Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. At the same time we published our FAQ, CrySyS Lab posted their thorough analysis of sKyWIper. A few days earlier, Maher CERT published IOCs for Flamer. In short, Flame, sKyWIper and Flamer are different names for the same threat, which took the world by surprise as the first major discovery after Stuxnet and Duqu.
Since the discovery of Flame, we reported on many other advanced malware platforms, including Regin and Equation, yet Flame remains special in terms of being one of the most complex, surprising and innovative malware campaigns we have ever seen.
Looking back at the discovery of Flame, here are some lessons we learned.
- High-end, government-grade malware can be big. A fully deployed set of Flame modules took about 20 megabytes, which was a lot. Previously, sophisticated malware would range in the order of kilobytes or hundred of kilobytes; most people would discard a 6MB executable file as “uninteresting”. Not anymore.
- Jumping airgaps. Flame was one of the first malware to implement a mechanism to bypass airgaps through the use of USB sticks. When a USB stick was plugged into a Flame infected computer without connection to the Internet, the malware saved stolen information into a hidden file on the stick. This file was invisible to most file explorers and contained up to 16MB of stolen documents and other information from the victim’s machine. When such a stick was connected to a machine infected by Flame connected to the Internet, the hidden information was taken off the stick and sent to its C&Cs.
- Dozens of C&Cs. With Flame, we ended up counting almost 100 different command and control servers. For a targeted malware, this is both unusual and a very large number. The authors of Flame created different versions of the malware connecting to many C&Cs in order to limit the impact of a takedown.
- Capturing Bluetooth audio. One of the Flame modules attempted to identify Bluetooth devices in the vicinity of the compromised machine and use them to record audio from the room. This is a rare type of attack pioneered by Flame.
- The age of mass surveillance. We believe the main purpose of Flame was to facilitate mass surveillance. The malware was designed to automatically collect everything from infected machines, ranging from documents to screenshots, keystrokes and audio. The C&C servers of Flame did not include a provision for a manual operation of the malware; everything happened automatically.
- MD5 is dead. One of the most interesting features of Flame was the way it infected other computers in the local network. The attack involved the almost magical re-engineering of a certificate that could be used to sign Windows updates. The certificate relied on an MD5 signature, which the attackers managed to fake, indicating they had the ability to break arbitrary MD5 hashes.
- Subversion of trust in Windows updates. One of the most interesting modules in Flame performed what eventually described as a “God mode” exploit – subversion of Windows updates by hijacking Windows update requests. For years, we told people to update Windows, as well as any other third party, as often as possible. Flame took advantage of the trust people have put into updates, effectively subverting it.
- The tip of the iceberg. After we discovered Flame, our generic detection started to trigger on other samples as well. By code similarity, we found two other malicious programs from the same group: Gauss and MiniFlame. This made us realize that there are many other undiscovered malware and it will probably take years to find them all.
- Everything’s connected. When we discovered Flame, most people asked – “is it related to Stuxnet?”. We’ve said, “no, there are no signs”. We were wrong. Weeks later, we found a Flame module that was also used by the 2009 version of Stuxnet for replication. Essentially, the 2009 Stuxnet was built to replicate using an exploit from Flame. This indicates the two were indeed connected. At the same time, Stuxnet was connected to Duqu and, as we found more recently, the Equation group, through their exploits originally used by the Fanny worm. Sometimes it takes longer to see all the connections, even if they are not obvious in the beginning.
- “Flame is lame”. When Kaspersky and CrySyS Lab published our analyses of Flame, some people discarded it as uninteresting. “A 20 megabytes malware can be l33t? Impossible!”. (The complaints died when the Microsoft Windows Updates attack and MD5 collision was found and patched). Mikko Hypponen from F-Secure has a wonderful blog on this topic: https://www.f-secure.com/weblog/archives/00002383.html
Finally, we’d like to end with a recording of a fantastic speech by privacy rights activist Chris Soghoian, titled “Lessons from the Bin Laden Raid and Cyberwar: Immunizations and Security Updates”.
https://archive.org/details/ChrisSoghoian-LessonsFromTheBinLadenRaidAndCyberwarImmunizations
His take on Flame begins at 5:00, however, we recommend you watch the entire clip. As Chris puts it in the clip: “no matter the short term intelligence advantage to hacking software updates, it isn’t worth it”. We concur and add, subverting security will always backfire.
Lessons learned from Flame, three years later