In the last few weeks there has been a lot of noise about what looks like the latest State sponsored malware, Flame. You can find a lot of information about it from Kaspersky and also from the CrySyS lab who seems to have done some parallel investigation and call it differently (sKyWIper).
This malware is quite interesting for several reasons:
1) It seems to focus on stealing information rather than being directly disruptive.
2) It has been active for 5+ years and has remained undetected until now.
3) It has an option to delete itself, but in doing so leaves one file. a ~DEB93D.tmp file.
4) It is modular and can/has been used to intercept Microsoft update using fake certificates to intercept Windows updates call. (Microsoft released more information here)
There are many more interesting aspects of this malware, such as its use of LUA programming language, looking like a state sponsored cyberweapon, etc, but I find the first 4 mentioned above the most interesting right now.
First, its aim appears to be stealing information. Data collected so far indicates that it did spread more in middle eastern countries and was acting as a sophisticated discovery tool. In fact, what I read made me think of certain discovery modules you can find in commercial Data Leakage Prevention software (DLP), where you want to discover certain type of information from a very high volume of data using keywords, patterns, formulas, etc… I wonder if the companies who are analysing this malware will look at how similar (or not!) the algorithms it uses are with those DLP solutions. Also, what I learnt from those discovery tools is that you get a lot of false positives and it requires a lot of man power and time to get through it before getting any value out of it.
I therefore suspect there is a team of “data analyst” also working along side whoever is coding, supporting, providing network expertise, etc.
This brings me to the second point of interest related to this malware, its longitivtiy. Especially how long it lived undetected. 5+ years is a vey long time for a piece of software that scans your computer and sends some data back “home”. With technology such as IDS, HIPS, and port scanners you should be able to detect it.
So, understanding why it was not detected sooner would be of great value to protect against future similar malware. My guess why it was not detected is because it was a targeted malware, mainly installing itself to some computers of interest (either location or maybe based on some other intelligence). If it tried to install itself on every computers on the planet it would have been detected much earlier. It also does not appear to try to install other common backdoors, which could have give the malware away when doing a standard vulnerability scan. There is still the question about the network traffic, I am amazed this was not spotted, but then again it may be tunnelling its network data as well as using some kind of threshold limiter to hide itself.
Another odd behaviour is the Delete or kill module, which appears to be removing every signs of of the malware presence apart from one file, ~DEB93D.tmp, why would it do that? why would a piece of malware who appears to be so sophisticated implements a delete function that leaves a file behind? making it easier to find out if a computer had been infected in the past. Could it be a bug? the result of some other complex deletion processes that require a file to be left at the end (I don’t know of any)… in any case, it looks to me as an odd type of signature worth investigating.
The final point of interest I mentioned was about a recently found new functionality in the malware modules. The fact it was able to leverage a man in the middle attack against windows update indicates it could have been used for more than just discovery of information and instead to keep a targeted computer either vulnerable to some unpatched security vulnerabilities or being uploaded with further backdoor/payload.
It also shows we haven’t heard the end of what this malware was capable of.
After many years of speculation that cyberwarfare could be more than just a subject for books and movies, those recent events make it very real and indicates it has in fact started for quite some time now. It begs a question though, in every wars there is collateral damage, in this war the population is everyone and every thing connected to the Internet: your computer, mine, hospitals, TV, cars, etc.
How long before we see one of those sophisticated malware missing its targets/countries/enemies and creating havoc!? Would it also be labelled as “friendly fire”?