Information about the Flame virus was published in the last few days of May 2012. This discovery comes two years after Stuxnet (June 2010) and less than a year after Duqu (Sept. 2011). Although these three viruses have different objectives, they have in common their complexity and the fact that they were probably developed by people with “unlimited” resources. So where are we now? Is this cyberwar, or is it the natural evolution of cyber crime?
What is Flame? How does it work?
Easy question, but difficult answer! In short, Flame is a little bit of everything. The best way to describe it is with the term “attack toolkit”. It’s a toolkit because its modular approach allows it to become a backdoor or a worm, and it can also perform various malicious activities such as key logging, network sniffing, listening on the audio interface, stealing information, enabling Bluetooth and scanning for other devices, etc. In short, it can do more or less everything a hacker would dream of. Also, based on the security industry’s experience with Stuxnet, everybody was expecting several zero-day attacks. There is actually no evidence of such attacks in Flame. In particular, there are still some questions about the initial infection vector. However, Kaspersky observed that a fully patched Windows 7 machine was still being infected, raising more suspicion about a zero-day attack. Further analysis highlights a different story…
(Note: You can find more technical details via the excellent “Questions and Answers” from Kaspersky.)
The MITM attack that every hacker dreams of
What could be better for a hacker than having a rogue certificate signed by Microsoft? Honestly, nothing!
It seems that the Flame certificate breach is indeed now called the ‘Holy Grail’ hack
Mikko Hypponen – Twitter
Guess what? The authors of Flame did exactly that! In fact, when a machine on the same network as an infected one tries to connect to Windows Update, the traffic is redirected to the infected machine, which replies with a malicious update. But wait! To do that you need a certificate signed by Microsoft, so that the “fake” Windows Update is seen as legitimate. This is where Flame cannot be classified as a “normal” virus: the authors of the malware generated a fake Microsoft certificate using a previously unknown collision attack on MD5. Not to mention that this can only be achieved by world-class scientists.
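The redirection described above has a simple network-level symptom: a client asks for a Windows Update hostname and ends up talking to a machine on its own LAN instead of to Microsoft. The following is an added example, written for this post and not taken from the original article or from any vendor analysis, of a detection a defender could run over resolver logs. The log line format is an assumption for the example, and the client and answer addresses are invented; only the Microsoft update hostnames are real public names.

```python
import ipaddress
import re

# Well-known Microsoft update hostnames; a lookup matches on the name itself
# or on any subdomain of it.
UPDATE_DOMAINS = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
)

# Constructed resolver log for this example (format assumed): one answer per line.
# 65.55.50.189 stands in for a public address; the 10.x and 192.168.x answers are
# the suspicious ones, an update name pointing at a host on the local network.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z client=10.0.0.15 query=download.windowsupdate.com answer=65.55.50.189
2012-06-01T10:00:07Z client=10.0.0.16 query=update.microsoft.com answer=10.0.0.23
2012-06-01T10:00:09Z client=10.0.0.16 query=intranet.example.local answer=10.0.0.5
2012-06-01T10:00:12Z client=10.0.0.17 query=www.windowsupdate.com answer=192.168.1.40
2012-06-01T10:00:15Z client=10.0.0.18 query=windowsupdate.com answer=not-an-ip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


def is_update_domain(name: str) -> bool:
    """True if `name` is one of the update domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in UPDATE_DOMAINS)


def detect_local_update_redirection(log_text: str) -> list:
    """Return one alert per update-domain lookup that resolved to a private
    (RFC 1918 or otherwise non-global) address, i.e. to a machine on the LAN."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        rec = m.groupdict()
        if not is_update_domain(rec["query"]):
            continue
        try:
            addr = ipaddress.ip_address(rec["answer"])
        except ValueError:
            continue  # answer is not an IP literal (CNAME, garbage), nothing to judge
        if addr.is_private:
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "query": rec["query"],
                "answer": rec["answer"],
                "reason": "update domain resolved to a private address",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_local_update_redirection(SAMPLE_LOG):
        print(alert)
```

On the constructed log this flags the two clients whose update lookups resolved to 10.0.0.23 and 192.168.1.40 and ignores the intranet lookup, which is private by design. In an environment with an internal WSUS server the same rule needs an allow-list for that server's address; anything else on the LAN answering for an update hostname is worth an investigation.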
I don’t want to go into too much technical detail here; if you are interested, refer to the following links:
- http://www.crysys.hu/skywiper/skywiper.pdf (note that Skywiper is another name for Flame)
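To make concrete why a hash collision turns into a rogue certificate, here is an added example in Python, written for this post rather than taken from the article or from any Flame analysis. It models a CA that signs the digest of a certificate body (as real hash-then-sign schemes do), uses a deliberately weak 16-bit truncated hash so that a collision can be found offline in a fraction of a second, and then shows that a body crafted to collide verifies under the weak hash but not under SHA-256. The HMAC “signature”, the CA key and the certificate strings are all constructed for the example; the check at the end, refusing certificates whose signature algorithm relies on MD5 or SHA-1, is the mitigation a defender actually applies.

```python
import hashlib
import hmac
import itertools

# Constructed toy key: stands in for the CA's private signing key.
CA_KEY = b"toy-ca-key-for-illustration-only"


def weak_digest(data: bytes) -> bytes:
    """MD5 truncated to 16 bits: weak on purpose so a collision is cheap to
    find offline. Real MD5 is 128 bits, and a real rogue-CA forgery needs a
    genuine chosen-prefix collision, which is far harder to compute."""
    return hashlib.md5(data).digest()[:2]


def strong_digest(data: bytes) -> bytes:
    """SHA-256, the hash a CA should be signing over."""
    return hashlib.sha256(data).digest()


def sign(body: bytes, digest) -> bytes:
    """Toy signature: a MAC over the *digest* of the body. Real RSA/ECDSA
    signatures also cover the digest, not the body, which is exactly why a
    digest collision lets one signature vouch for two different documents."""
    return hmac.new(CA_KEY, digest(body), hashlib.sha256).digest()


def verify(body: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(sign(body, digest), sig)


def find_colliding_body(target: bytes, prefix: bytes) -> bytes:
    """Append a counter to a chosen prefix until the truncated digest equals
    that of `target`. With a 16-bit digest this takes roughly 65k MD5 calls."""
    want = weak_digest(target)
    for i in itertools.count():
        candidate = prefix + str(i).encode()
        if candidate != target and weak_digest(candidate) == want:
            return candidate


# Constructed certificate bodies (not real X.509, just the bytes the CA signs).
LEGIT = b"CN=Harmless Test Client; EKU=clientAuth"
ROGUE_PREFIX = b"CN=Looks Like Update Server; EKU=codeSigning; pad="


def collision_transfers_signature() -> dict:
    """Sign the legitimate body, find a colliding rogue body, and report under
    which digest algorithm the legitimate signature also covers the rogue one."""
    legit_sig = sign(LEGIT, weak_digest)
    rogue = find_colliding_body(LEGIT, ROGUE_PREFIX)
    return {
        "rogue_verifies_under_weak_hash": verify(rogue, legit_sig, weak_digest),
        "rogue_verifies_under_sha256": verify(rogue, legit_sig, strong_digest),
        "legit_verifies_under_sha256": verify(LEGIT, sign(LEGIT, strong_digest), strong_digest),
    }


# Defender-side check. `sig_alg` is the signature algorithm name as printed
# by tools such as OpenSSL, e.g. "md5WithRSAEncryption" or "ecdsa-with-SHA256";
# a substring match on the hash family is enough to reject the broken ones.
WEAK_HASHES = ("md2", "md4", "md5", "sha1")


def signature_algorithm_allowed(sig_alg: str) -> bool:
    alg = sig_alg.lower()
    return not any(h in alg for h in WEAK_HASHES)


if __name__ == "__main__":
    print(collision_transfers_signature())
    print("md5WithRSAEncryption allowed:", signature_algorithm_allowed("md5WithRSAEncryption"))
```

The point of the example is the asymmetry at the end: the forged body carries the CA's signature only while the verifier hashes with the weak function, so a relying party that rejects MD5-signed chains is protected even if the CA once issued such certificates. Shortening the digest is what makes the search feasible here; for full MD5 the same effect required the chosen-prefix collision work the linked papers describe.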
So in the end is this Cyberwar or not?
There are still a lot of things to be discovered about Flame, and we can fairly assume that several other viruses are already in the wild stealing information from companies, governments, etc. The US Government has recently been mentioned as the author of the Stuxnet virus. Obviously there wasn’t any official confirmation, but the NY Times article is pretty clear on what happened.
(Very) Short introduction to Cyberwar
Defining “Cyberwar” is somewhat difficult. Speaking of war, it is in a way logical to look at how the military defines “cyber”. For example, the United Nations (UN) defines cyber as “the global system of systems of Internetted computers, communications infrastructures, online conferencing entities, databases and information utilities generally known as the Net.”… in short, the Internet. A definition of war can be found in books such as the “Art of War” from 1873 (I know it sounds a bit old, but the UN doesn’t have a definition for war). So in the end, is this real? Is cyber war really happening? I’m taking a shortcut here, but we can assume that the answer is yes. Why? Because most critical infrastructure (e.g. electricity, water, etc.) and most military equipment and strategy rely on inter-connected systems.
However, there are some key differences; in particular, a cyber war would rarely cause direct deaths. It could lead to major disruption of vital services such as electricity and water, economic loss, or damage to property. It also has some key advantages:
- There is a lot of information available via the cyber world;
- The costs are low (compared to a “normal” war);
- Remote access is always easier than physical access;
- The risks are lower, as there are no real laws that govern the Internet.
Would Cyber Espionage be better? Yes.
So far Flame hasn’t done any damage, except stealing information from countries such as Iran. It’s therefore difficult to categorize it as a “cyber war” virus; the term “Cyber Espionage” is more appropriate. Even though we don’t know all the details about Flame, we can be sure that its goal was to steal information. It would therefore be more appropriate to call it a “Cyber Espionage virus”. This can be seen as one of the very first steps in the “cyber war” strategies of some countries. In a way, they are actually testing the true capabilities of such actions and their impact.
While Flame has started to self-destruct (yes, it definitely sounds like a Mission Impossible movie), we can be sure that more and more similar actions are already deployed in the wild. What would be the next steps? Are we going to see an escalation and discover in a few months or years that massive cyber attacks have been used? I honestly don’t know what will happen, but my guess is that this is only the very first step of such activities.