https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ . Quoting Costin Raiu (director of Kaspersky Lab's global research and analysis team): "It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."
  9. Munro, Kate. "Deconstructing Flame: the limitations of traditional defences". Computer Fraud & Security, vol. 2012, no. 10, 1 October 2012, pp. 8–11. doi:10.1016/S1361-3723(12)70102-1. ISSN 1361-3723.
  10. Zetter, Kim. "Researchers Uncover New Version of the Infamous Flame Malware". 9 April 2019. Retrieved 6 August 2020.
  11. "Who is GOSSIPGIRL?". Medium, 12 April 2019. Archived 22 July 2020: https://web.archive.org/web/20200722082746/https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
  12. Guerrero-Saade, Juan Andres; Cutler, Silas. "Flame 2.0: Risen from the Ashes". 9 April 2019. Archived 1 June 2023: https://web.archive.org/web/20230601024518/https://silascutler.com/uploads/Flame_2.0_Risen_from_the_Ashes.pdf
  13. Zetter, Kim. "Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers". Wired, 28 May 2012. Archived 30 May 2012: https://web.archive.org/web/20120530213153/http://www.wired.com/threatlevel/2012/05/flame/