What Have We Learned: Flame Malware


Published on June 15, 2012 by Dennis Fisher.


When the news about the Flame malware first broke several weeks ago, people from all parts of the security community, political world and elsewhere quickly began trying to figure out what the significance of the tool was and whether it represented anything new. That was difficult at the time, given the lack of data on its exact capabilities and parentage. But, with the information available to us now, it seems safe to say that Flame has changed the way that many people think about the threat landscape and the way attackers work, not just in the security community but in the political arena, as well.

What and how you think about Flame and its younger sibling Stuxnet depends largely on your position in the security or political community, as well as your history with these kinds of attack tools. By that I don’t mean whether you’ve been hit by Stuxnet or Duqu, but rather how you experienced the drama, hype and reality surrounding those attacks. For some people, the emergence of Stuxnet was the first time they saw hard evidence of a professional attack team with nation-level resources going after high-value targets. The target in that case was the Iranian Natanz nuclear facility, which immediately raised speculation that either Israel or the United States was behind the attack.

The same was true of the sandstorm surrounding the discovery of Duqu last year. Duqu had a larger and more diffuse target list, and it wasn’t immediately obvious what its purpose was or who its creators might be. But as the research progressed, experts eventually came to the conclusion that Stuxnet and Duqu were created by the same team. That added an extra layer of intrigue to the whole situation, providing more evidence that there was a seriously skilled attack team at work somewhere, possibly inside the U.S.

For some people, this made perfect sense. Of course the U.S. and/or Israel is attacking Iran and Syria and other countries with these kinds of weapons. As an addition to traditional intelligence tactics, an attack like Stuxnet would be a natural. It’s virtually impossible to attribute to anyone definitively and it’s very low risk for the attacker. No people are in harm’s way and the politicians and diplomats have the safety of deniability.

For others, Stuxnet and Duqu were simply two more pieces of malware, albeit ones that happened to show up inside some interesting networks. For the people in this category, cyberwar and the idea of governments attacking each other with sophisticated tools built by teams of expert hackers were pure fiction, the stuff of B movies. This position became largely untenable with the revelation that Stuxnet used several zero-day exploits and that whoever had built the two tools had likely invested several million dollars in their development.

Clearly, this team was not playing around.

Then there was the third group: the people who had direct experience with these kinds of attacks and tools, either on the offensive or defensive side. These are the kind of people who know what it takes to build a toolkit such as Stuxnet, and what the use of five high-value vulnerabilities says about the makeup and resources of the team doing the development. They mostly remained quiet about Stuxnet and Duqu, preferring to watch and learn.

But things changed rather quickly when word leaked out, via a David Sanger piece in The New York Times, that the U.S. and Israel actually did build Stuxnet. Then researchers said that some of the same components found in Stuxnet are also present in Flame, and that the same attackers likely built both tools. Flame is actually the oldest of the three pieces of malware and has been in circulation for at least five years, meaning that the team behind them has been operating for a long time.

So what have we learned from all of this?

First, we now know that there are a number of highly skilled offensive researchers and exploit writers out there, and not all of them work for Dave Aitel. Some of them work for the U.S. government and we have to assume that some of them work for the governments of Israel, the U.K., Russia, China and other countries, as well.

Second, we’ve learned that at least one of these teams is committing serious resources to its offensive program. One of the tactics Flame used to spread was a forged Microsoft certificate, which let the attackers set up a fake Windows Update proxy that installed the malware on victims’ machines. The attackers were able to generate the forged certificate in part through an MD5 hash collision, a difficult attack that is very expensive to execute, both in terms of money and resources. An analysis of the hash collision by Alex Sotirov of Trail of Bits, a researcher who helped develop the technique for this kind of collision several years ago, showed that the team behind Flame probably spent between $200,000 and $2 million to generate the hash collision.
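The defensive lesson from the forged certificate is that a chain element signed over MD5 should never be trusted, whatever it says about its issuer. The check below is an added example written for this article, not code from the Flame analysis or from any vendor: it walks the DER structure of a certificate far enough to read its signature algorithm OID and rejects MD5-based (and SHA-1-based) signatures. It only inspects the algorithm identifier, it does not verify signatures, and the sample certificate it builds is a constructed stand-in rather than a real X.509 object.

```python
# Added example (not code from the article): a small DER walker that reads a
# certificate's signatureAlgorithm and refuses MD5-based signatures, the
# weakness Flame's forged Microsoft certificate relied on.
MD5_RSA, SHA1_RSA, SHA256_RSA = ("1.2.840.113549.1.1." + s for s in ("4", "5", "11"))
WEAK = {MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption"}
# DER contents of two of the OIDs above (prefix 2A 86 48 86 F7 0D 01 01 + last arc)
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def der(tag: int, content: bytes) -> bytes:
    """Tag/length/value with short or long-form length, as DER requires."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, content, position after this element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: (n & 0x7F) length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(content: bytes) -> str:
    """Base-128 arcs back to dotted form; the first byte packs the first two arcs."""
    arcs, v = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, body, _ = read_tlv(cert_der, 0)
    _, _, p = read_tlv(body, 0)                # skip tbsCertificate
    _, algid, _ = read_tlv(body, p)            # AlgorithmIdentifier SEQUENCE
    return decode_oid(read_tlv(algid, 0)[1])   # its first element is the OID

def check_cert(cert_der: bytes) -> tuple:
    """Defender-side gate: reject any chain element signed over a broken hash."""
    alg = signature_algorithm(cert_der)
    return (False, "reject: " + WEAK[alg]) if alg in WEAK else (True, "ok: " + alg)

def fake_cert(oid_content: bytes) -> bytes:
    """Constructed stand-in, not a real certificate: the tbs holds only a serial."""
    tbs = der(0x30, der(0x02, b"\x01"))
    algid = der(0x30, der(0x06, oid_content) + der(0x05, b""))
    return der(0x30, tbs + algid + der(0x03, b"\x00" + b"\xaa" * 4))
```

In practice the same gate belongs in a real X.509 library's chain validation, applied to every certificate in the path, not just the leaf.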

“Using our forensic tool, we have indeed verified that a chosen-prefix collision attack against MD5 has been used for Flame. More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant. Therefore it is not unreasonable to assume that the particular chosen-prefix collision attack variant underlying Flame had already been in development before June 2009. This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis,” Marc Stevens, a Dutch academic cryptanalyst who worked on the 2008 hash collision with Sotirov, said in an analysis of the Flame technique.

In other words, this is not a lark.

And third, we have (hopefully) learned to take a little time to think and consider before making grand pronouncements about future attacks. Things are not always what they seem and sometimes the Internet is wrong.