
Three Flame-related malicious programs uncovered

By Staff Writer, ITWeb
Johannesburg, 18 Sept 2012

Kaspersky Lab's recent investigations have uncovered three new Flame-related malicious programs, at least one of which is still in the wild.

Flame is a sophisticated attack toolkit. It is a backdoor and a Trojan with worm-like features, allowing it to replicate across a local network and on removable media when commanded to do so by its operators.

The initial point of entry for Flame remains unknown. It is suspected that it is deployed through targeted attacks, but Kaspersky has not observed the original vector by which it spreads.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this is available to the operators through the link to Flame's command-and-control (C&C) servers.

Later, the operators can choose to upload further modules, which expand Flame's functionality. There are about 20 modules in total; the purpose of most of them is still being investigated.

Another key finding of the research is that development of Flame's C&C platform started as early as December 2006 and was still ongoing.

According to Kaspersky, the C&C servers were disguised to look like a common content management system to hide the real nature of the project from hosting providers or random investigations.

In addition, the servers were able to receive data from infected machines using four different protocols, only one of which serviced computers attacked with Flame.

“The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created; their nature is currently unknown,” says the security giant. “One of these Flame-related unknown malicious objects is currently operating in the wild.”

The company adds that there were signs that the C&C platform was still under development; one communication scheme, named 'Red Protocol', is mentioned but not yet implemented. “However, there is no sign that Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.”

Aleks Gostev, chief security expert at Kaspersky Lab, says the findings in this particular investigation are based on the analysis of the content retrieved from several C&C servers used by Flame. “This information was recovered despite the fact that Flame's control infrastructure went offline immediately after Kaspersky Lab disclosed the existence of the malware.”

He says sophisticated encryption methods were utilised to ensure that only the attackers could obtain the data uploaded from infected machines. The analysis of the scripts used to handle data transmissions to the victims unveiled four communication protocols, only one of which was compatible with Flame. It means that at least three other types of malware used these C&C servers.

“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its C&C servers. Flame's creators are good at covering their tracks. However, one mistake of the attackers helped us to discover more data than one server was intended to keep. Based on this, we can see that more than 5GB of data was uploaded to this particular server a week, from more than 5 000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale,” Gostev concluded.
