While USB drives have long been a security threat, the Flame spying malware brought the use of portable storage devices to a new level of weaponry.
Flame, discovered last month in Iran’s oil-ministry computers, used USB ports found on every PC as a pathway to avoid detection by network-guarding security systems. The cleverness of Flame’s creators in keeping the malware under the radar was one more example of why it is considered among the most sophisticated espionage-software packages to date.
Because Flame was looking for highly sensitive data, it had to steal the information from networks without internet connections, yet still be able to connect at some point to a remote command and control server, vendor Bitdefender said in its security labs blog. To do that, Flame would move stolen files and a copy of itself to a memory stick inserted in an infected computer.
When the storage device was plugged into another PC, Flame would check to see if it was connected to the Internet and then copy itself and the stolen files to the new host, which the malware used to compress the data and transmit it to the controller’s server over HTTPS.
Flame would not store stolen documents in the new host unless it was sure there was an Internet connection, Bitdefender said. “This is how it ensures that it has the best chances to call back home and send leaked data to the attacker.”
The malware hid in storage devices by giving the folder that contained the malware and stolen data a name Windows could not read. “Because Windows could not read the name, the folder remained hidden from the user, giving him or her no reason to suspect they were carrying stolen information,” Bitdefender said.
“The main idea behind this is something that we have not seen before: the information mule is a person who is used to carry information between two systems,” Bitdefender said.
Flame was capable of infecting networked PCs, but that function was turned off to prevent the malware from spreading too far into a network, thereby increasing its chances of detection. Bitdefender acknowledged that the malware creators might also have had an accomplice who acted as a data smuggler in carrying an infected USB drive from one PC to another.
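The article says only that the folder on the stick carried a name Windows “could not read”; it does not give the name. The following is an added example, not code from the article, Bitdefender or Symantec, written from the defender’s side: it scans a mounted drive (such as a USB stick pulled from an isolated network) for the general class of names that Win32 and Explorer mishandle, so that an analyst reviewing removable media does not rely on what the file browser happens to show. Treating that class as the relevant one is an assumption; the sample names are constructed for the example.

```python
"""Flag file and directory names on removable media that Windows cannot
display or open normally.

Added example; not from the article or from any vendor. The article does
not give the folder name Flame used, so the checks below cover a class of
names Explorer mishandles (an assumption about the class, not a
description of the actual sample):
  - trailing dots or spaces (silently stripped by Win32, so the entry
    cannot be opened by the name that is shown)
  - names made only of dots
  - reserved device names such as CON, NUL, COM1 (with any extension)
  - characters forbidden in Win32 names, including control characters
  - invisible or direction-changing Unicode format characters
"""
import os
import unicodedata
from typing import Iterable, List, Tuple

WIN32_FORBIDDEN = set('<>:"/\\|?*')
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def name_problems(name: str) -> List[str]:
    """Return the reasons a single path component is suspicious
    (an empty list means it looks like an ordinary name)."""
    reasons: List[str] = []
    if name in (".", ".."):
        return reasons  # the normal self/parent entries
    if set(name) <= {"."}:
        reasons.append("dots only")
    elif name != name.rstrip(". "):
        reasons.append("trailing dot/space")
    stem = name.split(".")[0].upper()
    if stem in RESERVED:
        reasons.append(f"reserved device name {stem}")
    if any(ch in WIN32_FORBIDDEN for ch in name):
        reasons.append("forbidden Win32 character")
    categories = {unicodedata.category(ch) for ch in name}
    if "Cc" in categories:
        reasons.append("control character")
    if "Cf" in categories:
        reasons.append("invisible/format Unicode character")
    return reasons


def suspicious_names(names: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Reduce a sequence of names to (name, reasons) pairs for the odd ones."""
    return [(n, name_problems(n)) for n in names if name_problems(n)]


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a mounted drive and report every entry with a problematic
    name, together with its full path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            reasons = name_problems(entry)
            if reasons:
                findings.append((os.path.join(dirpath, entry), reasons))
    return findings


# Constructed sample listing for the example; none of these names is
# taken from a real sample.
SAMPLE_NAMES = [
    "Budget2012.xlsx",
    "Photos",
    "reports.",               # trailing dot
    "...",                    # dots only
    "nul.txt",                # reserved device name
    "invoice\u202epdf.exe",   # right-to-left override changes how the name renders
    "notes\x01",              # control character
]

if __name__ == "__main__":
    for name, reasons in suspicious_names(SAMPLE_NAMES):
        print(f"{name!r}: {', '.join(reasons)}")
```

Run `scan_tree("/media/usb0")` (or the drive letter on Windows) against a stick mounted read-only on an analysis machine; a hit is a reason to image the device rather than browse it. This is an after-the-fact check and complements, rather than replaces, the device-control policies and the network isolation the article describes.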
Hackers targeting USBs is new
The success Flame creators had in using USB memory sticks will be studied by hackers. “The technicalities of how Flame uses the USB stick is new and shows that attackers who are determined to penetrate deep inside secure environments are using USB devices to gain that access and to exfiltrate the data they discover too,” Liam O Murchu, manager of operations for Symantec Security Response, said in an email Tuesday. “Flamer’s use of this USB technique shows that this is an avenue of attack that is highly valuable and will be used again and again.”
The mode of infection was one more example of Flame’s list of sophisticated techniques, which included fooling Microsoft Terminal Services into having its certificate authority generate fake digital signatures. Once embedded in the code, the signatures made Flame appear to be Microsoft software, while the malware altered and updated its code.
Flame has been linked to the Stuxnet malware blamed for damaging uranium-enrichment systems in Iran’s nuclear facility in 2010. Kaspersky Labs discovered that a component of Flame, which was created in 2008, was also in the 2009 version of Stuxnet. Quoting anonymous sources in the Obama administration, The New York Times recently reported that Stuxnet was the creation of U.S. and Israeli government agents.
Because Flame and Stuxnet were highly targeted attacks, neither is believed to pose much of a threat to most corporations. Nevertheless, the vulnerabilities exposed by Flame, particularly the flaw in Microsoft’s issuance of digital signatures, were significant. Venafi, which sells key and certificate management technology, reported that more than a quarter of Global 2000 companies were vulnerable to attackers using the exploit. Microsoft has released a patch for the hole.