Analysis of the Flame C&C: the cyber war began long ago

In May, the Iranian Computer Emergency Response Team Coordination Center, CrySyS Lab and Kaspersky Lab published news of a new malware that had been detected and that hit mainly Windows systems in the Middle East, specifically in Iran.

The malware was evidence of a huge ongoing cyber espionage campaign; the level of complexity and the targeted area immediately suggested a state-sponsored operation, and the various layers of encryption present in the agent led the Kaspersky team to seek help from expert cryptographers.

The investigation conducted by the Kaspersky team demonstrated a link between Stuxnet and Flame, confirming the hypothesis that the developers of the two projects had the opportunity to collaborate on the creation of the detected Flame.

The Kaspersky team has joined Symantec, ITU-IMPACT and CERT-Bund/BSI to perform further analysis of the powerful cyber espionage tools detected.

An accurate forensic analysis of the command & control servers revealed an additional three unidentified pieces of malware under the control of the attackers, but the more alarming discovery concerns an alleged agent still in the wild.

Another surprising revelation is the date of the first use of Flame: initially thought to be 2010, it appears to be 2006.

The C&C servers discovered were owned by a European company with data centers in another European Union country.

The group of security analysts obtained a server image, an OpenVZ file-system container; OpenVZ is an operating system-level virtualization technology based on the Linux kernel and operating system.

OpenVZ allows a physical server to run multiple isolated operating system instances, but it made forensic analysis difficult.

The study demonstrated that the malware authors intentionally tried to cover the tracks of their operations by providing fake clues to disorient analysts: for example, the C&C servers present an elementary structure and look and feel to give the impression that they had been prepared by script kiddies, equipped with a simple and anomalous botnet control panel.

In fact, the bots do not receive commands directly from the console; instead, the attackers uploaded specially crafted tar.gz archives containing scripts that were processed by the server.

The server extracted the scripts from the archive, looking for *.news and *.ad files located in specific directories; the priority and the target client ID were stored in the name of the file uploaded to the C&C server, following this convention:

<random_number>_<user_type>_<user_id>_<priority>.<file extension>

Going deeper into the code analysis, the researchers discovered that the C&C server was able to use different communication protocols, probably used to “converse” with different clients. The protocols discovered are named:

  • OldProtocol
  • OldProtocolE
  • SignupProtocol
  • RedProtocol (mentioned but not implemented)

Four protocols dedicated to four different types of malware, SP, SPE, FL and IP, where FL stands for Flame; according to the code analyzed, the remaining clients are similar agents.
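As an added example (not code from the original post or from the Kaspersky report), the following script triages a directory listing recovered from a seized C&C server using the filename convention and the four client types described above. It assumes that the `<user_type>` field carries the client type (SP, SPE, FL, IP) and that the priority field is a plain integer; the sample listing is constructed for demonstration only.

```python
import re
from collections import Counter

# Naming convention the report gives for files uploaded to the C&C server:
#   <random_number>_<user_type>_<user_id>_<priority>.<file extension>
# Only *.news and *.ad files were processed by the server; others are skipped.
FILENAME_RE = re.compile(
    r"^(?P<random>\d+)_(?P<user_type>[A-Za-z]+)_(?P<user_id>[A-Za-z0-9]+)"
    r"_(?P<priority>\d+)\.(?P<ext>news|ad)$"
)
# Client types named in the report (FL = Flame). Reading <user_type> as this
# client type is an assumption of this example, not a finding of the report.
KNOWN_CLIENT_TYPES = {"SP", "SPE", "FL", "IP"}

def parse_task_filename(name):
    """Return the filename's fields as a dict, or None if it does not follow the convention."""
    m = FILENAME_RE.match(name)
    if m is None:
        return None
    return {"filename": name, "random_number": int(m["random"]),
            "user_type": m["user_type"], "user_id": m["user_id"],
            "priority": int(m["priority"]), "extension": m["ext"]}

def triage_listing(names):
    """Split a listing into parsed task files (sorted by priority value ascending;
    which direction is more urgent is not stated in the report, so that is an
    assumption), a count per client type, unknown client types, and skipped names."""
    parsed, skipped = [], []
    for name in names:
        task = parse_task_filename(name)
        if task is None:
            skipped.append(name)
        else:
            parsed.append(task)
    parsed.sort(key=lambda t: (t["priority"], t["random_number"]))
    per_type = Counter(t["user_type"] for t in parsed)
    unknown_types = sorted(set(per_type) - KNOWN_CLIENT_TYPES)
    return parsed, per_type, unknown_types, skipped

# Constructed sample listing for demonstration; not taken from the real server.
SAMPLE_LISTING = [
    "48213_FL_a1b2c3_3.news",
    "91827_SPE_d4e5f6_1.ad",
    "55501_FL_a1b2c3_9.news",
    "10044_IP_0099aa_2.ad",
    "31337_XX_ffeedd_4.news",  # client type not among the four in the report
    "index.php",               # unrelated file, skipped
    "77731_FL_zz_5.txt",       # wrong extension, skipped
]
```

Unknown client types in the output are the interesting part for an analyst: a type outside SP, SPE, FL and IP would point to a client the code analysis had not yet accounted for.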

If Flame has been detected, what about the remaining agents?

By redirecting the botnet traffic to a “sinkhole,” to observe traffic from infected machines and prevent further distribution of malware and scams, the researchers distinguished two different streams of data, related respectively to Flame and to another client, the SPE malware, demonstrating that it is operating in the wild.

The security experts provided interesting data on the traffic directed to the C&C server: starting on March 25th, over one week, 5377 unique IP addresses connected to the server located in Europe; 3700 connections originated from Iran and around 1280 from Sudan.

Fewer than 100 connections were made from other countries such as the United States, Germany and India; the targeted region and the number of infections in specific countries indicate a state-sponsored intelligence operation conducted against Iran and Sudan.

According to Alexander Gostev, chief security expert at Kaspersky Lab, what has been discovered is a cyber espionage campaign conducted on a large scale.

One of the most valuable traces left by the four developers in the scripts were their nicknames and internal timestamps, the earliest of which is dated Dec. 3, 2006.

Singularly, one of the developers worked on the majority of the files, demonstrating great experience; according to the report, this developer was probably the team leader.

“He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms. We think [developer] was most likely a team lead,” states the study.

Other interesting information discovered from the analysis of the C&C servers is the last modification date, May 18th, and the presence of automated scripts used to delete log files and disable the logging function. The researchers also found that a shred tool, also used by the Duqu team, was used to wipe information, and some scripts that downloaded new data and removed old data every 30 minutes.

The analysis of the security experts revealed that the project started earlier than 2010, contrary to what was believed, and highlighted the great complexity of the encryption used: the information gathered by the malware is, in fact, encrypted on the server and only the attackers can read it.

Flame was just a part of a state-sponsored project; it is quite possible that similar projects are still ongoing, and what is singular in my opinion is the ability to remain hidden for a long period, a characteristic that makes these agents really dangerous... the cyber war began long ago.


Pierluigi Paganini

(Security Affairs – Flame, cyberespionage)
