Flame: Modern WarfareMatthew Stratton

What is Flame?

• How it was found

• What are its capabilities

• How it is similar to Stuxnet and Duqu

• Implications

Flame’s Discovery

This is not the malware you are looking for

Kaspersky Labs

• April, 2012• National Iranian Oil Company

infected by an unknown virus• International Telecommunication

Union asked Kaspersky to investigate

• Looked for a virus called “Wiper” but found something much worse

New Malware: Flame

• Kaspersky labs named the new virus “Flame” after the name of one of the prominent modules

Infected

• Most infected computers found in the Middle East

• A few infections found in Europe

Tried and True

• Flame has been in the wild a long time

• Evidence of Flame’s use as far back as August 2010– Avoided detection for 20+ months

• Likely much older, some evidence suggests earlier versions as early as 2007

Flame’s Capabilities

Spy in a Box

What is Flame

• Sophisticated attack toolkit: backdoor, trojan, worm

• Avoids detection• Modular:

– Small infection module downloads extra modules once it compromises a system

– With all known modules: ~20 MB in size– Wiper may be a Flame module

Infect

• Signed by fraudulent certificate supposedly from Microsoft Enforced Licensing Intermediate PCA certificate authority

• Infection module will modify itself to avoid antivirus detection

• Large size makes it hard to determine that Flame is doing anything malicious

Gather

• Once a machine is infected, attack modules downloaded from C&C server depending on the target system

• Sniff network traffic and gather information on Bluetooth devices in range– Could lead to customized attacks in the

future

Gather

• Take screenshots when “interesting” applications are running

• Turn on built in mic and record audio conversations

• Key logger• Record Skype conversations• Gather local files stored on computer,

including info from databases

Spread

• On command of the operator (C&C server)

Notorious Similarities

Stuxnet and Duqu

Stuxnet and Duqu

• Sophistication• Exploit same vulnerabilities

– Print spooler– USB infection methods– Not seen anywhere else

Different Developers

• Different programming language• Different software architecture• Hypothesis:

– Developed in parallel with Stuxnet and Duqu by different teams

– Access to same database of vulnerabilities

– Both commisioned by same group

Implications

The Dawn of Cyber Warfare

Cyber Warfare

• "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

• Developed by a nation state– Complexity– Goals– Targets

Creators

• Leaked documents and inside sources claim it was a project started by George W. Bush and continued by President Obama– Olympic Games– Developed with Israel

• No one has openly claimed responsibility

Fin

• Finding Flame

• Flame’s functionality

• Connections to Stuxnet and Duqu

• Implications: Cyber Warfare

Questions?