Flame

Flame, also known as Flamer, sKyWIper,[b] and Skywiper,[2] is modular computer malware discovered in 2012[3][4] that attacks computers running the Microsoft Windows operating system.[5] The program is being used for targeted cyber espionage in Middle Eastern countries.[1][5][6]

Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT),[5] Kaspersky Lab[6] and CrySyS Lab of the Budapest University of Technology and Economics.[1] The last of these stated in its report that "it is certainly the most sophisticated malware we have encountered during our practice; probably, it is the most complex malware ever found."[1]

Flame can spread to other systems over a local area network (LAN) or via USB. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth devices.[7] This data, along with locally stored documents, is sent to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]

According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines,[7] with victims including governmental organizations, educational institutions and private individuals.[6] At that time 65% of infections had occurred in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt,[3][6] with a "huge majority of targets" within Iran.[8] Flame has also been reported in Europe and North America.[9] Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial Flame infections stopped operating after its public exposure, and the "kill" command was sent.[10]

History

Flame was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics, when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting computers of the Iranian Oil Ministry.[7] As Kaspersky Lab investigated, it discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, the researchers dubbed the program "Flame" after the name of one of its modules.[7]

According to Kaspersky, Flame had been operating in the wild since at least February 2010.[6] CrySyS Lab reported that the file name of the main component was observed as early as December 2007.[1] However, its creation date could not be determined directly, because the creation dates of the malware's modules are falsely set to dates as early as 1994.[7]

Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.[11] At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator.[12] However, Kaspersky Lab believes that Flame may be "a separate infection entirely" from the Wiper malware.[7] Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years.[7]

On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to "select organizations" for several weeks.[7] After Flame's exposure in news media, Symantec reported on 8 June that some Flame command and control (C&C) computers had sent a "suicide" command to infected PCs to remove all traces of Flame.[10]

According to estimates by Kaspersky in May 2012, initially Flame had infected approximately 1,000 machines,[7] with victims including governmental organizations, educational institutions and private individuals.[6] At that time the countries most affected were Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.[3][6]

Operation

List of code names for various families of modules in Flame's source code and their possible purpose[1]

Name       Description
Flame      Modules that perform attack functions
Boost      Information gathering modules
Flask      A type of attack module
Jimmy      A type of attack module
Munch      Installation and propagation modules
Snack      Local propagation modules
Spotter    Scanning modules
Transport  Replication modules
Euphoria   File leaking modules
Headache   Attack parameters or properties

Flame is an uncharacteristically large program for malware at 20 megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.[6][13] The malware uses five different encryption methods and an SQLite database to store structured information.[1] The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process, and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.[1] The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems.[c][1] The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software.[1] Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.[13]
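The injection indicator described above (executable code that is absent from the process's loaded-module list and lives in read-write-execute pages) is the kind of check a memory scanner can run. The following Python is an added example, not code from the article or from any vendor named in it; the region and module records are constructed, and it assumes a collector (for instance VirtualQueryEx plus EnumProcessModules on Windows) has already produced them.

```python
"""Heuristic: flag executable memory regions that are not backed by a loaded
module, or that are mapped RWX. All sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Region:
    base: int               # start address of the committed region
    size: int               # size in bytes
    protect: str            # "R-X", "RW-", "RWX" (constructed notation)
    backing: Optional[str]  # image path if image-mapped, else None


Module = Tuple[str, int, int]  # (path, base address, size)


def module_for(addr: int, modules: List[Module]) -> Optional[str]:
    """Return the path of the loaded module whose range contains addr."""
    for path, base, size in modules:
        if base <= addr < base + size:
            return path
    return None


def find_suspicious_regions(regions: List[Region], modules: List[Module]):
    """Return (base, reason) pairs for regions matching either indicator."""
    findings = []
    for r in regions:
        if "X" not in r.protect:
            continue  # non-executable memory is out of scope here
        if r.protect == "RWX":
            findings.append((r.base, "RWX executable page"))
        if r.backing is None and module_for(r.base, modules) is None:
            findings.append((r.base, "executable memory not backed by a loaded module"))
    return findings


# Constructed sample: what an assumed collector might report for one process.
SAMPLE_MODULES: List[Module] = [
    ("C:\\Windows\\System32\\ntdll.dll", 0x7FF800000000, 0x1F0000),
    ("C:\\Program Files\\App\\app.exe", 0x400000, 0x80000),
]
SAMPLE_REGIONS = [
    Region(0x400000, 0x80000, "R-X", "C:\\Program Files\\App\\app.exe"),
    Region(0x7FF800000000, 0x1F0000, "R-X", "C:\\Windows\\System32\\ntdll.dll"),
    Region(0x1A0000, 0x10000, "RW-", None),  # ordinary heap, ignored
    Region(0x2B0000, 0x40000, "RWX", None),  # unlisted RWX region: flagged twice
]

if __name__ == "__main__":
    for base, reason in find_suspicious_regions(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(f"0x{base:X}: {reason}")
```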

Flame is not designed to deactivate automatically, but supports a "kill" function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers.[7]

Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority.[14] The malware authors identified a Microsoft Terminal Server Licensing Service certificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft.[14] A successful collision attack against a certificate was previously demonstrated in 2008,[15] but Flame implemented a new variation of the chosen-prefix collision attack.[16]


Deployment

Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth enabled devices.[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]

Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage.[17] It does not appear to target a particular industry, but rather is "a complete attack toolkit designed for general cyber-espionage purposes".[18]

Using a technique known as sinkholing, Kaspersky demonstrated that "a huge majority of targets" were within Iran, with the attackers particularly seeking AutoCAD drawings, PDFs, and text files.[8] Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes.[8]

A network of 80 servers across Asia, Europe and North America has been used to access the infected machines remotely.[19]

Origin

On June 19, 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel’s military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts.[20]

According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it."[3] Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers.[21] After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability.[22]

Iran's CERT described the malware's encryption as having "a special pattern which you only see coming from Israel".[23] The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the West Bank—Israel became "many commentators' prime suspect". Other commentators named China and the U.S. as possible perpetrators.[21] Richard Silverstein, a commentator critical of Israeli policies, stated that he had confirmed with a "senior Israeli source" that the malware was created by Israeli computer experts.[21][24] The Jerusalem Post wrote that Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible,[21] but an Israeli spokesperson later denied that this had been implied.[25] Unnamed Israeli security officials suggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other Western nations.[26] The U.S. has officially denied responsibility.[27]