Flame Malware Illustrates Vulnerability of USB Drives

McLovin

While USB drives have long been a security threat, the Flame spying malware brought the use of portable storage devices to a new level of weaponry.


Flame, discovered last month in Iran's oil-ministry computers, used USB ports found on every PC as a pathway to avoid detection by network-guarding security systems. The cleverness of Flame's creators in keeping the malware under the radar was one more example of why it is considered among the most sophisticated espionage-software packages to date.

Because Flame was looking for highly sensitive data, it had to steal the information from networks without internet connections, yet still be able to connect at some point to a remote command and control server, vendor Bitdefender said in its security labs blog. To do that, Flame would move stolen files and a copy of itself to a memory stick inserted in an infected computer.

When the storage device was plugged into another PC, Flame would check to see if it was connected to the Internet and then copy itself and the stolen files to the new host, which the malware used to compress the data and transmit it to the controller's server over HTTPS.

Flame would not store stolen documents in the new host, unless it was sure there was an Internet connection, Bitdefender said. "This is how it ensures that it has the best chances to call back home and send leaked data to the attacker."


The malware hid in storage devices by naming the folder that contained the malware and stolen data. "Because Windows could not read the name, the folder remained hidden from the user, giving him or her no reason to suspect they were carrying stolen information," Bitdefender said.

"The main idea behind this is something that we have not seen before: the information mule is a person who is used to carry information between two systems," Bitdefender said.

Flame was capable of infecting networked PCs, but that function was turned off to prevent the malware from spreading too far into a network, thereby increasing its chances of detection. Bitdefender acknowledged that the malware creators might also have had an accomplice who acted as a data smuggler in carrying an infected USB drive from one PC to another.

Dangerous Inspiration

The success Flame creators had in using USB memory sticks will be studied by hackers. "The technicalities of how Flame uses the USB stick are new and show that attackers who are determined to penetrate deep inside secure environments are using USB devices to gain that access and to exfiltrate the data they discover too," Liam O Murchu, manager of operations for Symantec Security Response, said in an email Tuesday. "Flamer's use of this USB technique shows that this is an avenue of attack that is highly valuable and will be used again and again."

The mode of infection was one more example of Flame's list of sophisticated techniques, which included fooling Microsoft Terminal Services into having its certificate authority generate fake digital signatures. Once embedded in the code, the signatures made Flame appear to be Microsoft software, while the malware altered and updated its code.

Flame has been linked to the Stuxnet malware blamed for damaging uranium-enrichment systems in Iran's nuclear facility in 2010. Kaspersky Labs discovered that a component of Flame, which was created in 2008, was also in the 2009 version of Stuxnet. Quoting anonymous sources in the Obama administration, The New York Times recently reported that Stuxnet was the creation of U.S. and Israeli government agents.

Because Flame and Stuxnet were highly targeted attacks, neither is believed to pose much of a threat to most corporations. Nevertheless, the vulnerabilities exposed by Flame, particularly the flaw in Microsoft's issuance of digital signatures, were significant. Venafi, which sells key and certificate management technology, reported that more than a quarter of Global 2000 companies were vulnerable to attackers using the exploit. Microsoft has released a patch for the hole.
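
For defenders, the hidden-folder behaviour described above can be checked on a stick image. The following is an added example, not code from the article or from Bitdefender: it parses the raw root directory of a FAT-formatted drive and flags entries whose names Windows cannot address. The article does not give the folder name, so the name classes checked, the FAT assumption and the sample bytes are all assumptions constructed for illustration.

```python
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_LFN = 0x08, 0x10, 0x0F
# Bytes the FAT specification forbids in 8.3 short names (plus controls < 0x20).
ILLEGAL = set(b'"*+,./:;<=>?[\\]|')
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}

def short_name(raw):
    """Join the space-padded 8-byte base and 3-byte extension of a FAT entry."""
    base = raw[:8].decode("latin-1").rstrip(" ")
    ext = raw[8:11].decode("latin-1").rstrip(" ")
    return f"{base}.{ext}" if ext else base

def suspicious_root_entries(root_dir):
    """Return (name, kind, reason) for root entries Windows cannot name."""
    findings = []
    for off in range(0, len(root_dir) - 31, 32):
        entry = root_dir[off:off + 32]
        first, attr = entry[0], entry[11]
        if first == 0x00:                      # end-of-directory marker
            break
        if first == 0xE5 or (attr & ATTR_LFN) == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue                           # deleted slot, long-name slot, label
        raw = (b"\xe5" if first == 0x05 else entry[:1]) + entry[1:11]  # 0x05 escapes 0xE5
        name = short_name(raw)
        stem = raw[:8].rstrip(b" ")
        if stem in (b".", b".."):
            reason = "dot entry in root directory (valid only inside subdirectories)"
        elif any(b < 0x20 or b in ILLEGAL for b in stem + raw[8:11].rstrip(b" ")):
            reason = "illegal byte in short name"
        elif name.split(".")[0].upper() in RESERVED:
            reason = "reserved DOS device name"
        else:
            continue
        findings.append((name, "dir" if attr & ATTR_DIRECTORY else "file", reason))
    return findings

def _entry(base, ext, attr):
    """Build one 32-byte directory entry (hypothetical helper for the sample)."""
    return base.ljust(8) + ext.ljust(3) + bytes([attr]) + bytes(20)

# Constructed sample root directory, not taken from any real device.
SAMPLE_ROOT = b"".join([
    _entry(b"USBSTICK", b"", 0x08),    # volume label
    _entry(b"REPORT", b"DOC", 0x20),   # ordinary file
    _entry(b".", b"", 0x10),           # directory entry Windows cannot display
    _entry(b"PHOTOS", b"", 0x10),      # ordinary directory
    _entry(b"AUX", b"", 0x10),         # reserved device name
    bytes(32),                         # end-of-directory marker
])
```
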
