Analysis on Flame C&C, the cyber war began long ago

Pierluigi Paganini September 18, 2012

In May, the Iranian Computer Emergency Response Team Coordination Center, CrySyS Lab and Kaspersky Lab published news of a new malware that had been detected and that had hit mainly Windows systems in the Middle East, specifically Iran.

The malware was evidence of a huge ongoing cyber espionage campaign. The level of complexity and the targeted area immediately suggested a state-sponsored operation, and the various levels of encryption present in the agent led the Kaspersky team to seek help from expert cryptographers.

The investigation conducted by the Kaspersky team demonstrated a link between Stuxnet and Flame, confirming the hypothesis that the groups of developers behind the two projects had the opportunity to collaborate in the creation of the detected Flame.

The Kaspersky team joined Symantec, ITU-IMPACT and CERT-Bund/BSI to perform further analysis of the powerful cyber espionage tools detected.

An accurate forensic analysis of the command & control servers revealed an additional three unidentified pieces of malware under the control of the attackers, but the alarming discovery is related to an alleged agent still in the wild.

Another surprising revelation is the date of the first use of Flame: initially thought to have begun in 2010, it appears to be 2006.

The C&C servers discovered were owned by a European company with data centers in another European Union country.

The group of security analysts obtained a server image, which was an OpenVZ file-system container. OpenVZ is an operating system-level virtualization technology based on the Linux kernel and operating system.

OpenVZ allows a physical server to run multiple isolated operating system instances, but it made forensic analysis difficult.

The study demonstrated that the authors of the malware intentionally tried to cover the tracks of their operations, providing fake clues to disorient the analysts. For example, the C&C servers present an elementary structure and look and feel, to give the impression that they had been prepared by script kiddies, and are equipped with a simple and anomalous botnet control panel.

The bots do not in fact receive commands directly from the console; instead, the attackers uploaded specially crafted tar.gz archives containing scripts that were processed by the server.

The server extracted the scripts from the archive, looking for *.news and *.ad files located in specific directories. Priority and target client ID were stored in the name of the file uploaded to the C&C server, with the following convention:

<random_number>_<user_type>_<user_id>_<priority>.<file extension>
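
As an added example (not code from the researchers' report or from the C&C server itself), the following Python sketch parses file names that follow this convention, as an analyst might when triaging files listed from a recovered server image. The numeric form of random_number and priority, the sample names and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath
from typing import NamedTuple, Optional

# Convention quoted in the article:
#   <random_number>_<user_type>_<user_id>_<priority>.<file extension>
# Assumed here: random_number and priority are decimal digits, and
# user_type and user_id are tokens containing neither "_" nor ".".
NAME_RE = re.compile(
    r"^(?P<rand>\d+)_(?P<user_type>[^_.]+)_(?P<user_id>[^_.]+)"
    r"_(?P<priority>\d+)\.(?P<ext>news|ad)$"
)

class QueuedFile(NamedTuple):
    rand: int
    user_type: str
    user_id: str
    priority: int
    ext: str

def parse_name(path: str) -> Optional[QueuedFile]:
    """Parse one recovered file name; return None if it does not fit."""
    m = NAME_RE.match(PurePosixPath(path).name)
    if m is None:
        return None
    return QueuedFile(int(m["rand"]), m["user_type"], m["user_id"],
                      int(m["priority"]), m["ext"])

def triage(paths):
    """Group entries by target client ID, ordered by priority value."""
    by_client, unparsed = defaultdict(list), []
    for path in paths:
        entry = parse_name(path)
        if entry is None:
            unparsed.append(path)  # keep for manual review
        else:
            by_client[entry.user_id].append(entry)
    for entries in by_client.values():
        entries.sort(key=lambda e: e.priority)
    return dict(by_client), unparsed

# Constructed sample names, as they might be listed from a server image.
SAMPLE = ["4821_1_1001_5.news", "977_2_1001_1.ad", "queue/15_1_2002_3.news",
          "readme.txt", "12_1_3003.news", "queue/33_1_2002_1.ad"]

if __name__ == "__main__":
    clients, leftovers = triage(SAMPLE)
    print(clients, "unparsed:", leftovers)
```

Names that do not match are returned separately rather than dropped, so files that deviate from the convention remain visible to the analyst.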

Going deeper into the code analysis, the researchers discovered that the C&C server was able to use different communication protocols, probably used to “converse” with different clients. The protocols discovered are named:

  • OldProtocol
  • OldProtocolE
  • SignupProtocol
  • RedProtocol (mentioned but not implemented)

The four protocols are dedicated to four different types of malware, SP, SPE, FL and IP, where FL stands for Flame; according to the code analyzed, the remaining clients are similar agents.

If Flame has been detected, what about the remaining agents?

By redirecting the botnet traffic to a “sinkhole” to oversee traffic from infected machines and prevent further distribution of malware and scams, the researchers distinguished two different streams of data, related respectively to Flame and to another client, the SPE malware, demonstrating that it is operating in the wild.

The security experts have provided interesting data on the traffic directed to the C&C server: during one week starting on March 25th, 5377 unique IP addresses connected to the server located in Europe; 3700 connections originated from Iran and around 1280 from Sudan.

Fewer than 100 connections were made from other countries such as the United States, Germany, and India. The region targeted and the number of infections related to specific countries give an indication of a state-sponsored intelligence operation conducted against Iran and Sudan.

According to Alexander Gostev, chief security expert at Kaspersky Lab, a cyber espionage campaign conducted on a large scale has been discovered.

Among the most valuable traces left by the 4 developers in the scripts were their nicknames and internal timestamps, the earliest of which is dated Dec. 3, 2006.

It is notable that one of the developers worked on a majority of the files, demonstrating great experience; according to the report, this developer may have been the team leader.

“He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms. We think [developer] was most likely a team lead,” states the study.

Other interesting information from the analysis of the C&C servers includes the last modification date, May 18th, and the presence of automated scripts used to delete log files and disable the logging function. The researchers found that a shred tool, also used by the Duqu team, was used to wipe information, along with some scripts that downloaded new data and removed old data every 30 minutes.

The analysis of the security experts revealed that the projects started earlier than 2010, contrary to what was believed, and highlighted the great complexity of the encryption used: the information gathered by the malware is in fact encrypted on the server, and only the attackers can read it.

Flame was just a part of a state-sponsored project; it’s quite possible that similar projects are still ongoing, and what is singular in my opinion is the ability to remain hidden during a long period, a characteristic that makes these agents really dangerous... the cyber war began long ago.


Pierluigi Paganini

(Security Affairs – Flame, cyberespionage)
