Entries with tag flame.

Researchers Discover Link between Flame, Stuxnet

Kaspersky Lab researchers claim they have found evidence showing the creators of the Stuxnet, Duqu, and Flame cyberweapons cooperated at least once. The researchers found a module known as Resource 207 that appears in the Stuxnet worm and is similar to code used in the Flame malware toolkit. The finding prompted researchers to rescind their previous assertion that the two attacks were unrelated. They also determined that Flame existed originally as a platform within Stuxnet as early as 2008. Alan Woodward, a security expert and University of Surrey professor, told the BBC that the findings are interesting but do not clearly indicate the party behind the attacks. “The fact that they shared source code further suggests that it wasn’t just someone copying or reusing one bit of Stuxnet or Flame that they had found in the wild, but rather those that wrote the code passed it over,” he said. “At the very least, it suggests there are two groups capable of building this type of code but they are somehow collaborating, albeit only in a minor way.” (BBC)(Securelist – Kaspersky Lab blog)

Flame Creators Trip Self-Destruct Command

Symantec researchers report that the creators of the Flame malware toolkit issued a so-called “suicide command” earlier this week to have it remove itself from some infected computers. Symantec observed the command using honeypot computers specifically designed to observe Flame and said the command removed all Flame files, then overwrote their locations in memory with gibberish to stymie researchers investigating the infection. Symantec claims the code was written in early May. Meanwhile, in an address before a security conference in Tel Aviv, Eugene Kaspersky of Kaspersky Lab, which discovered Flame, said this sort of cyberterrorism is frightening. “It’s not cyberwar, it’s cyberterrorism, and I’m afraid it’s just the beginning of the game ... I’m afraid it will be the end of the world as we know it,” Kaspersky said. “I’m scared, believe me. … Flame is extremely complicated but I think many countries can do the same or very similar, even countries that don't have enough of the expertise at the moment. They can employ engineers or kidnap them, or employ ‘hacktivists.’” (BBC)(Computerworld)(Symantec Security Response Blog)(Reuters)
 

New Flame Discovery Stuns Security Researchers

The latest twist in the Flame cyberespionage attacks sent security experts reeling after it was discovered that the malware’s authors enabled their creation to spread by using signed digital certificates from Microsoft. “Having a Microsoft code-signing certificate is the Holy Grail of malware writers. This has now happened,” wrote F-Secure chief research officer Mikko Hypponen in a blog post. “I guess the good news is that this wasn’t done by cybercriminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency.” Many security researchers think the same nation-state responsible for 2010’s Stuxnet malware attacks on Iranian nuclear-processing facilities created the Flame malware toolkit. To deal with the problem, Microsoft has issued one emergency patch for all Windows versions and another to kill three rogue certificates that looked as if the company signed them. Microsoft is urging Windows users to update their systems immediately. Hackers apparently used two modules within Flame to infect fully patched Windows 7 machines via a vulnerable cryptographic algorithm in Microsoft’s Terminal Server Licensing Service. Researchers at security vendors F-Secure, OpenDNS, and Kaspersky Lab are releasing new details about how Flame works. For example, OpenDNS said Flame mimics regular network traffic, thereby evading detection. (Dark Reading)(Information Week)(F-Secure)(Microsoft Security Advisory)
 

Flame Malware Authors Wanted to Steal Iranian Technical Drawings

Initial analysis of the Flame malware toolkit by Kaspersky Lab researchers shows the attackers sought technical drawings from Iran. The researchers also reported that the network went dark within an hour of the operation being made public last week, but not before the authors updated infected machines. Kaspersky Lab used a technique called sinkholing to obtain its information. “Sinkholing is a procedure when we discover a malicious server—whether it is an IP address or domain name—that we can take over with the help of the authorities or the [domain] registrar,” Kaspersky senior researcher Vitaly Kamluk told the BBC. “We can redirect all the requests from the victims from infected machines to our lab server to register all these infections and log them.” This was how they determined that the attackers targeted Iran and sought AutoCAD schematics, as well as some PDF and text files. The attackers reportedly used complex false identities to carry out their plans and registered at least 86 domain names for their command-and-control infrastructure since 2008. The Kaspersky analysis shows that the command-and-control server network moved regularly and was in locations such as Germany, Hong Kong, Turkey, and the UK. Kaspersky has not determined if Flame is related to a virus that targeted the Iranian oil ministry in April, but they think it was created by the same nation-state responsible for the Stuxnet malware attacks. (Wired)(BBC)(Securelist)
