Where Are We and Where Are We Going 6: Case Flame

At the end of the keynote, Mikko Hypponen presents his in-depth research into the Flame case, specifying the mechanisms and techniques applied by the virus.

Mikko’s fun image on the subject

Mikko’s fun image on the subject

I wanted to find some image about flame or fire, or something that would nicely fit into all the talk, and the best image I could find was this. That’s solid advice, keep that in mind. If there’s a fire here, first go to the outside, then tweet, not the other way around.

Main files initially found to be associated with the infection

Main files initially found to be associated with the infection

So I was contacted 3 weeks ago by Iran, I got an email from the Iranian CERT explaining that they had this weird problem and now they’re reaching out to Western security companies. And this is not normal, we don’t normally get emails from Iran, we don’t have much of a customer base there at all. And as we now know, most of the infectious were in Iran or in Sudan, or Syria, or Libya, or other Middle-Eastern countries, and even there the amounts of infections were very small – we’re talking about a few hundred computers in the whole world, very-very targeted. That’s the actual main files we initially found (see image to the top left), we found more since then; it’s sort of like a puzzle where we’re missing some of the pieces.

Odd certificates used by Flame

Odd certificates used by Flame

But what do we know about it? Well, we know it’s highly unique, we know it’s using weird certificates, we know they connect to a series of websites – these are the control servers, and many of these have been named so that if the admin is looking at firewall logs and he sees a machine connecting to nvidiadrivers.info or something like that, they would think it’s just some updates server. It’s not. These are the servers used for traffic by Flame.

Discovered facts on the Flame virus

Discovered facts on the Flame virus

So we know it’s huge, but that by itself means nothing, right? It is big, and almost all of it is code, 10 Megabytes or so. It has a keylogger, so it collects your passwords, takes screenshots of your screen – that’s not really unusual; than it has 80 libraries for SSH, SSL and LUA, and SQLite. It has an SQLite database built in, which we have never seen before in any malware, and it uses that to collect documents. It goes through your local hard drive, through your Dropbox shares and through the local area network; and in a typical organization, from the local area network it would find tens of thousands of documents like .doc, .xls, .ppt and AutoCAD files – it also searches for AutoCAD. So it couldn’t possibly steal them all, there’s way too much in a typical network. So instead, it has this system called iFilter, which goes through the files and takes excerpts, like a couple of sentences for each, one sheet from each Excel file, and puts them into a local SQLite database and then sends it out through this nvidiadrivers.info and other services.

And then the attackers can look at the data which was collected, and pinpoint: that is interesting, take this file and that file; collect more files like this. It’s sort of a back and forth service, very interesting.

It also looks through your .jpeg files and gets the GPS coordinates form every single .jpeg file on your hard drive and in the network, so it knows where the people are moving and where they are taking photos. Then it sees if there are any phones paired or bluetoothed to the infected Windows computer. If there is a phone, it will connect to the phone over Bluetooth (it supports iPhone, Android and Nokia), and then it collects the address book from the phone over Bluetooth, puts it into the local SQLite database and sends it out.

One sample of Stuxnet from 2009 has one module which is from Flame, so we know it’s the same guys.

And it’s able to send out information even if it’s a highly secured environment and there is no Internet connectivity. It does this by infecting USB sticks that are used in the computers, and copying the SQLite database on those USB sticks. So when that USB stick is taken out from the computer and somebody brings it home or takes it to a customer and puts it into a computer which does have Internet connectivity, then it’s going to send out the information, and even better – it gets back the instructions from the operators and puts them back on the USB sticks which are then brought back to the network, so they can still pinpoint the data collection even if there’s still no Internet connectivity, even if it’s a high-security, let’s say, military network.

Now, we know it’s connected to Stuxnet, because one sample of Stuxnet from 2009 has one module which is from Flame, so we know it’s the same guys, which means we know it’s the Americans, maybe with the Israelis. And then we learned that it replicated within the local area network by spoofing Microsoft Updates. It does this by repurposing a Microsoft Terminal Server License certificate, which would be enough to get it working under XP, but not enough to get it working under Vista and Windows 7.

So they actually took the certificate, dropped some critical extensions from this certificate, which means the certificate was now invalid, it didn’t match the certificate linked back to Microsoft root, so they forged it by giving it the same MD5 hash as the original certificate, which is impossible, except it isn’t if you do the MD5 hash collision, and MD5 hash collisions are a known attack, except they didn’t use the known attack, they came up with a completely new novel way of doing it, which had never been seen before.

And if you look at the mailing list of cryptographic experts, they’re also excited: “Oh my God, somebody found this really cool way, this is going to advance our science by years, it’s excellent!” And you’re sort of wondering who in the world has expertise like this. And even if they came up with a novel way of doing this MD5 hash collision, they still would require a supercomputer to actually do it, and they would still have to do it with a time window of 1 millisecond.

Northrop Grumman press release

Northrop Grumman press release

So I’ll just summarize that by pinpointing this press release from June, 11th, that’s 2 weeks ago. This is Northrop Grumman, one of the largest defense contractors in the world; I think the second largest in the United States.

These guys: Northrop Grumman, Booz Allen Hamilton, Boeing, SAIC – they all work heavily with the U.S. government, with the U.S. military, with the U.S. intelligence. And this press release from June, 11th mentions that they’ve just been awarded a multimillion dollar contract for cyber security services with an organization called Maryland Procurement Office.

Well, I’ve never heard of this organization before. Maryland Procurement Office, they procure stuff in Maryland. I wonder who these guys are for real. Googling them gives us their address. If you take a closer look where exactly that is, you’ll see that Maryland Procurement Office shares the office with NSA.

So I’ll repeat: nuclear physics lost its innocence in 1945, computer science lost its innocence 3 years ago.

Thank you very much!

Read previous: Where Are We and Where Are We Going 5: Governmental Attacks and Backstage Stuxnet Facts

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: