Three Secrets & Full Analysis of Flame's Command & Control Servers Unraveled

Three Secrets & Full Analysis of Flame's Command & Control Servers Unraveled

Flame the next generation cyber weapon which is also known as 'The Super Spy' has already fascinated the cyber-security industry with its sophistication and versatility as a Swiss-Army knife of cyber-spying. Recently security firm Kaspersky lab has published a new report on the sophisticated nation-state sponsored Flame cyber-espionage campaign. During the research, conducted by Kaspersky Lab in partnership with International Telecommunication Union’s cybersecurity executing arm - IMPACT, CERT-Bund/BSI and Symantec, a number of Command and Control (C&C) servers used by Flame’s creators were analyzed in detail. The analysis revealed new, groundbreaking facts about Flame. Particularly, traces of three yet undiscovered malicious programs were found, and it was discovered that the development of the Flame platform dates back to 2006.

Main findings:

• The development of Flame’s Command and Control platform started as early as December 2006.
• The C&C servers were disguised to look like a common Content Management System, to hide the true nature of the project from hosting providers or random investigations.
• The servers were able to receive data from infected machines using four different protocols; only one of them servicing computers attacked with Flame.
• The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created; their nature is currently unknown.
• One of these Flame-related unknown malicious objects is currently operating in the wild.
• There were signs that the C&C platform was still under development; one communication scheme named “Red Protocol” is mentioned but not yet implemented.
• There is no sign that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.

The Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International Communication Union. Following this discovery, ITU-IMPACT acted swiftly to issue an alert to its 144 member nations accompanied with the appropriate remediation and cleaning procedures. The complexity of the code and confirmed links to developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation. Originally it was estimated that Flame started operations in 2010, but the first analysis of its Command and Control infrastructure (covered by at least 80 known domains names) shifted this date two years earlier.

The findings in this particular investigation are based on the analysis of the content retrieved from several C&C servers used by Flame. This information was recovered despite the fact that Flame’s control infrastructure went offline immediately after Kaspersky Lab disclosed the existence of malware. All servers were running the 64-bit version of the Debian operating system, virtualized using OpenVZ containers. Most of the servers’ code was written in the PHP programming language. Flame’s creators used certain measures to make the C&C server look like an ordinary Content Management System, in order to avoid attention from the hosting provider.

Sophisticated encryption methods were utilized so that no one, but the attackers, could obtain the data uploaded from infected machines. The analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, and only one of them was compatible with Flame. It means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related malware is operating in the wild. These unknown malicious programs are yet to be discovered.

Another important result of the analysis is that the development of the Flame C&C platform started as early as December 2006. There are signs that the platform is still in the process of development, since a new, yet not implemented protocol called the “Red Protocol” was found on the servers. The latest modification of the servers’ code was made on May 18, 2012 by one of the programmers.

“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers. Flame’s creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data that one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale,” commented Alexander Gostev, Chief Security Expert, Kaspersky Lab. 

Here we want to remind you that after the episode of 'Duqu'; In the middle of this year The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted Stuxnet attacking the country's internal system. This newly found Stuxnet have been dubbed Flame (also known as Flamer or Skywiper). Later it was spotted in the wild when software giant Microsoft confirmed that its Windows Server Update Services (WSUS), Windows Update (WU) has been infected by Flame malware. Also in many fields, the name of 'Flame' was on the high node. 

For detailed analysis on Flame's command and control (C&C) servers click Here

-Source (Kaspersky)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Three Secrets & Full Analysis of Flame's Command & Control Servers Unraveled"https://www.voiceofgreyhat.com/2012/09/Full-Analysis-of-Flame-Command-and-Control-Servers-Unraveled.html</a>

Flame -The "Super Spy" Even On Offline Computers Turning Users into Data Mules

Flame -The "Super Spy" Even On Offline Computers Turning Users into Data Mules

The program known as Flame has fascinated the cyber-security industry with its sophistication and versatility as a Swiss-Army knife of cyber-spying. Now researchers have discovered another unexpected tool in its data-stealing arsenal: You.

Malware analysts at the security firm Bitdefender say they’ve found a unique capability within Flame’s code that would potentially allow it to steal data even from computers that aren’t connected to the Internet or to other networked machines. Instead of simply uploading stolen data to a remote server as traditional spyware does, Flame can also move the target information–along with a copy of itself–onto a USB memory stick plugged into an infected machine, wait for an unwitting user to plug that storage device into an Internet-connected PC, infect the networked machine, copy the target data from the USB drive to the networked computer and finally siphon it to a faraway server.

Spreading itself over an infected USB device is hardly a new trick for malware. But Bitdefender’s researchers say they’ve never before seen a cyberespionage program that can also move its stolen digital booty onto the USB stick of an oblivious user and patiently wait for the opportunity to upload it to the malware’s controllers.

“It turns users into data mules,” says Bitdefender senior malware analyst Bogdan Botezatu. “Chances are, at some point, a user with an infected flash drive will plug it into a secure computer in a contained environment, and Flame will carry the target’s information from the protected environment to the outside world…It uses its ability to infect to ensure an escape route for the data. This is is somewhat revolutionary for a piece of malware.”

Flame was designed to use the same .lnk autorun vulnerability first exploited by the NSA-built Stuxnet malware to invisibly install itself on USB devices. To hide its trove of stolen data on the user’s device, Flame copies both itself and its data to a folder labelled with a single “.” symbol, which Windows fails to interpret as a folder name and thus renders as invisible to the user. “What we have here is a little hack/exploit performed on how the operating system is interpreting file names,” Bitdefender’s researchers wrote in a blog post on Flame last week.

When an infected USB is plugged into a networked machine, Flame checks that it can contact its command and control server through that computer. Then it moves its target data off the USB to the PC, compresses it, and sends it to the remote server via HTTPS, according to Bitdefender’s analysis. The researchers found that while Flame is capable of infecting networked PCs for the purpose of exfiltrating its data, the version they analyzed had rendered that infection capability inactive, perhaps to avoid the spyware spreading too far, so that only PCs already infected with Flame would be capable of acting as gateways back to the malware controller’s server. The fact that the spyware’s infection technique was turned off may be evidence that the “data mule” in the Flame operation may in fact have been aware of his or her role as an data smuggler.

Regardless, Botezatu says Flame’s USB-piggybacking trick fits with its profile as a highly sophisticated spying tool meant to steal a target’s most protected secrets–not just another cybercriminal keylogger designed to catch credit card numbers. “Most of the infrastructure it targets is highly contained, often without Internet access,” says Botezatu. “It’s natural for Flame to have a mechanism for moving data from one environment to another that doesn’t rely on Internet or network communications.” For additional details can be found here

-Source (Forbes)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Flame -The "Super Spy" Even On Offline Computers Turning Users into Data Mules"https://www.voiceofgreyhat.com/2012/06/flame-super-spy-even-on-offline.html</a>

USA Accused For Planting "Flame" Malware to Hack France President's Network

USA Accused For Planting "Flame" Malware to Hack France President's Network

A well known French newspaper named "L'Express" has accused that United States is using dangerous cyber weapon "Flame" to break into the computer networks inside France’s presidential palace also known as the Elysee. In his report L'Express has published details of what it claims was a sophisticated state-sponsored hack into the offices of the French presidency earlier this year with the intention of stealing data. According to the newspaper, the malware attack took place in May 2012, shortly before the second round of presidential elections in France, but has been kept secret until now. The newspaper alleges that the attackers reportedly found their targets on Facebook, identifying people working inside the presidential palace and connecting with them on the social network. The social engineering laid the groundwork for the next phase of the attack; the victims were then sent links to a fake Elysee intranet page where their login credentials were stolen. Workers at the Élysée Palace are said to have been befriended on Facebook by hackers, who then sent their victims a link to what purported to be a login page for the Élysée intranet site. In this way, it's claimed, login credentials were stolen. It is alleged that malware was then installed on the network, infecting computers belonging to senior political advisors, including Xavier Musca, Secretary-General of Nicolas Sarkozy's office. The United States Embassy in Paris has denied any involvement in hacking its ally. “We categorically refute allegations of unidentified sources,” Mitchell Moss, Embassy spokesman, told l’Express. “France is one of our best allies. Our cooperation is remarkable in the areas of intelligence, law enforcement and cyber defense. It has never been so good and remains essential to achieve our common fight against extremist threat.” Though the secretary  of Department of Homeland Security Janet Napolitano did not deny the U.S. was involved. She told l’Express: “We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

While talking about Flame, we would like to remind you that after the episode of 'Duqu'; In the middle of this year The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted Stuxnet attacking the country's internal system. This newly found Stuxnet have been dubbed Flame (also known as Flamer or Skywiper). Flame the next generation cyber weapon which is also known as 'The Super Spy' has already fascinated the cyber-security industry with its sophistication and versatility as a Swiss-Army knife of cyber-spying. Later it was spotted in the wild when software giant Microsoft confirmed that its Windows Server Update Services (WSUS), Windows Update (WU) has been infected by Flame malware. Also in many fields, the name of 'Flame' was on the high node. 

-Source (NS & threatpost)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">USA Accused For Planting "Flame" Malware to Hack France President's Network"https://www.voiceofgreyhat.com/2012/11/USA-Accused-For-Planting-Flame-to-Hack-France.html</a>

Department of Homeland Security (DHS) Said -Cyber Crime is As Threatening As al Qaeda

Department of Homeland Security (DHS) Said -Cyber Crime is As Threatening As al Qaeda

The number of organized cyber crime has already kisses the sky. Keeping this scenario in mind Janet Napolitano, Secretary of Homeland Security, said that "the greatest threats in actual activity we've seen aimed at the West and the United States has been in the cyber-arena", in addition to "al Qaeda and al Qaeda-related groups" The comments highlight the increasing trend of political sparring and espionage proliferating on the Web. The Flame virus, believed to be driven by a western government, continues to grab headlines, while he also claimed that Google has introduced a tool to warn users of state-sponsored attacks on their accounts. Though gmail completely denied this blame while saying that Govt hired State-Sponsored attackers who ware accessing millions of Gmail accounts illegally. 

Napolitano also said the government is taking steps to be "proactive instead of reactive" in combating the new threats, adding that the worldwide cost of tackling cyber-crime - an estimated $388 billion (£250 billion) - is "already outstripping [the cost of tackling] traditional narcotics". 

A White House plan code-named Olympic Games was launched to infect Iran's nuclear program at the beginning of the Obama administration, though Washington denies the Flame virus, also targeting Iran, was part of the project, after it was found to have existed for a number of years.

-Source (IT Portal)

.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Department of Homeland Security (DHS) Said -Cyber Crime is As Threatening As al Qaeda"https://www.voiceofgreyhat.com/2012/06/department-of-homeland-security-dhs.html</a>

Federal Judge Opened The Gate For 14 Anonymous Members To Use Twitter

Federal Judge Opened The Gate For 14 Anonymous Members To Use Twitter Freely

A Federal judge in San Jose, Calif. Has opened the gates for 14 alleged members of anonymous to continue using Twitter as one of the "principle tools through which the members of the Anonymous hacking group planned and coordinated their criminal activities," according to prosecutors opposing the decision. The first question came up in January as a motion from Vincent Kershaw, indicted along with 13 other alleged Anon members for attacking PayPal following the arrest of WikiLeaks founder Julian Assange.
Kershaw could have simply argued that preventing him from Tweeting about issues having nothing to do with his legal situation or the charges against him was a violation of his First Amendment right to free speech. Even in court, where current events, fashions and politics are supposed to be banished from legal decisions, requests go over much more easily when they hit the issues that are big today rather than when the Constitution was written.
Despite arguments that the dangerous, subversive hackers of Anonymous use the overly public Twitter to plan their misdeeds, Judge Paul Grewal ruled prosecutors hadn't sufficiently linked specific Twitter accounts to their assumption that every key-press by an Anonymous sympathizer was necessarily a felony or act of treason.
Therefore Kershaw and his fellow defendants are free to Tweet themselves or participate in Twitter Town Halls and other online events. They're not allowed to use IRC, however, which Anonymous actually does use to plan and coordinate its various activities, not to mention gossip about each other, engage in private flame wars that break out into public doxings, swap files, swap pictures and do all the other social things people do online, especially when their physical liberty is limited.
Kershaw is a 28-year-old foreman for a Colorado landscaping company, was arrested along with 15 others for a DDOS attack the DoJ charges they participated in and which was organized by Anonymous. He was released July 2 on a bond of $10,000 on condition he not access the Internet from any computer and that he allow a probation officer to verify he had not done so.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Federal Judge Opened The Gate For 14 Anonymous Members To Use Twitter"https://www.voiceofgreyhat.com/2012/03/federal-judge-opened-gate-for-14.html</a>

UltrasMalaya.net (Malaysian football website) Hacked

A Singaporean has hacked into Malaysian football website UltrasMalaya.net in retaliation for Malaysian netizens flaming Singaporeans after their national team's loss to the Republic in recent World Cup qualifying rounds. According to online sources, a hacker who called himself GPT InDuStRiEs claimed responsibility for his actions and wrote:
"UltrasMalaya.net hacked for having fans which constantly flame, hack and deface Singaporeans due to the recent Malaysia VS Singapore match. "Checkmate, oh my!"
A check by AsiaOne revealed that the UltrasMalaya.net website requires a user name and password to access.

Previously, Malaysian football fans had hacked into a Singapore website on July 31 and put a picture of Malaysia's national striker, Mohd Safee Mohd Sali, in the centre of the homepage. The hackers said they hacked into the website as they were angry at Singapore fans for being "so rude" when Malaysia lost to Singapore. The hackers also accused Singapore's Lions of "cheating" and "acting", and that they won because of their foreign players.
Singapore and Malaysia met twice in the qualifying round for World Cup 2014. Singapore eventually beat their rivals and progressed on to the next stage of qualifiers.

-News Source (Aisiaone)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">UltrasMalaya.net (Malaysian football website) Hacked"https://www.voiceofgreyhat.com/2011/08/ultrasmalayanet-malaysian-football.html</a>

Flamer/Skywiper Stuxnet- Newly Found Cyber-Weapon Discovered By Iran National CERT (MAHER)

Flamer/Skywiper Stuxnet- Newly Found Cyber-Weapon Discovered by Iran National CERT (MAHER)

After "Duqu" now The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted Stuxnet attacking the country's internal system. This newly found Stuxnet have been dubbed Flame (also known as Flamer or Skywiper). The name “Flamer” comes from one of the attack modules, located at various places in the decrypted malware code. In fact this malware is a platform which is capable of receiving and installing various modules for different goals. At the time of writing, none of the 43 tested anti viruses could detect any of the malicious components. Nevertheless, a detector was created by Maher center and delivered to selected organizations and companies in first days of May. 

Key Features of “Flamer” :-

• Distribution via removable medias

• Distribution through local networks

• Network sniffing, detecting network resources and collecting lists of vulnerable passwords

• Scanning the disk of infected system looking for specific extensions and contents

• Creating series of user’s screen captures when some specific processes or windows are active

• Using the infected system’s attached microphone to record the environment sounds

• Transferring saved data to control servers

• Using more than 10 domains as C&C servers

• Establishment of secure connection with C&C servers through SSH and HTTPS protocols

• Bypassing tens of known antiviruses, anti malware and other security software

• Capable of infecting Windows Xp, Vista and 7 operating systems

• Infecting large scale local networks

For additional information about "Flamer" click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Flamer/Skywiper Stuxnet- Newly Found Cyber-Weapon Discovered By Iran National CERT (MAHER)"https://www.voiceofgreyhat.com/2012/05/flamerskywiper-stuxnet-newly-found.html</a>

Microsoft Security Bulletin (June 2012) Closed Security Hole in RDP, IE,Certificate Tool & .NET

Microsoft Security Bulletin (June 2012) Closed Security Hole in RDP, IE,Certificate Tool & .NET

Microsoft released June 2012 Security bulletin to close a total of 27 security holes in its products, among them 13 in Internet Explorer. The rest of the patches affect all currently supported Windows versions, the .NET Framework, Remote Desktop, Lync, Windows Kernel and Dynamics AX. The company separately announced changes to its automatic updater to block untrusted security certificates. Microsoft updated the updater tool after researchers uncovered how the Flame malware had gamed the process. The most important updates are bundled in the cumulative Internet Explorer patch (MS12-037), which includes fixes for the holes that were targeted by Pwn2Own exploits. Another urgent update is MS12-036, which concerns denial of service and remote code execution vulnerabilities in the Remote Desktop features built into all supported versions of Windows. The third critical update affects the .NET Framework (MS12-038). The remaining 4 updates are rated "important" by Microsoft and close code execution bugs in Lync and privilege escalation holes in Dynamics AX and Windows.

Through this security bulletin Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Microsoft Security Bulletin (June 2012) Closed Security Hole in RDP, IE,Certificate Tool & .NET"https://www.voiceofgreyhat.com/2012/06/microsoft-security-bulletin-june-2012.html</a>