New in-the-wild malware linked to state-sponsored Flame targeting Iran

Data suggests Flame was created by an advanced, nation-sponsored group with cash.

The client applications and related communications protocols supported by the Newsforyou control server used to coordinate Flame attacks. Kaspersky researchers found that at least one of the clients, SP, is still actively infecting computers.
Kaspersky Lab

The operators behind Flame, the highly advanced espionage malware that targeted Iran, began their campaign no later than 2006 and supported three other pieces of malicious software, one of which is still circulating on the Internet, researchers said.

The revelations are the result of a forensic investigation of control servers used to help execute the Flame operation. They show the state-sponsored campaign was even more far-reaching than previously believed. The servers were disguised as publishing platforms running a fictitious content management application called Newsforyou and were programmed to destroy hard-drive data to prevent the espionage from ever coming to light. They also used strong cryptography to prevent lower-level operators from controlling infected computers or viewing the contents of data that was extracted from them.

A series of administrative errors left some of the data intact, allowing researchers to extract new evidence that further underscores the sophistication and magnitude of the operation. Key among the undeleted data is the names or code names of four of the people who developed code for the platforms, some as early as 2006. Previous research pegged the start date no later than 2008.

Separately, the recovered data showed that a single server, which was set up on March 25, managed to siphon almost six gigabytes worth of data from its targets in just eight days. Combined with evidence suggesting it was only one of many almost identical servers run by the same group, researchers say they believe the number of Flame victims alone likely exceeded 10,000. The total amount of data they lost is almost incomprehensible.

"That's pretty staggering," said Vikram Thakur, a researcher with Symantec Security Response, referring to the 5.5 gigabytes of data collected by one of two servers he analyzed. "If the attackers actually continued their operations in a similar manner or with high frequency over the past five years they probably have terabytes of information collected from pretty much whoever they chose. That's a lot of information that they could make use of. That would be every target's life history a few times over." The Symantec report he helped prepare is here.

The joint investigation by researchers from Symantec and competing antivirus provider Kaspersky Lab analyzed disk images of two or more command and control servers, at least one of which was owned by an unidentified European company with data centers located in another European Union country. Compared with most control panels used to manage large armies of infected computers, the Newsforyou interface was so sparse that it appeared to be in an early, "alpha" stage of development. But it turned out the absence of overt features for infecting or conducting other botnet-related activities was an attempt to conceal its activities.

"The C&C developers didn't use professional terms such as bot, botnet, infection, malware-command, or anything related in their control panel," a report published on Monday by Kaspersky Lab explained. "Instead they used common words like data, upload, download, client, news, blog, ads, backup etc. We believe this was deliberately done to deceive hosting-company sys-admins who might run unexpected checks."

Kaspersky researchers reached that assessment after they dissected logs that showed how the back-end server software securely communicated with Flame-infected computers. It used a custom-developed communications scheme dubbed OldProtocol to upload and download data in an encrypted format that could only be decrypted by people holding keys that were never stored on the server. This allowed the Flame operators to establish a strict separation of roles within the organization. Administrators could set up and maintain servers, but they had neither control over what updates were pushed to infected clients nor access to the sensitive data collected from them.

As a result, attack operators could download stolen data in encrypted form, but only offline attack coordinators with encryption keys had the ability to decrypt and analyze the data.

The OldProtocol scheme used for Flame, it turns out, is only one of four communications protocols supported by the Newsforyou software, researchers from both AV companies said. Separate protocols dubbed OldProtocolE, SignupProtocol, and RedProtocol were designed to interact with substantially different pieces of malware that have yet to be identified. Significantly, so-called "sinkhole" servers deployed by Kaspersky to intercept connections from Flame-infected computers have received connections from machines compromised by a completely different piece of malware, which the researchers have dubbed "SPE," that works with the OldProtocolE scheme.

A development timeline of the Newsforyou software that formed the guts of the Flame command and control server. It shows the operation was active in 2006, about two years earlier than previously established.
Kaspersky Lab

"Therefore, we can confirm the malware known as 'SPE' exists and is currently in-the-wild," Kaspersky researchers wrote. They also found that the RedProtocol had not yet been implemented, an indication that the capabilities of the back-end system were continuing to evolve as recently as May, when one of the control servers was deployed. Little is known about the remaining SignupProtocol, other than that it appeared to work with a little-known client dubbed IP.

Botched Suicide Mission

One of the two servers analyzed by Symantec was deployed on May 14, two weeks before the discovery of Flame became public. Unlike the command channel from March, it hosted a new Flame module dubbed "SHREDER" that, as previously reported, instructed Flame-infected computers to remove all traces of the malware. Thakur, the Symantec researcher, told Ars he believes the server was deployed in a race against the clock, shortly after the Flame actors learned their operation had become public. In their hurry, Thakur believes, they made crucial mistakes that left key evidence leading to these latest discoveries.

"On the server which was operating in May, we know that the operators and people behind that server were in a big rush, such a big rush that they didn't set up the server properly," he explained. "It just goes to show that these people were totally human and prone to errors."

Other control servers also appear to have made critical mistakes. The Newsforyou application executed a script every two minutes that moved any newly collected data to an encrypted archive folder, where it could be accessed by senior members of the operation. It also regularly called a Python-based script that was supposed to permanently remove all temporary files on the server, to prevent forensic examiners from extracting clues about these activities. But because of a typo, the Eraser.py file never executed: the script that called it referenced a directory called "pycleaner," while the file actually resided in a directory called "pycleanscr." The operators made other critical mistakes, such as failing to destroy a bash history file that recorded the Unix commands the administrators had issued.

As a result, the server set up in March contained clues showing the almost six gigabytes worth of data it had downloaded from Flame-infected computers. What's more, it showed those victims used 5,377 unique IP addresses—3,702 of which were located in Iran, 1,280 in Sudan and the remainder scattered across 13 other countries.

A break-down by country of the Flame victims targeted by a single command and control server for just eight days. Researchers believe it was only one of many servers used in an espionage operation that may have lasted years.
Kaspersky Lab

The source code also exposes the names or nicknames of four of the developers who wrote and maintained the server code over the years. To avoid interfering with any investigations that may be in progress, Symantec's Thakur said the names were being publicly identified only as "D***," "H*****," "O******," and "R***." The code itself is well-written and amply commented, although one comment that misspells the word "variable" suggests one or more of the developers may have been prone to typos.

Back-end code used by one of the control servers for Flame.
Symantec

Within days or weeks of the discovery of Flame, researchers determined it could only have been spawned by a technically sophisticated team that had the backing of a wealthy nation-state. The complexity of the code itself is one clue, while its novel execution of a rare collision attack on a cryptographic hash to hijack Microsoft's Windows Update mechanism is another. Researchers have also found an identical chunk of attack code was shared between Flame and Stuxnet, the sophisticated worm reportedly unleashed by the US and Israel to disrupt Iran's nuclear program.

The analysis of the control servers only reinforces that conclusion. Evidence that the command server required people with different levels of trust to carry out different jobs, depending on the sensitivity of each, is consistent with a large, highly structured operation. The fact that work on Flame began no later than 2006 and that the operators developed separate malware further suggests a group with almost limitless resources.

As the Kaspersky report concludes: "These features are not normally found in malware created by everyday cyber-criminals, reaffirming our initial conclusions that Flame is a nation-state sponsored attack."

Story updated to add details about names.

Listing image by milintoc