
Flame Malware

posted May 30, 2012, 6:33 AM by Beau Bullock   [ updated Aug 29, 2012, 6:41 AM ]

There has been a lot of media coverage the past couple of days about a massive new piece of malware, called “Flame”, that has been found infecting systems in Iran and elsewhere.  So far the researchers think it has been spreading for 2-8 years without AV detecting it.  Its primary goal is to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes.  The attackers also built a backdoor into Flame so they can update it and add new functionality whenever they want.

It can turn on the microphone to listen to nearby conversations or record Skype calls.  It can turn Bluetooth-enabled computers into a Bluetooth beacon.  Once Bluetooth has been enabled, the computer scans for other Bluetooth-enabled devices in the vicinity and siphons names and phone numbers from their contacts folders.  It has a module that stores frequent screenshots: every 15 seconds it saves a screenshot of the computer's current desktop, including any applications that are open.  It has a network sniffer that collects any cleartext usernames or passwords being sent over the network, and for transmissions that are encrypted it also has a keylogger function.  The malware sends all of the collected information over SSL to command and control.

It tries to connect to one of about 80 command and control domains and has an updatable list in case those are taken down or abandoned.  The malware has the ability to infect a fully patched Windows 7 computer, which suggests that it may be using a zero-day vulnerability in Microsoft's code that the researchers have not yet found.  The command and control servers also have the ability to remotely wipe all of the stolen data from the infected machine.

Allegedly it detects which AV is on the system and drops the malware binaries under different file extensions accordingly.  So it might normally drop a .OCS file, but if McAfee is on the system it uses the .TMP extension so the file does not get scanned.  They say that Kaspersky knew about this malware for a month and didn't add a signature to their detection software until a few days ago.
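As an added defender-side illustration (not from the original post), the extension-switching trick described above is one reason a scanner should classify files by content rather than by name. The Python below flags files whose bytes carry a Windows PE header but whose extension is not one that normally holds executable code; the file names and header bytes are constructed samples, not Flame artifacts.

```python
import os
import struct
from typing import Iterable, List, Tuple

# Extensions that legitimately carry Windows PE (executable/library) content.
PE_EXTENSIONS = {".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl", ".drv", ".efi"}

def is_pe_image(data: bytes) -> bool:
    """True if data starts a PE image: 'MZ' DOS header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_disguised_pe_files(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return paths whose content is a PE image but whose extension says otherwise (e.g. .TMP)."""
    flagged = []
    for path, head in files:
        ext = os.path.splitext(path)[1].lower()
        if is_pe_image(head) and ext not in PE_EXTENSIONS:
            flagged.append(path)
    return flagged

def scan_directory(root: str, head_size: int = 4096) -> List[str]:
    """Walk a directory tree, reading only each file's first head_size bytes for the header check."""
    def heads():
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        yield full, fh.read(head_size)
                except OSError:
                    continue  # unreadable file: skip it rather than abort the whole scan
    return find_disguised_pe_files(heads())

def build_sample_pe_header() -> bytes:
    """Constructed stand-in for a real binary: minimal MZ header whose e_lfanew points at 'PE\\0\\0'."""
    header = bytearray(0x100)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)

if __name__ == "__main__":
    sample = [("temp/update.TMP", build_sample_pe_header()),       # constructed: PE bytes under a .TMP name
              ("docs/report.docx", b"PK\x03\x04" + bytes(60)),     # constructed: ordinary zip-based document
              ("tools/helper.dll", build_sample_pe_header())]      # constructed: PE bytes under a normal name
    print(find_disguised_pe_files(sample))  # ['temp/update.TMP']
```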

This is a great example of why anti-virus cannot be treated as an absolute defence when it comes to fighting infections.
More information on this malware can be found at:
Written by Beau Bullock