Forensic analysis of a number of Flame malware toolkit command-and-control servers revealed that three additional, as-yet unidentified pieces of malicious code are under the control of the attackers, including one in the wild. Researchers at Kaspersky Lab, Symantec, CERT-Bund/BSI, and the International Telecommunication Union's Impact Alliance said today they also determined that the first work on the Flame espionage campaign was carried out in 2006, much earlier than 2010, the year in which development was initially thought to have begun.
In June, Kaspersky Lab reported they'd found a definitive connection between Flame and Stuxnet; researchers said the unidentified malware reported today has no connection to either Stuxnet or Gauss, another nation-state threat discovered by Kaspersky last month.
Analysis also determined that at least four programmers are on the team behind the attacks, each with varying levels of expertise; additional confirmation was also made that sophisticated cryptography is being used to encrypt data as it's sent between the victims' machines and the C&C servers. The C&C code also handles three communications protocols, and researchers saw evidence of a fourth under development.
Alexander Gostev, chief security expert at Kaspersky Lab, called the discoveries examples of cyber espionage conducted on a massive scale.
The attackers, researchers said, spent significant resources covering their tracks and disguising the project from hosting providers. The C&C platform used by Flame was made to look like an ordinary content management system, and unlike most botnet control panels, which rely on labels such as "malware," "command" and "infection," these attackers used common terms such as "data," "download," "client," "news," "blog," "ads" and more. Also, the C&C panel was not set up to send commands to the victim; instead, the attackers uploaded special tar.gz archives, and scripts on the server extracted the archive contents. The script also encrypted all the files received from a zombie machine using Blowfish, and the Blowfish key was itself encrypted in turn, so that no one other than the attacker, who holds the private key, could decrypt the files.
Communication was carried out over four protocols: OldProtocol, OldProtocolE, SignupProtocol and RedProtocol (under development). Four different types of malware clients were revealed: SP, SPE, FL and IP. FL, researchers determined, is Flame, and they concluded that the three remaining client names refer to similar malware tools. The researchers used a sinkhole--the networking equivalent of a honeypot--to catalog connections into two categories, those coming from Flame and another set from the SPE malware client, confirming that SPE is in the wild as well.
For one week, starting March 25, 5,377 unique IP addresses connected to a C&C server owned by a European country with data centers in another EU country. More than 3,700 connections were made from Iran, another 1,280 from the Sudan. Researchers deduced this was a targeted campaign against these two nations, since no large amount of activity had been detected originating from the Sudan in particular before. Fewer than 100 connections were made from each of the United States, Germany, India, Pakistan, the United Kingdom and several other countries, most of them in the Middle East.
The server had limited functionality, and infected machines supported few commands, including some that would fetch updates and new Flame modules, some storage commands and some directory commands. Researchers also found that the four respective developers left their nicknames and timestamps in the scripts, the earliest timestamp being Dec. 3, 2006. One developer in particular worked on a majority of the files and seemed to be the more experienced of the four. "He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms. We think [developer] was most likely a team lead," the report said.
The C&C server was running a 64-bit version of the Debian operating system; researchers obtained a server image, which was an OpenVZ file-system container. Most of the code was written in PHP; some Python and bash were used. All data was stored in a MySQL database with InnoDB tables. The Web server was Apache 2.x with self-signed certificates. The last modification to the C&C server was made May 18.
The forensics also turned up automated scripts that would wipe log files and disable further logging. Researchers also found the chkconfig tool present, a Debian version of a tool popular on Red Hat/CentOS systems that was also found in Duqu. A shred tool, also used by the Duqu team, was used here to wipe information. Other scripts were found that downloaded new data and removed old data every 30 minutes.