First Stuxnet, now meet Flame.

Kaspersky has reported discovering a really super piece of spyware after being requested to investigate suspected malware causing information loss at the Iranian oil refinery/depot. They believe it’s been around since August 2010.

[Image] Photo credit: Kaspersky Labs

The countries affected appear to be Israel, Iran, Sudan, Syria, Lebanon and Saudi Arabia.

There are three classes of malware/spyware producers: hacktivists, cybercriminals and nation states. The backtracking and identification of the targets yields the suspicion of just who and what group he/she/they belong to.

In this case, there's no doubt some nation state is responsible... based on the targets, sophistication of the attack and research needed to produce such software. I'm betting the NSA.

This spyware takes pictures of emails every time an email program is opened, and if a conversation is going on near a computer with a microphone, it compresses and sends the conversation. It appears to be an information only tool, not designed to damage the systems it resides on.

Stuxnet was simple-minded compared to this one. Flame is like a toolkit which can go after whatever the sender wants, since after initial infection, additional modules can be added like plugins to a browser. Apparently there are more than twenty such modules in its full library. I read hints of this in the past (and there being five such modules), about the time I brought Duqu to your attention. At that time, Flame hadn't been differentiated from Duqu publicly.

Flame appears to have infected over 600 very specific targets. So don’t worry, I doubt yours is on the list.

There will be many more interesting developments in this story, and as they come up, I’ll try my best to keep you all abreast.

Update (6/5/2012): It now appears that the Flame/Skywiper virus/Trojan exploited a 'hole' in an MS program to disguise itself as the program to grab blueprints and specs of the Iranian-Russian reactors, as well as take pictures of and the communications of those using those specs, and more.

Source:

http://www.bbc.com/news/technology-18238326

http://www.wired.com/threatlevel/2012/05/flame/ – Much more comprehensive history and analysis.

Update:  http://www.israelnationalnews.com/News/News.aspx/156557#.T83nxTyjN8E

Reply #1

What's weird is that this thing doesn't appear to be aimed at a particular geopolitical bloc: Iran and Israel are affected, along with Saudi Arabia (a major US ally in the region), Sudan and Syria (rogue and unstable, to different degrees), and Lebanon (stable, but hosts a lot of anti-Israeli sentiment). Seeing as the US's adventures into digital tactics have been somewhat... underwhelming in the past, it's possible (although I don't think very likely) that they created something like this and then ended up spreading it far wider than they had originally intended. However, it's possible this is a hacktivist attack that has something to do with the Arab Spring, a general attempt by some country to spread chaos, or (most likely) a very well-put-together cybercrime operation: even though money was not directly taken, this information would have a lot of value, and it cut a very wide swath through the region.

Reply #2

More about gathering information about who's saying what to whom. The U.S. would seem to me to be the most likely to have done it.

Reply #3

Likely in terms of motivation, possibly, assuming they didn't intend for it to be as wide-reaching as it was. But the most sophisticated cyberattack in history coming from these guys seems unlikely, especially given that the US has little to no history of doing anything in that arena before (the religious references in the Stuxnet file names suggest it was at least masterminded by Israel if not actively developed there).

Reply #4

Notice the 2 names for 1 of the targets. And I don't mean Saudi Arabia.

Reply #5

Yes... well, didn't want to turn this "political", but there really aren't anything but terror links in that entity which are worthy as intelligence targets.

Certainly nothing of any scientific or technological or military value... as opposed to the other "entity".

Reply #6

Just thought it was "interesting."

Reply #7

It is... and you were spot on for noticing.

Reply #8

Update 1:

The Israeli Vice PM Moshe Ya'alon was quoted in an interview:

“Israel has been blessed with a prolific hi-tech sector that opens possibilities in both the business and security fields,” said an enigmatic Strategic Affairs Minister Moshe Ya’alon Tuesday morning, responding to a question as to whether Israel could be behind the sophisticated computer virus “Flame.”

http://www.timesofisrael.com/yaalon-on-flame-virus-the-west-is-using-all-the-means-at-its-disposal-to-prevent-a-nuclear-iran/

The article went on to say, (and paraphrase Ya'alon) that:

"...several Western countries that possess advanced technologies and see a nuclear Iran as a significant threat could be behind the large-scale cyber attack that infiltrated thousands of computer systems in Iran and across the Middle East.

“Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it,” he said.

Ya’alon agreed with experts’ estimates that only a state could possess the resources necessary to develop such an advanced cyber weapon and noted that Western countries were doing all they could to prevent Iran from developing a nuclear weapon."

Reply #10

Obama order sped up wave of cyber attacks against Iran

http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=3&pagewanted=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all

Stuxnet was developed by the US and 'escaped' ...

'“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.'

Reply #12

Quoting DrJBHL, reply 2
More about gathering information about who's saying what to whom. The U.S. would seem to me to be the most likely to have done it.
End of DrJBHL's quote

Actually, any Western European country. America is the prime suspect because we are number 1. But the bug seems to be ham-handed, so that indicates a less sophisticated approach.

Reply #13

Dr. Guy, wouldn't that just mean it was government programmers who made it? :D

Reply #14

Quoting Jythier, reply 13
Dr. Guy, wouldn't that just mean it was government programmers who made it?
End of Jythier's quote

:grin:

After I wrote my comment, I thought some might take it the wrong way: ham-handed. What I meant by that is had the US made it, it would have been tight and focused, not scattershot. That a government may have done it is probably right. But it does not look like a top-tier intelligence agency, rather a smaller one hoping to pick up anything.

Reply #15

Quoting Dr, reply 14
It does not look like a top-tier intelligence agency, rather a smaller one hoping to pick up anything.
End of Dr's quote

Where is that coming from? Is there a reference?

Reply #16

Quoting Dr, reply 14
What I meant by that is had the US made it, it would have been tight and focused, not scattershot.
End of Dr's quote

Maybe this has been done deliberately, to move focus away from the obvious suspects.

Reply #17

Can't ignore pretzel logic, you know. :-"