Flame, a piece of computer malware discovered in 2012, is a kind of data-mining virus. It runs on the Microsoft Windows operating system and targets Middle Eastern countries for the purpose of cyber espionage.
The attack was uncovered on May 28, 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team, Kaspersky Lab and the CrySyS Lab of the Budapest University of Technology and Economics.
Flame can spread itself to other systems via a USB flash drive. It is capable of recording audio streams, screenshots, Skype conversations and keyboard activity, and even of monitoring network traffic. It can also turn the infected computer into a Bluetooth beacon that attempts to download contact information from neighboring Bluetooth-enabled devices.
According to Kaspersky's estimates from May 2012, the Flame malware had infected approximately 1,000 machines. While most of the victim machines belonged to government organizations, private and individual systems were also significantly affected.
Flame was first noticed by Iranian computer experts. The major areas of infection were Israel, Iran, Sudan, Saudi Arabia and Egypt, with Iran being the focus of the attack.
Structure of Flame:
Flame was written partly in the Lua scripting language, combined with compiled C++ code, and linked into a program that is exceptionally large for malware: about 20 megabytes. It allows further attack modules to be loaded after the initial infection has taken place. The malware uses five different encryption methods and an SQLite database to store structured information. It uses a hidden method of injecting code into various processes so that the attack modules do not appear in the list of loaded modules, and the malware's memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible to user-mode applications. The malware collects details about which anti-virus software is installed so that it can customize its own behavior and avoid easy detection; other signs of its presence are its mutex and registry activity, such as the installation of a fake audio driver used to maintain persistence on the compromised system.
Flame has a "kill" function that eliminates all traces of its files and operation from a system whenever it receives a particular module from its controller.
Flame was signed with a fraudulent certificate purportedly issued by the Microsoft Enforced Licensing Intermediate PCA certificate authority. The malware authors identified a Microsoft Terminal Server Licensing Service certificate that had inadvertently been enabled for code signing and that still used the weak MD5 hashing algorithm. They produced a counterfeit copy of that certificate and used it to sign some components of the malware so that they appeared to originate from Microsoft.
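The MD5 weakness described above is something a defender can check for in their own certificate chains. The following is an added example, not code from this page or from any of the researchers it cites: a pure-stdlib Python DER walker that extracts a certificate's signatureAlgorithm OID and flags MD5-based signatures. The two sample certificates are constructed minimal DER shells carrying real algorithm OIDs, not actual certificates.

```python
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                      "1.3.14.3.2.3": "md5WithRSA"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content bytes -> dotted string, e.g. 1.2.840.113549.1.1.4."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)                   # base-128, high bit = more
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 layout: tbs, alg, sig)."""
    tag, cert, _ = read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                       # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)                  # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)                   # its first element: the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def uses_md5(cert_der):
    """True when the signature is MD5-based, the weakness Flame's forged cert relied on."""
    return signature_algorithm(cert_der) in MD5_SIGNATURE_OIDS

# Constructed sample input: minimal DER shells with real algorithm OIDs, not usable certificates.
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
def der(tag, content):                                  # short-form lengths only
    return bytes([tag, len(content)]) + content
def fake_cert(oid_bytes):
    tbs = der(0x30, der(0x02, b"\x01"))                         # placeholder tbsCertificate
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))      # OID + NULL parameters
    return der(0x30, tbs + alg + der(0x03, b"\x00\xde\xad"))    # + dummy BIT STRING signature

WEAK_CERT = fake_cert(MD5_RSA_OID)       # should be flagged
STRONG_CERT = fake_cert(SHA256_RSA_OID)  # should pass
```

On a real DER certificate (for example one exported from a Windows signing chain), `uses_md5(open(path, "rb").read())` gives the same verdict, since the walker only relies on the outer RFC 5280 structure.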
Flame is designed purely for espionage rather than for targeting any particular industry. This malware uses a technique known as sinkholing. The report presented by Kaspersky showed that the vast majority of the attacks targeted Iran, where the attackers were mostly looking for PDFs, text files and AutoCAD drawings. Computer experts have also noted that the malware seeks out secret technical diagrams for intelligence purposes.
Flame used around 80 servers across Asia, Europe and North America to provide remote access to the victims' machines.
Evidence about Flame Attacks:
Flame came to light when Iran detected a spate of cyber-attacks on its oil industry. Several American and Western officials, speaking on condition of anonymity, attributed the attacks to Israel in a unilateral operation that caught its American partners off guard. There was speculation that Washington was also involved in the development of Flame, but collaboration between the U.S. and Israel in its development has not been confirmed.
According to researchers, Flame is designed to replicate even across highly secure networks and to report essentially all of the secret information and activity it finds back to its creators. The malware masquerades as a routine Microsoft software update; it uses a sophisticated program to crack an encryption algorithm in a way that helps it evade detection in many cases.
“This is not something that most security researchers have the skills or resources to do,” said Tom Parker, chief technology officer for Fusion X, a firm that specializes in simulating state-sponsored cyber-attacks. He said he does not know who was behind the virus. “You’d expect that only the most advanced crypto mathematicians, such as those working at NSA.
History of Flame:
Flame was developed about five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber-operations and experts who have scrutinized its code. The motive behind the U.S.-Israel collaboration was to disrupt Iran's nuclear program and thereby reduce the pressure for military action.
The best-known cyber-weapon attack on Iran was Stuxnet, discovered two years ago, which infected a specific type of industrial controller at Iran's uranium-enrichment plant in Natanz and caused almost 1,000 centrifuges to spin out of control. Lacking the knowledge and awareness to recognize the attack, Iranian officials initially thought it was the result of incompetence.
The scale of the espionage and sabotage effort “is directly proportional to the problem being resolved,” said a former intelligence official, referring to the Iranian nuclear program.
Many key players have been accused of indirect involvement in developing these tools, including two of the USA's elite spy agencies: the NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, and the CIA, which lacks the NSA's sophistication in building malware but is deeply involved in cyber-campaigns.