Counterpoint to F-Secure: Flame is Still Lame

Monday, June 18, 2012

J. Oquendo


Mikko and the team over at F-Secure posted an interesting document that raised my eyebrow for a moment until reality sunk right back in.

Personally, I respect Mikko and I try to read the F-Secure blog at least once a week. There is something I would like to point out if I haven't done so already: "Seeing isn't always believing."

With that said I am going to take the time to counter F-Secure's statements surrounding Flame:




1. Flame has a keylogger and a screengrabber

  • "The naysayers are unimpressed. 'We've seen that before. Flame is lame.'"

This is bulky! Hellishly so. Many malware strains such as Qakbot can capture enough information via keystroke logging to render a screenshot obsolete. How about we go a step further?

Other worms are rewriting browser sessions. This (for anyone who is unaware) means whoever is behind a C&C can rewrite what is sent back to an infected machine, making the user see whatever the operator wants. This would be more beneficial for any intelligence gathering, as data can be modified to make an end user prod deeper into a resource.

This was rampant with the financial strains of malware, where browser information was changed to make the end user believe they had N amount of dollars in their account while the attackers drained their accounts dry. The same could be applied from an intelligence gathering perspective.

An attacker could modify data an end user is requesting to make the end user dig deeper into whatever they were looking for. That makes more practical sense from an intelligence perspective. Surely if I could think about this, an intel agency can do the same.

2. Flame has built-in SSH, SSL and LUA libraries

  • "Bloated. Slow. Flame is still lame."

This is bloated. It introduces more files on the system. Most high-end machines have checksumming applications such as Tripwire on them. Modifications made to applications and files generate alerts notifying an administrator that an anomalous event has occurred.

If the purpose is to be covert about the situation, the fewer files placed on the system the better. Microsoft's and most other operating systems have enough resources already installed. There is no need to reinstall anything in order to achieve the same goal.

3. Flame searches for all Office documents, PDF files, Autodesk files and text files on the local drives and on network drives. As there would easily be too much information to steal, it uses IFilters to extract text excerpts from the documents. These are stored in a local SQLite database and sent to the malware operators. This way they can instruct the malware to hone in on the really interesting material.

  • "Flame is lame"

Most malware has these same capabilities. It searches documents of all types on a system for bank account and credit card information. I will offer the blackmail theory at the end of this document.

4. Flame can turn on the microphone of the infected computer to record discussions spoken near the machine. These discussions are saved as audio files and sent back to the malware operators.

  • "Flame is lame, lol"

Most RATs do this as is. There is nothing spectacular about this. Many attack testing tools also perform the same function. Immunity Security's Canvas can do this.

5. Flame searches the infected computer and the network for image files taken with digital cameras. It extracts the GPS location from these images and sends it back to the malware operators.

  • "Still, Flame is lame"

Nothing spectacular here. Data is data. My blackmail theory will offer an explanation.

6. Flame checks if there are any mobile phones paired via Bluetooth to the infected computer. If so, it connects to the phone (iPhone, Android, Nokia etc), collects the Address Book from the phone and sends it to the malware operators.

  • "Flame is still lame, kind of."

This is sort of peculiar; however, it is no smoking gun. Last year we saw Nickispy, which performed even more hardcore functions. It would record a conversation on the phone and send it out. It did not need USB pairing. The fact that a machine is looking for phones in close proximity, albeit cool, is lacking. For example, had I worked on a program for a government, I would have targeted getting Call Detail Records (who was called, who called) as well as stored data on the phone.

A contact list doesn't do much considering today's explosion of bar code readers and phones. Everyone is scanning a lot of barcodes, which means phone books can be filled with junk. Information on who called and who was called would seem more valuable for a government operation, with the rest of the information being worthless bandwidth.

7. The stolen info is sent out by infecting USB sticks that are used in an infected machine and copying an encrypted SQLite database to the sticks, to be sent when they are used outside of the closed environment. This way data can be exfiltrated even from a high-security environment with no network connectivity.

  • "Agent.BTZ did something like this already in 2008. Flame is lame."

F-Secure answered this on their own. Nothing to see here, move along...

8. When Flame was now finally caught, the attackers have been busy destroying all evidence and actively removing the infections from the affected machines.

  • "Doesn't prove anything. Lame."

The reality is, it doesn't prove anything. Many criminal organizations erase their tracks, which makes perfect sense. To create something like Flame (bloated, intricate) would be masterful for any criminal organization. To have it leaked while it was in its infancy stage would be work lost. Why not erase it?

9. Latest research proves that Flame is indeed linked to Stuxnet. And just one week after Flame was discovered, US Government admitted that they had developed Stuxnet together with the Israeli Armed Forces.

  • "You're just trying to hype it up. Still lame."

Name me one crime framework that doesn't borrow from another. In my article "Flame - dissecting through media and SME hype", I documented the code association. It is very weak. Especially when dealing with government organizations.

Government organizations are masters at deception, which means any government could inject any kind of code to point fingers at anyone else. In fact, crime organizations can inject code to point back at governments.

10. Flame creates a local proxy which it uses to intercept traffic to Microsoft Update. This is used to spread Flame to other machines in a local area network.

  • "Lame. Even if other computers would receive such a bogus update, they wouldn't accept it as it wouldn't be signed by Microsoft".
  • "The fake update was signed with a certificate linking up to Microsoft root, as the attackers found a way to repurpose Microsoft Terminal Server license certificates. Even this wasn't enough to spoof newer Windows versions, so they did some cutting-edge cryptographic research and came up with a completely new way to create hash collisions, enabling them to spoof the certificate. They still needed a supercomputer though. And they've been doing this silently since 2010."

Really? This has been documented six ways from Sunday via crypto and security mailing lists. We are talking about problems that are over a dozen years old. Not to mention I have on my machine right now samples that have all sorts of stolen certificates on them.

The proxy trick is not that interesting. It may be interesting for those in the non-technological realm, but there are plenty of us singing along to Shania Twain: "Don't impress me much."

Now that I have offered a counterpoint to F-Secure, I would like to paint a scenario for you. Imagine you are a covert assassin, let's say a Ninja. You go through the painstaking task of developing a plan, ensuring you execute this plan with precision. You are undetected, have managed to get into the castle. Once in the castle, having managed to bypass all forms of security mechanisms, you place bubble wrap on your feet to start walking around.

Theorizing that "well it takes a phone's contact list..." does not constitute government involvement. Too many either forget or don't know that there are easier methods to accomplish this without raising a red flag OUTSIDE of the compromised network: "In the Greek telephone tapping case 2004-2005 more than 100 mobile phone numbers belonging mostly to members of the Greek government, including the Prime Minister of Greece, and top-ranking civil servants were found to have been illegally tapped for a period of at least one year." [1]

All the theories of "well it does this and this and this and that" do not make it a gov operation. Besides, isn't it also theorized that "circuits are tapped," "the wires are tapped (ECHELON)", and all other sorts of unproven theories? I for one am all for proving things beyond a reasonable doubt. Otherwise, accusations without true merit can lead to serious consequences.

The Blackmail Theory

Imagine you are a high ranking politician and some of your activities have not been morally sound. Perhaps you fiddled around outside of your marriage, or perhaps you accepted a gift you know would have you thrown out of office. If snooped on, you would be extorted.

Would you: a) admit your guilt, call it a day and leave office; b) pay someone whatever they wanted as long as they shut up; c) call a law enforcement agency and let them know that you committed a crime and are now being extorted; or d) do nothing? I can tell you that many would likely choose B. Choice A would leave you forever damaged and money would likely run out quickly. Choice C would likely reflect choice A along with jail time. Choice D would likely have the same ripple effects as A, C and D.

Too many experts who tout "there is a lot of money invested by whoever made this piece of malware" are overlooking the fact that these groups make BILLIONS of dollars a year. We have seen the blackmail and ransom theory come true [2] in the past. Whether or not most are paid is unknown. Logic dictates that if someone has valid enough dirt, I doubt the blackmail will be reported.

"Shaileshkumar P. Jain, along with his co-conspirator, Bjorn Daniel Sundin, is wanted for his alleged involvement in an international cybercrime scheme... resulting in consumer loss of more than $100 million." [3] Do you think someone like this would spend say, $50,000.00 in hopes of trying to earn a couple of million?

When we went to war with Iraq, we did so based off of information obtained by waterboarding. Quote: "CHENEY: When we get into the whole area of one of the most controversial techniques, waterboarding. ... Khalid Sheik Mohammad and it produced phenomenal results for us." The reality of this was, KSM told us what we wanted to hear. The same parallels cyber.

Too many SMEs continue to believe their own interpretations of information without having concrete information to support their claims. Some may be telling industries (government and media) what they want to hear. I ask: Should we risk another incident with another country off of half-baked information?

I would like to believe that most governments have enough of a clue to avoid walking into a house like a Ninja only to bubble wrap their feet. History has shown us that they do. Does this make them innocent with regard to Flame or Stuxnet? Not really, but it yields more questions that don't quite add up. One can throw any theory they would like into the mix; mine is one that makes more logical sense to me because I have seen this sort of thing (Flame, Stuxnet) before and it is not impressive.

I am thinking outside of the usual herding instinct and not trying to prop up sales of an application or a service. However, if I had to, I would gladly state the opposite - it was a government - if my livelihood depended on it.

After all, we are not really talking about security or securing a nation or individual, we are talking dollars and cents. Compromising a machine or infrastructure can and will never lead to a submission in a war.



Cross-posted from Infiltrated
