Showing posts with label malware.

Monday, May 28, 2012

Meet "Flame", The Massive Spy Malware Infiltrating Iranian Computers

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.

The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.

Dubbed “Flame” by Kaspersky, the malicious code dwarfs in size Stuxnet, the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010.

Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, Duqu.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement.

“The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”

Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.

The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers.

It even contains some code that is written in the Lua programming language, an uncommon choice for malware.

Kaspersky Lab is calling it “one of the most complex threats ever discovered.”

“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.

Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies.

“It’s a very big chunk of code. Because of that, it’s quite interesting that it stayed undetected for at least two years,” Gostev said. He noted that there are clues that the malware may actually date back to as early as 2007, around the same time period when Stuxnet and Duqu are believed to have been created.

Gostev says that because of its size and complexity, complete analysis of the code may take years.

“It took us half a year to analyze Stuxnet,” he said. “This is 20 times more complicated. It will take us 10 years to fully understand everything.”

Kaspersky discovered the malware about two weeks ago after the United Nations’ International Telecommunication Union asked the Lab to look into reports in April that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been hit with malware that was stealing and deleting information from the systems.

The malware was named alternatively in news articles as “Wiper” and “Viper,” a discrepancy that may be due to a translation mix-up.

Kaspersky researchers searched through their reporting archive, which contains suspicious filenames sent automatically from customer machines so the names can be checked against whitelists of known malware, and found an MD5 hash and filename that appeared to have been deployed only on machines in Iran and other Middle East countries.

As the researchers dug further, they found other components infecting machines in the region, which they pieced together as parts of Flame.

Kaspersky, however, is currently treating Flame as if it is not connected to Viper, and believes it is a separate infection entirely. The researchers dubbed the toolkit “Flame” after the name of a module inside it.

Read more here

Friday, July 17, 2009

Investigation Into Cyberattacks is of Global concern

UK authorities have launched an investigation into the recent cyberattacks that crippled Web sites in the U.S. and South Korea, as the trail to find the perpetrators stretches around the world.

On Tuesday, the Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) said it had identified a master command-and-control server used to coordinate the denial-of-service attacks, which took down major U.S. and South Korean government Web sites.

Command and Control
A command-and-control server is used to distribute instructions to zombie PCs, which form a botnet that can be used to bombard Web sites with traffic, rendering the sites useless. The server was on an IP (Internet Protocol) address used by Global Digital Broadcast, an IP TV technology company based in Brighton, England, according to Bkis.

Bkis Gains Control
That master server distributed instructions to eight other command-and-control servers used in the attacks. Bkis, which managed to gain control of two of the eight servers, said that 166,908 hacked computers in 74 countries were used in the attacks and were programmed to seek out and download new instructions every three minutes, from designated random sites.

Master Server in Miami
But the master server isn't in the U.K.; it's in Miami, according to Tim Wray, one of the owners of Digital Global Broadcast, who spoke to IDG News Service on Tuesday evening, London time.
The server belongs to Digital Latin America (DLA), which is one of Digital Global Broadcast's partners. DLA encodes Latin American programming for distribution over IP TV-compatible devices, such as set-top boxes.

VPN Distribution
New programs are taken from satellite and encoded into the proper format, then sent over VPN (Virtual Private Network) to the U.K., where Digital Global Broadcast distributes the content, Wray said. The VPN connection made it appear the master server belonged to Digital Global Broadcast when it actually is in DLA's Miami data center.

Engineers from Digital Global Broadcast quickly discounted that the attacks originated with the North Korean government, which South Korean authorities have suggested may be responsible.

Digital Global Broadcast
Digital Global Broadcast was notified of a problem by its hosting provider, C4L, Wray said. His company has also been contacted by the U.K.'s Serious Organised Crime Agency (SOCA). A SOCA official said she could not confirm or deny an investigation.

Amaya Ariztoy, general counsel for DLA, said the company examined the server in question today and found "viruses" on it. "We are conducting an investigation internally," Ariztoy said.

Forensic Analysis
Investigators will need to seize that master server for forensic analysis. It's often a race against the hackers, since if the server is still under their control, critical data could be erased that would help an investigation.

"It's a tedious process and you want to do it as quickly as possible," said Jose Nazario, manager of security research for Arbor Networks.

Data Log Files
Data such as log files, audit trails and uploaded files will be sought by investigators, Nazario said. "The holy grail you are looking for are pieces of forensics that reveal where the attacker connected from and when," he said.
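The two observations above, bots that fetch new instructions from a command-and-control server on a fixed three-minute schedule and investigators looking in server logs for where and when each client connected, can both be worked through on a log file. The following Python is an added example written for this page; it is not code from the article, from Bkis or from Arbor Networks. It parses Apache-style combined log lines, summarises first/last connection time and paths per client address, and flags clients whose request gaps cluster around a fixed period. Every address, path and timestamp in the sample log is constructed for the example.

```python
"""Spot fixed-interval polling clients in a constructed web server log."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" style: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two bots polling /update.txt roughly every 180 s,
# one irregular operator session, and one malformed line that must be skipped.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jul/2009:10:00:00 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '203.0.113.11 - - [14/Jul/2009:10:00:30 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jul/2009:09:55:12 +0000] "POST /admin/upload HTTP/1.1" 200 88',
    '203.0.113.10 - - [14/Jul/2009:10:03:00 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '203.0.113.11 - - [14/Jul/2009:10:03:31 +0000] "GET /update.txt HTTP/1.1" 200 512',
    'this line is not a valid log entry',
    '203.0.113.10 - - [14/Jul/2009:10:06:00 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '203.0.113.11 - - [14/Jul/2009:10:06:29 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jul/2009:10:07:44 +0000] "POST /admin/upload HTTP/1.1" 200 88',
    '203.0.113.10 - - [14/Jul/2009:10:09:00 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '203.0.113.11 - - [14/Jul/2009:10:09:30 +0000] "GET /update.txt HTTP/1.1" 200 512',
    '203.0.113.10 - - [14/Jul/2009:10:12:00 +0000] "GET /update.txt HTTP/1.1" 200 512',
]


def parse_log(lines):
    """Return a list of (ip, timestamp, path, status); malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # do not abort the whole pass on one damaged line
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        records.append((m.group("ip"), ts, m.group("path"), int(m.group("status"))))
    return records


def connection_summary(records):
    """Per client: first seen, last seen, request count and paths touched.

    This is the 'where the attacker connected from and when' an investigator
    pulls from a seized server's logs.
    """
    summary = {}
    for ip, ts, path, _status in records:
        entry = summary.setdefault(ip, {"first": ts, "last": ts, "count": 0, "paths": set()})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["count"] += 1
        entry["paths"].add(path)
    return summary


def find_periodic_clients(records, min_requests=4, max_jitter=0.1):
    """Return {ip: (median_gap_seconds, request_count)} for clients whose
    timing looks machine-driven: at least min_requests hits, and every
    inter-request gap within max_jitter (a fraction) of the median gap.
    """
    by_ip = defaultdict(list)
    for ip, ts, _path, _status in records:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps, not a polling pattern
        if all(abs(g - med) <= max_jitter * med for g in gaps):
            flagged[ip] = (med, len(stamps))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, info in sorted(connection_summary(recs).items()):
        print(f"{ip}: {info['count']} requests, {info['first']} .. {info['last']}, paths={sorted(info['paths'])}")
    for ip, (gap, n) in find_periodic_clients(recs).items():
        print(f"periodic client {ip}: {n} requests, median gap {gap:.0f}s")
```

On the sample log the two bots are reported with a median gap of about 180 seconds, while the operator address, which connected only twice at irregular times, is left for the per-client summary rather than the periodicity check. The jitter tolerance is what keeps the check useful on real logs, where clients rarely hit an exact interval; tighten `max_jitter` or raise `min_requests` to trade missed beacons for fewer false positives.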

MyDoom modified
To conduct the attacks, the hackers modified a relatively old piece of malware called MyDoom, which first appeared in January 2004. MyDoom has e-mail worm characteristics and can also download other malware to a PC and be programmed to conduct denial-of-service attacks against Web sites.

Variant analysis
Analysis of the MyDoom variant used in the attacks shows it isn't that impressive. "I still think the code is pretty sloppy, which I hope means they [the hackers] leave a good evidence trail," Nazario said.

It could also be that the perpetrator is either very confident they will not be found, or is trying to hide in the pseudo-amateur world of cyber geeks and vandals: someone who is unconcerned about, or immune from, discovery and prosecution.

A virtual self-destructive personality carrying out what they believe to be a damaging but non-fatal 'suicide' mission, allegedly.

Sunday, June 21, 2009

China increases cyber attack on Netherlands

There has been a substantial increase in cyber-attacks on .NL sites across the Netherlands and Europe since the arrival of the Dalai Lama and NL's support for his cause.

Many national institutions across the Netherlands are reporting an increase in government-backed hacking attempts, Denial-of-Service (DoS) attacks and malware intrusions on their NL sites. This is meant to cause the maximum disruption of services and to damage the commerce and reputation of corporate and governmental institutions.

The overt political atmosphere and diplomatic relationship between China and the Netherlands has deteriorated rapidly over the last few weeks, culminating in the expansion of covert maneuvers designed to undermine the Netherlands' IT, telecoms and financial infrastructure.

The advice coming out of all sectors is to increase protection measures on .NL public domains, block enquiries by country, and make sure your anti-virus and anti-malware software is up to date. If you don't have anti-virus or anti-malware protection, then now is the time to source some.

Remember to be very selective with your anti-virus and anti-malware software providers. Many of the 'free' or 'shareware' applications are emerging as very good and smart, but you may also be signing up with a 'grey' provider, which is just as likely to infect your site as to protect it.

The internet and its use as a global vehicle for freedom of speech and an outlet for discourse is being attacked by those forces that would stifle openness, truth and the civil rights of its people. They cannot be allowed to expand their tyranny into this realm. Civil liberties are in peril!

The high price of that freedom has always been, and will always be, eternal vigilance. Build those firewalls high! The enemy is at the gates!

Wednesday, June 17, 2009

ATMs and Cash machines hacked

"SKULDUGGERY," says Andrew Henwood, "is a very good word to describe what this extremely advanced, cleverly written malware gets up to. We've never seen anything like it."

What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates, and their PINs: everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street.

The software is the latest move in a security arms race after banks and consumers got wise to the fitting of fake fascias onto ATMs. These fascias have been criminals' main way of using ATMs to get the details they need to clone cards. They contain a camera to spy on PINs being entered on the keypad, and a card reader to skim data from the card's magnetic stripe. It's big business: across Europe, losses due to such fraud grew by 11 per cent to €484 million in 2008, according to the European ATM Security Team (EAST), funded by the European Union and based in Edinburgh, UK (see graph).

Banks responded by investing in anti-skimming technology, which can detect a fake fascia overlay and disable the ATM. So crooks are developing new tricks, which are being uncovered by Henwood and his colleagues at SpiderLabs, a computer forensics research centre in London.