Flame (malware)

Flame,^{[lower-alpha 1]} also known as Flamer, sKyWIper,^{[lower-alpha 2]} and Skywiper,^[2] is modular computer malware discovered in 2012^[3]^[4] that attacks computers running the Microsoft Windows operating system.^[5] The program is being used for targeted cyber espionage in Middle Eastern countries.^[1]^[5]^[6]

Its discovery was announced on 28 May 2012 by MAHER Center of Iranian National, Computer Emergency Response Team (CERT),^[5] Kaspersky Lab^[6] and CrySyS Lab of the Budapest University of Technology and Economics.^[1] The last of these stated in its report that Flame "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."^[1]

Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.^[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.^[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.^[6]

According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines,^[7] with victims including governmental organizations, educational institutions and private individuals.^[6] At that time 65% of the infections happened in Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt,^[3]^[6] with a "huge majority of targets" within Iran.^[8] Flame has also been reported in Europe and North America.^[9] Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the "kill" command was sent.^[10]

History

Flame (a.k.a. Da Flame) was identified in May 2012 by MAHER Center of Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.^[7] As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after one of the main modules inside the toolkit [FROG.DefaultAttacks.A-InstallFlame].^[7]

According to Kaspersky, Flame had been operating in the wild since at least February 2010.^[6] CrySyS Lab reported that the file name of the main component was observed as early as December 2007.^[1] However, its creation date could not be determined directly, as the creation dates for the malware's modules are falsely set to dates as early as 1994.^[7]

Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.^[11] At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator.^[12] However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware.^[7] Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years.^[7]

On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks.^[7] After Flame's exposure in news media, Symantec reported on 8 June that some Flame command and control (C&C) computers had sent a "suicide" command to infected PCs to remove all traces of Flame.^[10]

According to estimates by Kaspersky in May 2012, initially Flame had infected approximately 1,000 machines,^[7] with victims including governmental organizations, educational institutions and private individuals.^[6] At that time the countries most affected were Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.^[3]^[6]

Operation

List of code names for various families of modules in Flame's source code and their *possible* purpose^[1]
Name	Description
Flame	Modules that perform attack functions
Boost	Information gathering modules
Flask	A type of attack module
Jimmy	A type of attack module
Munch	Installation and propagation modules
Snack	Local propagation modules
Spotter	Scanning modules
Transport	Replication modules
Euphoria	File leaking modules
Headache	Attack parameters or properties

Flame is an uncharacteristically large program for malware at 20 megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.^[6]^[13] The malware uses five different encryption methods and an SQLite database to store structured information.^[1] The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.^[1] The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems.^{[lower-alpha 3]}^[1] The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software.^[1] Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.^[13]

Flame is not designed to deactivate automatically, but supports a "kill" function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers.^[7]

Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority.^[14] The malware authors identified a Microsoft Terminal Server Licensing Service certificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft.^[14] A successful collision attack against a certificate was previously demonstrated in 2008,^[15] but Flame implemented a new variation of the chosen-prefix collision attack.^[16]

Compromised Microsoft certificate using the weak MD5 algorithm, and the unintended code-signing usage.
Property	Value
Version	V3
Serial number	3a ab 11 de e5 2f 1b 19 d0 56
Signature algorithm	md5RSA
Signature hash algorithm	md5
Issuer	CN = Microsoft Root Authority,OU = Microsoft Corporation,OU = Copyright (c) 1997 Microsoft Corp.
Valid from	Thursday,10 December 2009 11:55:35 AM
Valid to	Sunday,23 October 2016 6:00:00 PM
Subject	CN = Microsoft Enforced Licensing Intermediate PCA,OU = Copyright (c) 1999 Microsoft Corp.,O = Microsoft Corporation,L = Redmond,S = Washington,C = US
Public key	30 82 01 0a 02 82 01 01 00 fa c9 3f 35 cb b4 42 4c 19 a8 98 e2 f4 e6 ca c5 b2 ff e9 29 25 63 9a b7 eb b9 28 2b a7 58 1f 05 df d8 f8 cf 4a f1 92 47 15 c0 b5 e0 42 32 37 82 99 d6 4b 3a 5a d6 7a 25 2a 9b 13 8f 75 75 cb 9e 52 c6 65 ab 6a 0a b5 7f 7f 20 69 a4 59 04 2c b7 b5 eb 7f 2c 0d 82 a8 3b 10 d1 7f a3 4e 39 e0 28 2c 39 f3 78 d4 84 77 36 ba 68 0f e8 5d e5 52 e1 6c e2 78 d6 d7 c6 b9 dc 7b 08 44 ad 7d 72 ee 4a f4 d6 5a a8 59 63 f4 a0 ee f3 28 55 7d 2b 78 68 2e 79 b6 1d e6 af 69 8a 09 ba 39 88 b4 92 65 0d 12 17 09 ea 2a a4 b8 4a 8e 40 f3 74 de a4 74 e5 08 5a 25 cc 80 7a 76 2e ee ff 21 4e b0 65 6c 64 50 5c ad 8f c6 59 9b 07 3e 05 f8 e5 92 cb d9 56 1d 30 0f 72 f0 ac a8 5d 43 41 ff c9 fd 5e fa 81 cc 3b dc f0 fd 56 4c 21 7c 7f 5e ed 73 30 3a 3f f2 e8 93 8b d5 f3 cd 0e 27 14 49 67 94 ce b9 25 02 03 01 00 01
Enhance key usage	Code Signing (1.3.6.1.5.5.7.3.3) Key Pack Licenses (1.3.6.1.4.1.311.10.6.1) License Server Verification (1.3.6.1.4.1.311.10.6.2)
Authority identifier	Certificate Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.\| Certificate SerialNumber=00 c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40
Subject key identifier	6a 97 e0 c8 9f f4 49 b4 89 24 b3 e3 d1 a8 22 86 aa d4 94 43
Key usage	Digital Signature Certificate Signing Off-line CRL Signing CRL Signing (86)
Basic constraints	Subject Type=CA Path Length Constraint=None
Thumbprint algorithm	sha1
Thumbprint	2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Deployment

Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.^[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth enabled devices.^[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.^[6]

Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage.^[17] It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes".^[18]

Using a technique known as sinkholing, Kaspersky demonstrated that "a huge majority of targets" were within Iran, with the attackers particularly seeking AutoCAD drawings, PDFs, and text files.^[8] Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes.^[8]

A network of 80 servers across Asia, Europe and North America has been used to access the infected machines remotely.^[19]

Origin

On 19 June 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel’s military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts.^[20]

According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it."^[3] Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers.^[21] After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability.^[22]

Iran's CERT described the malware's encryption as having "a special pattern which you only see coming from Israel".^[23] The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the West Bank—Israel became "many commentators' prime suspect". Other commentators named China and the U.S. as possible perpetrators.^[21] Richard Silverstein, a commentator critical of Israeli policies, claimed that he had confirmed with a "senior Israeli source" that the malware was created by Israeli computer experts.^[21] The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible,^[21] but an Israeli spokesperson later denied that this had been implied.^[24] Unnamed Israeli security officials suggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other Western nations.^[25] The U.S. has officially denied responsibility.^[26]

A leaked NSA document mentions that dealing with Iran's discovery of FLAME is an NSA and GCHQ jointly-worked event.^[27]

Notes

↑ "Flame" is one of the strings found in the code, a common name for attacks, most likely by exploits^[1]
↑ The name "sKyWIper" is derived from the letters "KWI" which are used as a partial filename by the malware^[1]
↑ MS10-061 and MS10-046

References

↑ ^1.00 ^1.01 ^1.02 ^1.03 ^1.04 ^1.05 ^1.06 ^1.07 ^1.08 ^1.09 ^1.10 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^3.0 ^3.1 ^3.2 ^3.3 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^5.0 ^5.1 ^5.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ ^6.00 ^6.01 ^6.02 ^6.03 ^6.04 ^6.05 ^6.06 ^6.07 ^6.08 ^6.09 ^6.10 ^6.11 Lua error in package.lua at line 80: module 'strict' not found.
↑ ^7.00 ^7.01 ^7.02 ^7.03 ^7.04 ^7.05 ^7.06 ^7.07 ^7.08 ^7.09 ^7.10 Lua error in package.lua at line 80: module 'strict' not found.
↑ ^8.0 ^8.1 ^8.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^10.0 ^10.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^13.0 ^13.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ ^14.0 ^14.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^21.0 ^21.1 ^21.2 ^21.3 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

[2] "Flame" is one of the strings found in the code, a common name for attacks, most likely by exploits^[1]

[3] The name "sKyWIper" is derived from the letters "KWI" which are used as a partial filename by the malware^[1]

[16] MS10-061 and MS10-046

[cry-1] 1.00 ^1.01 ^1.02 ^1.03 ^1.04 ^1.05 ^1.06 ^1.07 ^1.08 ^1.09 ^1.10 Lua error in package.lua at line 80: module 'strict' not found.

[4] Lua error in package.lua at line 80: module 'strict' not found.

[Lee-5] 3.0 ^3.1 ^3.2 ^3.3 Lua error in package.lua at line 80: module 'strict' not found.

[McElroy-6] Lua error in package.lua at line 80: module 'strict' not found.

[maher-7] 5.0 ^5.1 ^5.2 Lua error in package.lua at line 80: module 'strict' not found.

[Gostev-8] 6.00 ^6.01 ^6.02 ^6.03 ^6.04 ^6.05 ^6.06 ^6.07 ^6.08 ^6.09 ^6.10 ^6.11 Lua error in package.lua at line 80: module 'strict' not found.

[Zetter-9] 7.00 ^7.01 ^7.02 ^7.03 ^7.04 ^7.05 ^7.06 ^7.07 ^7.08 ^7.09 ^7.10 Lua error in package.lua at line 80: module 'strict' not found.

[BBC46-10] 8.0 ^8.1 ^8.2 Lua error in package.lua at line 80: module 'strict' not found.

[11] Lua error in package.lua at line 80: module 'strict' not found.

[del-12] 10.0 ^10.1 Lua error in package.lua at line 80: module 'strict' not found.

[Hopkins-13] Lua error in package.lua at line 80: module 'strict' not found.

[14] Lua error in package.lua at line 80: module 'strict' not found.

[FireEye-15] 13.0 ^13.1 Lua error in package.lua at line 80: module 'strict' not found.

[Ms-17] 14.0 ^14.1 Lua error in package.lua at line 80: module 'strict' not found.

[18] Lua error in package.lua at line 80: module 'strict' not found.

[19] Lua error in package.lua at line 80: module 'strict' not found.

[20] Lua error in package.lua at line 80: module 'strict' not found.

[21] Lua error in package.lua at line 80: module 'strict' not found.

[22] Lua error in package.lua at line 80: module 'strict' not found.

[nakashima2012june-23] Lua error in package.lua at line 80: module 'strict' not found.

[T295-24] 21.0 ^21.1 ^21.2 ^21.3 Lua error in package.lua at line 80: module 'strict' not found.

[25] Lua error in package.lua at line 80: module 'strict' not found.

[26] Lua error in package.lua at line 80: module 'strict' not found.

[27] Lua error in package.lua at line 80: module 'strict' not found.

[28] Lua error in package.lua at line 80: module 'strict' not found.

[29] Lua error in package.lua at line 80: module 'strict' not found.

[30] Lua error in package.lua at line 80: module 'strict' not found.

[lower-alpha 1]

[lower-alpha 2]

[2]

[3]

[4]

[5]

[1]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[lower-alpha 3]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

v t e Hacking in the 2010s
Major incidents	Operation Aurora (2010) Australian cyberattacks (2010) Operation Payback (2010) HBGary Federal (2011) DigiNotar (2011) Operation Tunisia (2011) 2011 PlayStation Network outage (2011) Operation AntiSec (2011) Stratfor email leak (2012–13) LinkedIn hack (2012) South Korea cyberattack (2013) Snapchat hack (2013) Operation Tovar (2014) iCloud leaks of celebrity photos (2014) Sony Pictures Entertainment hack (2014) Office of Personnel Management data breach (2015) Hacking Team (2015) Ashley Madison data breach (2015) VTech data breach (2015) Bangladesh Bank heist (2016) Commission on Elections data breach (2016)
Groups	Anonymous associated events CyberBerkut Bureau 121 Derp GNAA Goatse Security Hacking Team Iranian Cyber Army Lizard Squad LulzRaft LulzSec NullCrew PayPal 14 PLA Unit 61398 RedHack Syrian Electronic Army TeaMp0isoN Tailored Access Operations UGNazi Yemen Cyber Army
Individuals	George Hotz Guccifer Hector Monsegur Jeremy Hammond Junaid Hussain Kristoffer von Hassel Mustafa Al-Bassam Ryan Ackroyd Topiary The Jester weev
Vulnerabilities discovered	Heartbleed (2014) Shellshock (2014) POODLE (2014) JASBUG (2015) Stagefright (2015) DROWN (2016) Badlock (2016)
Malware	Careto / The Mask CryptoLocker Dexter Duqu FinFisher Flame Gameover ZeuS Mahdi Metulji botnet NSA ANT catalog R2D2 (trojan) Shamoon Stars virus Stuxnet

v t e Malware topics
Infectious malware	Computer virus Comparison of computer viruses Computer worm List of computer worms Timeline of computer viruses and worms
Concealment	Trojan horse Rootkit Backdoor Zombie computer Man-in-the-middle Man-in-the-browser Man-in-the-mobile Clickjacking
Malware for profit	Privacy-invasive software Adware Spyware Botnet Keystroke logging Form grabbing Web threats Fraudulent dialer Malbot Scareware Rogue security software Ransomware
By operating system	Linux malware Palm OS viruses Mobile malware Macro virus Macintosh (old) viruses Mac OS X malware iOS malware Android malware
Protection	Anti-keylogger Antivirus software Browser security Internet security Mobile security Network security Defensive computing Firewall Intrusion detection system Data loss prevention software
Countermeasures	Computer and network surveillance Operation: Bot Roast Honeypot Anti-Spyware Coalition

Flame (malware)

Contents

History

Operation

Deployment

Origin

See also

Notes

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools