Flame

Flame seems to be another military-grade cyber-weapon, this one optimized for espionage. The worm is at least two years old, and is mainly confined to computers in the Middle East. (It does not replicate and spread automatically, which is certainly so that its controllers can target it better and evade detection longer.) And its espionage capabilities are pretty impressive. We’ll know more in the coming days and weeks as different groups start analyzing it and publishing their results.

EDITED TO ADD (6/11): Flame’s use of spoofed Microsoft security certificates. Flame’s use of a yet unknown MD5 chosen-prefix collision attack.

Microsoft has a detailed blog post on the attack. The attackers managed to to get a valid codesigning certificate using a signer which only accepts restricted client certificates.

EDITED TO ADD (6/12): MITM attack in the worm. There’s a connection to Stuxnet. A self-destruct command was apparently sent.

Tags: , , , , ,

Posted on June 4, 2012 at 6:21 AM32 Comments

Comments

M.V. June 4, 2012 6:37 AM

I have just read this:

http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

It seems thet Flame is signed with Microsoft issued Certificates.

Also according tp F-Secure Flame (and Stuxnet) fell through their nets because it didn’t try to hide. So it just looked like a regular businisses.

http://arstechnica.com/security/2012/06/why-antivirus-companies-like-mine-failed-to-catch-flame-and-stuxnet/

jacob June 4, 2012 9:00 AM

@bruce. Do you think this is a similiar breakout to what happened to cryptography?

I am beginning to think it is. Nation states, criminals, businesses, etc. are going to have to look at espionage and sabotage differently. Amazing that things have gone from throwing wooden shoes into the works to cyberware. But the principles are the same.

AJ June 4, 2012 9:40 AM

In the most recent admission that stuxnet was developed by the US it was mentioned that the first task they had to undertake was to survey the network layout of the Natanz site, but nothing more was said about how that task was undertaken. I’m wondering whether Flame was the tool developed for that purpose? The descriptions seem to match fairly well, can anyone with more knowledge confirm this idea?

CaptainObvious June 4, 2012 9:43 AM

@BF Skinner

The US has already made everyone aware that cyber attacks against us can be responded to with conventional weapons, so we attack you, that’s okay. You attack us, we glass you.

The only difficult part is identifying who to glass, but we can just invade everyone while we figure that little detail out.

NobodySpecial June 4, 2012 10:22 AM

@CaptainObvious – we’re under attack by a computer virus we must retaliate.

Where do computers come from?

China General.

Mmmm, a bit big – anywhere else?

Taiwan or Korea General.

Ok so we attack korea.

Yes, General, remember what we explained last week? N Korea = Naughty Korea. S. Korea = Safe Korea.

wiredog June 4, 2012 10:48 AM

The US has been using various cyber warfare attacks since the 1980’s, some of which had results that were detectable from orbit.

BF Skinner June 4, 2012 1:11 PM

“You attack us, we glass you”

Reminds me of the DoD’s nuclear strategy in the 70s. ‘Mr Bear. We will attack you in the Warsaw pact. you may nuke Europe. That’s okay. Launch on us and we’ll play global thermonuclear war.’

Soviet response was to target every major US population center. “Launch a first strike on us in europe and learn to exist with bearskins and stone knives.”

I would have hoped we were past that.

Brandioch Conner June 4, 2012 1:50 PM

So the “enemy” IT managers believe that 3rd party “anti-virus” companies will actually work to protect them from threats such as this?

Seems to me that we’ve already won this “war”.

Adam C. June 4, 2012 3:42 PM

Interesting developments!

It’s well-worth noting the role Microsoft has played in playing here – assisting with delivery of malicious payload in order to aid in the compromise of target systems. This seems to be breaking breaking new ground! No longer is War the sole domain of the likes of General Dynamic, Raytheon, GE, Halliburton, and the Boeing Company. Now the unstable folks in Redmond seem to be in on saving the Western World.

While it’s good to hear MSFT, “immediately began investigating Microsoft’s signing infrastructure to understand how this might be possible.” I am happy to hear they are arresting Flame’s forward momentum by adding to Untrusted Certificate Store.

The arrogant ones have always been comfortable with delivery of products with known vulnerabilities and have effectively escaped Product Liability litigation for providing known defective products.

Placing the apparent assistance in Cyber-War into context.

2003) Threat of Product Liability effectively managed.

2004) – MSFT an identified party National Criminal Intelligence Sharing Plan FBI Fusion Centers.

2009) MSFT created their own Microsoft Active Response for Security MARS. In their own words this is a fusion of ‘Microsoft Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support, and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone. Microsoft believes the Waledac takedown will be the first of many successful endeavors for Project MARS and is already working to apply the lessons learned from this operation to future initiatives.’

2010) MSFT Worldwide Public Safety Symposium.

2011) MSFT Microsoft Cybercrime where THEY coordiante FBI / DOJ / Interpol – providing the role of Fusion Center for law-enforcement; AV suppliers; Internet Svc. Providers – while admitedly working outside formal legal frameworks. *

2012) MSFT ZEUS Takedown wherein “Microsoft’s unprecedented aggressive legal strategy in botnet takedowns came under fire from researchers in the Netherlands, charging that the software giant’s most recent botnet dismantlement operation has ultimately damaged international law enforcement and private research investigations.”

…[MSFT caused] “collateral damage” can affect more than the suspension of legit domains, for example, but also other investigations into a botnet. “Absent sufficient information sharing, cooperation, coordination and trust among investigating parties, there is too much room for error or interference, and one party’s success can hamper the erstwhile and equally important efforts of others,” Piscitello wrote today in a blog post.

… the way Microsoft set up its servers allows it to process packet data and gather HTTP requests with full headers and “actually also POST data which will contain sensitive information about the victims, including usernames, email addresses , passwords and personally identifiable information,” he said.

Fox-IT also contends that the affidavit contains some of the nicknames, email addresses, and instant messaging handles about the John Does allegedly involved in this cybercrime group that is identical to information it had provided under nondisclosure to a specific mailing list.

“The information therein was 100% identical to information we had supplied to a certain mailing list. This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data.

…. and so on.

E Fraker June 4, 2012 4:23 PM

@Adam C. – can you explain the significance of your last two paragraphs? I think it went over my head… especially the bold part.

Adam C. June 4, 2012 4:49 PM

I posted before I was done editing down the citation so it’s a little more disjointed than I’d like….

The past paragraphs are quotes from the preceding URL Controversy Erupts Over Microsoft’s Recent Takedown Of A Zeus Botnet (pg. 2 of 2). The idea I’d like to see explored is how software may be mirroring traditional military suppliers. Where private/public partnerships are formed to develop offensive capabilities.

This article provided a couple examples of collateral damage resulting from Microsoft’s action and co-opting data against the intended use reinforces the impression that MSFT makes up rules as they go – working with the appropriate TLA for cover. To the detriment of those cited.

Not trying to get too deep in the weeds, but MSFT as an active participant in State_on_State cyberwarfare is intriguing.

Doug Coulter June 4, 2012 6:22 PM

What do you want to bet their “update” just installed a different back door for whoever wrote Flame to use on the next go? /tinfoil hat

war machine June 4, 2012 9:21 PM

your comment blocking function is making it increasingly difficult to post legit posts with one or more urls.

what is the secret to not hitting the comment blocked page like a brick wall over and over?

Double Down June 4, 2012 9:32 PM

@ Adam C.

Nothing new there. MS has been in bed with the TLA’s for a long time now. Remember _NSA_KEY? Or how about the utterly flawed random number generator in Windows 2000? The academics who reverse engineered it came to the conclusion that MS either had some horrible cryptographers *or* they intentionally weakened it (they actually said this in their paper). Some of the mistakes were so horrendous that first year CS students could come up with a better design just by reading Wikipedia. And this wasn’t just a theoretical weakness, but it allowed the researchers to recover any key created with the RNG (both past and future keys). It was just as bad, if not worse, than the Debian SSL bug (which was introduced when some code maintainer “cleaned up” code he knew nothing about. That was a mistake after the fact. In MS’s case, it was just bad design from the get-go.)

And then you have Dual_EC_DRBG which most likely has “up my sleeve numbers” that allow NSA to recover any key created with it. While not a MS creation, it is included in Windows as an option.

So, the bottom line is do not trust MS if you are an “enemy” to the USA. I am surprised at just how many enemy nation-states still rely so heavily on Windows. In fact, anyone (anywhere) who uses Windows for any security critical application is an idiot.

This is not to say Linux or BSD would be immune from compromise, but at least one could audit the code without having to decompile or disassemble it. I also admit that there probably are many sneaky ways a well-funded TLA could sabotage the open-source development process, but any intentionally introduced vulnerability would eventually be discovered (sooner or later). With MS, you would have to wait on someone to reverse engineer it (which means likely never).

Clive Robinson June 5, 2012 7:02 AM

@ Double Down,

Opps sorry some Smart Mobile devices don’t like to be both “smart” and “mobile”…

Just to finish,

So where does the NSA, GCHQ, et al go next to ensure that they continue to read the communications of “others” whilst protecting their “own”?

Well crypto algorithms come and go, lets be honest DES has been outlived by the DOD IP and later protocols. Who remembers FEAL for anything other than the fact it’s weaknesses gave rise to the cryptoanalytic techniques that put the final nails in DES.

The future is in making new protocols and standards with weaknesses in, whilst also encoraging all current systems to be compatible with old broken systems as transparently as possible.

For instance “auto-fallback” many secure applications have to “interwork” with many other applications some of them old some of them new and thus many different algorithms are available. To get them to work they “auto-negotiate” untill they find a common algorithm and mode.

Now it surprisess some people that some early Secure terminal access applications that use SSH had at the bottom of their list “tty” or “telnet” or “ascii” all of which are “plain text”… Thus if you got between the opening request and the far end reply you could cause an Auto-negotiation to plaintext, and the way most applications are designed the user won’t be explicitly told (there might be a “tty” etc appearing in a small toolbar somewhere but no big flashing signs).

So as we know the NSA is turning into the “face-hugger” “Vampire Squid” of the US Internet backbone, it would be fairly safe (technicaly) to assume it would be relativly trivial for them to “get in the middle” when ever they wished and “auto-fallback” the comms to a weak algorithm or mode to aid evesdropping.

But unless they get into standards to weaken them then the “auto fallback-MiTM” will only be good for a few years. The secret is to pick on standards that are going to be used in “embeded systems” with a very long service life.

We know that Signaling System Seven (SS7) used to set up and tear down calls on the Integrated Switched Digital Network (ISDN) used by most phone systems internationaly thanks to the ITC, was based on the UK “System X” which had a few nasties in it that alowed remote evesdropping for “test and emergancy situations” and are thus still there (yes your GSM mobile phone is supposed to support those features to meet the standard…).

Now what long lived standards are due to appear due to political and other imperatives in the near future?

Smart meters and “smart Implants, these will be expected to have minimum service lives of between 30-50years, so the auto-negotiation “auto-fallback” issue could be good for two to three times that so over a hundred years…

The thing is that application marketers want to appeal to as many customers as possible so will bolt in any and all standards for product placment/specmanship, so will include it by default and thus make it available. Thus it will be another “Human Nature” attack (if you can call marketing people human 😉

jacob June 5, 2012 7:36 AM

I think all the comments answered my question. FLAME is similiar to the “breakout” of crypto into the open. Pun intended. Who can you trust? Answer from Reagan. trust but verify. Pretty hard to do in modern age…Back in the day all you had to worry about was the villiage gossip..Nowadays, everybody wants to know your business usually FOR business. Drones, Facebook, Google, etc. (frown)

Nick P June 5, 2012 8:17 PM

Update on Flame

It intercepts Windows update via NetBIOS-related MITM attack. It then feeds the target machine a malicious package signed by a geniune-looking Microsoft certificate. Looks like Microsoft didn’t do their PKI right.

hello June 7, 2012 6:34 AM

related links –

http://stratsec.blogspot.com/
http://blog.cuckoobox.org/
http://www.net-security.org/malware_news.php?id=2138
http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx
http://news.slashdot.org/story/12/06/04/1211206/microsoft-certificate-was-used-to-sign-flame-malware
http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism
http://it.slashdot.org/story/12/06/05/1638228/flame-malware-hijacks-windows-update

Wilson June 7, 2012 11:38 AM

@AJ

I think the intelligence about Natanz was acquired in more conventional ways. The US had access to many of the parts used in the reactor design so they were able to replicate it for experimentation. They also probably had at least one person on the inside (who left the infected USB key in the first place?). One analysis of Stuxnet has shown how photographs of the Natanz interior released by the Iranian government actually aided the virus authors in understanding aspects of the control system: http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video/

Clive Robinson June 8, 2012 2:30 AM

@ Martin,

Well this is very interesting

If the ARS article is correct, and it is a new mathmatical attack on hash algorithms or even just MD5 like constructs, then that probably rates as the understatment of the year…

I wonder just how interested the NIST hash contest entrees are going to be on this…

I suspect that it has just made their lives more difficult (with the journo’s at least) and they will feel as though they are “living throgh interesting times”…

Clive Robinson June 8, 2012 3:51 PM

@ Jacob,

This is not a technical article but could lead to some interesting discussions…

It could and I’ll give you one thought immediatly, which is sufficiently InfoSec related for this blog,

The argument presented in the article is logicaly flawed due to a basic but incorrect proposition, that what is in fact a crime is an act of war.

I’ll come about this the long way as it makes more sense to do so,

First off is the thorny question of “weapons” and their use. Weapons are plain and simple a “tool” the use of which does not imply any “societal state” such as peace, civil war or war.

As an example take a personal use gun (hand gun, rifle, shotgun), it can be used for, vermin control, game control, hunting for food, hunting for sport, target/clay shooting, defence against crime, crime and warfare.

That is only one of it’s potential uses is in prosecuting an existing war.

Even non personal use weapons such as cannon and mortars do have non war uses (emergancy rescue at sea etc to get rescue lines to people, clearing snow build up to prevent avalanche, and I’m told similar issues in limited geological and engineering activities and more interestingly experimental reasearch on getting objects into space).

So many weapons are tools and as such are agnostic to the societal state. Thus the use of a weapon does not mean your state is “at war” any more than throwing a hammer does. Therefor it’s actual use therefor must have some other legal recognition to be an “act of war”.

Further “cyber-weapons” are compleatly unlike most conventional weapons that people understand. That is they are not “directed energy” weapons, which is a very important difference.

Why is the difference important? because you need to consider how you defend against the use of a weapon.

Conventional weapons require the defender to take some positive action as a defence, cyber-weapons however can easily be defended against by the negative action of not having any computers, or not allowing them to be used in a way that might cause the defender harm (thus the “blue screen of Death” in MS Office is not an act of war no matter how you might feel 😉

So the notion of “cyber-weapon” is itself called into question, infact a little further reasoning shows that what we should actually be talking about is “Sabotage” (derived from the French word for a wooden shoe or clog the sabot,) it litteraly means “to put the boot in”…

That is without a machine to “put the boot in” to, no harm could be caused (outside of a “Bl**dy good kicking”) by a person wielding their clogs.

Thus “sabotage” is normaly considered an action against another persons property which needs a further requirment to become a “criminal act” and there are perfectly good laws to deal with crime in most countries (using them against international crime however is an issue for another conversation).

Now as I’ve indicated what they are calling “cyber-weapons” are actually “tools” for cyber-crime and it’s more restricted areas cyber-sabotage and cyber-espionage. Thus the use of the word “weapon” induces an emotional response that “tool” does not and this sets up a whole faux reasoning.

Importantly neither sabotage or espionage in the societal state of “peace” can be construed as “acts of war” they can only become that after the societal state has changed to “war” and the act or intent can be shown to be more than acts of civil unrest.

However and it is very important to remember this, once the social state has legaly changed from peace to war crimes such as sabotage and espionage change their state under what the article titles “Treacherous Deceit” (ie aiding and abeting the enemy).

Thus the use of terms like “weapon” not “tool” or “crime” falsely colour peoples reasoning to assume “in war” not “at peace” as the initial state of the use of such “tools” for the crimes of sabotage and espionage, and thus argue incorrectly that they are defacto “acts of war” which they are not.

[I could but won’t go on to argue that as the “cyber-world” is not a legal entity such as a “State”, and has no teritory or clear jurisdictional or geographical boundries a “war” cannot by definition be fought there so you can not have “cyber-war” thus “cyber-warfare”.]

As a closing point when a state of war exists those commiting sabotage or espionage are commiting “Treacherous Deceit” and are as such irespective of nationality “enemy agents” for which the lawful punishment of execution (by the “humane acts” of “hanging” or “firing squad”) is allowed. The reason for the execution to be “humane” is to avoid it being used as a method of torture [5].

[1] – The reason Bush and Co had to call the criminal acts of 9/11 “war” [2][3], was to try and paint the US as being a defender (thus “just”) not an aggressor (thus “war criminal”).

[2] – Bush and Co were wrong because legaly 9/11 was not nor could not be considered “an act of war”.

[3] – War can not be legaly declared on non specific people, but only on “States” with military or other “state sponsored” forces [4] who are committing acts of aggression that are considered “acts of war” or of “endangering National Security”, 9/11 did not meet either criteria.

[4] – Whilst you might wish to describe an individual as an “enemy” there are certain formalities before they become either military or state sponsord forces. So there is no “enemy combatant” for good reason, they are civilians and are alowed to defend themselve, their homes, properties and possessions from invading forces who are commiting any act against civilians that are “war crimes”. Even those who come from other countries to help repel the “invaders” are unless sponsored by a state civilians.

[5] – Torture is technicaly a “war crime” irrespective of the social state of peace or war and is illegal providing one or both nations are signatories to various international treaties, hence the Bush and Co term “enhanced interrogation” and the need for “rendition”.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.