Malware That Confounded The Internet World In 2012
Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab of the Budapest University of Technology and Economics. The last of these stated in its report that Flame "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." Flame can spread to other systems over a local network (LAN). It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.
According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. At that time 65% of the infections happened in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt, with a "huge majority of targets" within Iran. Flame has also been reported in Europe and North America. Flame supports a "kill" command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the "kill" command was sent.
Flame (a.k.a. Da Flame) was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers. As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program "Flame" after one of the main modules inside the toolkit [FROG.DefaultAttacks.A-InstallFlame].
According to Kaspersky, Flame had been operating in the wild since at least February 2010. CrySyS Lab reported that the file name of the main component was observed as early as December 2007. However, its creation date could not be determined directly, as the creation dates for the malware's modules are falsely set to dates as early as 1994.
According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. At that time the countries most affected were Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. A sample of the Flame malware is available at GitHub.
Flame is an uncharacteristically large program for malware at 20 megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection. The malware uses five different encryption methods and an SQLite database to store structured information. The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications. The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems. The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software. Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.
Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority. The malware authors identified a Microsoft Terminal Server Licensing Service certificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft. A successful collision attack against a certificate was previously demonstrated in 2008, but Flame implemented a new variation of the chosen-prefix collision attack.
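The weakness the counterfeit certificate relied on, an MD5-based signature, is something a defender can audit for directly. The following is an added example, not code from the page, Kaspersky or Microsoft: a stdlib-only DER walker that reads an X.509 certificate's outer signatureAlgorithm OID and flags MD5 (and SHA-1) signatures; the certificate bytes it is run on are a constructed stand-in with the real outer Certificate layout, not the Flame certificate.

```python
# Added example (not code from the page, Kaspersky or Microsoft): a stdlib-only DER
# walker that reads an X.509 certificate's outer signatureAlgorithm OID and flags
# MD5-based signatures, the weakness the counterfeit Flame certificate relied on.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # also unsafe for code signing
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    # Base-128 arcs; the first byte packs arcs 1 and 2 as 40*a+b.
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(der, 0)
    _, _, tbs_end = _read_tlv(der, start)            # skip tbsCertificate wholesale
    alg_tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 Certificate")
    return _decode_oid(der[oid_start:oid_end])

def weak_signature(der):
    """Name of the weak algorithm if the certificate's signature uses one, else None."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(der))

# Constructed sample (not a real certificate): the real outer Certificate layout with
# a stub tbsCertificate, NULL parameters and an empty BIT STRING signature.
def _tlv(tag, payload):
    return bytes([tag, len(payload)]) + payload      # short-form lengths suffice here
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
def make_sample_cert(sig_oid):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))            # serialNumber 1 only
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
```

On a real certificate, pass the DER bytes (for PEM input, base64-decode the body between the BEGIN/END lines first); the long-form length handling in `_read_tlv` covers full-size certificates.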
Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick.
On 19 June 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel's military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts.
According to Kaspersky's chief malware expert, "the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it." Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers. After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability.
Examples of large arbovirus outbreaks, from the literature. This diagram illustrates several unexpected arbovirus outbreaks that have occurred in regions of the world which are currently the most vulnerable to arboviruses. It is likely that in the coming years other parts of the world will be affected, including regions that are outside of the tropical area.
Until recently, CHIKV episodes were restricted to diffuse epidemics in Africa where it was propagated by a variety of mosquitoes from the Aedes family, including Aedes furcifer, Aedes luteocephalus, Aedes taylori and Aedes africanus. Then the virus was imported to Thailand and India, where it became an urban disease transmitted largely by Aedes aegypti mosquitoes. It is of particular interest that the CHIKV strain that has caused most of the epidemics in urban areas of the Indian Ocean is believed to have originated in Central/East Africa and to have been transmitted by Aedes aegypti. Phylogenetic studies have shown that the earliest CHIKV isolated from Reunion Island closely resembled those from East Africa, but as the epidemic accelerated, the CHIKV sequence of subsequent isolates changed, resulting in an amino acid substitution in the viral E1 envelope glycoprotein as a consequence of viral genome microevolution. Simultaneously, this mutation appeared only in the CHIKV isolated from Aedes albopictus. Until very recently, CHIKV outbreaks in India were primarily associated with Aedes aegypti, as they are in Africa. The Indian CHIKV-induced disease is recognized as an urban disease, whereas the African CHIKV strains are expected to spread in a sylvatic setting. Surprisingly, it was shown that the CHIKV that circulated in India after the Reunion Island outbreak was genetically related to that circulating in the Indian Ocean islands. This Indian CHIKV carries the mutation that allows more efficient dissemination in Aedes albopictus. The CHIKV strains that then circulated in Cameroon (2006), Gabon (2007) and Italy (2007) all bear the mutation that favors transmission of the pathogen by Aedes albopictus. In the Indian Ocean, Cameroon and Gabon, Aedes albopictus has effectively displaced Aedes aegypti through interspecific competition.
Aedes albopictus appears to have adapted to human activities such as transportation and water programs, and it has colonized peridomestic storage of used car tires and the transportation of plants. Aedes albopictus is now present in southern Europe. Although climate change has not yet been scientifically proven to have caused the emergence or re-emergence of any vector-borne disease, a warming climate that would facilitate the introduction of mosquitoes into areas not yet infected represents a serious hypothesis for the development of arboviruses in new regions of the world. Such considerations must be taken into account to anticipate changes that will undoubtedly lead to future epidemics. They also have important implications for the design of vector control strategies against the virus in regions at risk of Chikungunya fever.
The Flame computer virus that smoldered undetected for years in Middle Eastern energy facilities confirmed fears that the world has entered a new age of cyber espionage and sabotage. Internet defenders on Wednesday were tearing into freshly exposed Flame malware (malicious software) that could be adapted to spread to critical infrastructures in countries around the world.