There have been many who have spoken about cyber war and cyber warfare. Stuxnet gave us a preview of what a cyber weapon really is and of the damage it can do in the physical world: it tampered with the Siemens programmable logic controllers (PLCs) driving the centrifuges at a uranium enrichment facility, and its destructive payload shocked the world.
Access to information is critical in such instances; it helps you understand the reality on the ground and adapt to a constantly changing scenario.
For cyber war to succeed, espionage is the most critical component, and that is where the latest threat, Flame, comes into the picture.
For the past few days everyone has been worried about Flame; the sheer size of its binaries has shaken quite a few people. The number of infections is below 5,000 systems (a drop of water in the ocean) and most of them are in the Middle East, but the reasons I chose to write about Flame are summarized below.
After analyzing the various components of Flame, we have reached the conclusion that Flame is a framework for cyber war.
Its only objective is to gather intelligence, i.e. data: usernames, password hashes, URL cache, network drives, cached passwords, Bluetooth devices, instant-messenger traffic, browser traffic and so on. It also ships with its own SQLite database. Given its modular structure, the possibility of Flame being used as a destructive cyber weapon cannot be ruled out.
One component of this framework that caught our attention was its use of the Windows wave-audio APIs. These APIs are used to record conversations and store them digitally: the system microphone is enabled, conversations are recorded in real time and the recordings are uploaded to a command-and-control (C&C) server. So why would anyone be interested in listening to other people's conversations? We assume this is a selective process.
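The two concrete traits named above, wave-audio recording and an embedded SQLite store, are both visible in a binary as strings: the import table names winmm.dll and the waveIn* exports, and every SQLite database file begins with a fixed 16-byte header. The following is an added example, not eScan's tooling or any Flame component: a string-level capability triage over a binary blob. The indicator lists and the sample inputs are constructed for illustration.

```python
"""Static capability triage for two traits attributed to Flame: microphone
capture via the Windows wave-audio API (winmm.dll, waveIn*) and an embedded
SQLite database.  Added example, not eScan's detection logic."""
import re
from dataclasses import dataclass, field

# Indicator sets (assumption: chosen for this example, not a vendor signature).
# waveIn* are the winmm.dll exports a program calls to capture microphone audio.
AUDIO_DLL = b"winmm.dll"
AUDIO_IMPORTS = (
    b"waveInOpen", b"waveInPrepareHeader", b"waveInAddBuffer",
    b"waveInStart", b"waveInGetNumDevs",
)
# Every SQLite database file starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"
SQLITE_API = (b"sqlite3_open", b"sqlite3_exec", b"sqlite3_prepare")


def find_all(blob: bytes, needle: bytes, ignore_case: bool = False) -> list:
    """Return the offsets of every (non-overlapping) occurrence of needle."""
    flags = re.IGNORECASE if ignore_case else 0
    return [m.start() for m in re.finditer(re.escape(needle), blob, flags)]


@dataclass
class Triage:
    audio_dll_offsets: list = field(default_factory=list)
    audio_imports: dict = field(default_factory=dict)   # export name -> offsets
    sqlite_magic_offsets: list = field(default_factory=list)
    sqlite_api: dict = field(default_factory=dict)      # API name -> offsets

    def capabilities(self) -> set:
        caps = set()
        # Require both the DLL name and at least one waveIn* export: a lone
        # "winmm.dll" string is common in benign binaries that only play sounds.
        if self.audio_dll_offsets and self.audio_imports:
            caps.add("audio-capture")
        if self.sqlite_magic_offsets or self.sqlite_api:
            caps.add("embedded-sqlite")
        return caps


def triage(blob: bytes) -> Triage:
    """Scan a raw file image for the indicator strings and classify it."""
    t = Triage()
    # Import-table DLL names vary in case (WINMM.dll, winmm.DLL); export names do not.
    t.audio_dll_offsets = find_all(blob, AUDIO_DLL, ignore_case=True)
    for name in AUDIO_IMPORTS:
        hits = find_all(blob, name)
        if hits:
            t.audio_imports[name.decode()] = hits
    t.sqlite_magic_offsets = find_all(blob, SQLITE_MAGIC)
    for name in SQLITE_API:
        hits = find_all(blob, name)
        if hits:
            t.sqlite_api[name.decode()] = hits
    return t


# Constructed sample inputs (not real Flame components): an import-table-like
# string region followed by an embedded SQLite header, and a benign control
# that names winmm.dll but only for sound playback.
SUSPECT = (
    b"KERNEL32.dll\x00CreateFileW\x00WriteFile\x00"
    b"WINMM.dll\x00waveInOpen\x00waveInAddBuffer\x00waveInStart\x00"
    + b"\x00" * 64
    + SQLITE_MAGIC + b"\x10\x00\x01\x01\x00\x40\x20\x20"
)
BENIGN = b"KERNEL32.dll\x00CreateFileW\x00winmm.dll\x00PlaySoundW\x00"

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        r = triage(blob)
        print(label, sorted(r.capabilities()), sorted(r.audio_imports),
              r.sqlite_magic_offsets)
```

This is a triage heuristic, not a signature: it only works when the import names are present as plain strings, so a packed component, or one that resolves waveIn* at run time through GetProcAddress with encrypted names, will not be flagged. It is useful for sorting a pile of dropped files by capability before spending analyst time on them.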
This suggests that Flame is not just an espionage tool but one being used against specific individuals. Which individuals? My best guess: those whose decisions matter most, in the governance of a nation or of a large corporation.
Judging from the functionality Flame provides, we believe the siphoned data is analyzed with human intervention, and that the decision to investigate the "asset" further is taken at that stage. The asset here is the victim, and "investigation" means adding payloads to, or removing them from, the infected system; the next target is also selected at this point.
Such an operation can only be sustained by powerful nations, or by corporations that are well funded and have large stakes invested.
Spear phishing, USB media and insider threats cannot be ruled out as possible methods of initiating the infection.
Flame sets a new standard in espionage and cyber warfare, and in the coming years we shall come across many more instances of such tailor-made malware being detected.
eScan users need not worry: Flame components and binaries are detected by our MWAV tool as Trojan.Flame.A, Trojan.Flame.B and Trojan.Generic.
One surprising fact that comes to the fore from the detections is that some of the components were taken from other malware and integrated into Flame.
Overall, there remains a gray area in the detection of newer malware and Trojans.
Are we at eScan doing anything to address this gray area? Yes, we are.