Flame: Modern Warfare


Presentation Transcript


  1. Flame: Modern Warfare Matthew Stratton

  2. What is Flame? • How it was found • What are its capabilities • How it is similar to Stuxnet and Duqu • Implications

  3. Flame’s Discovery This is not the malware you are looking for

  4. Kaspersky Labs • April, 2012 • National Iranian Oil Company infected by an unknown virus • International Telecommunication Union asked Kaspersky to investigate • Looked for a virus called “Wiper” but found something much worse

  5. New Malware: Flame • Kaspersky Labs named the new virus “Flame” after one of its prominent modules

  6. Infected • Most infected computers found in the Middle East • A few infections found in Europe

  7. Tried and True • Flame has been in the wild a long time • Evidence of Flame’s use as far back as August 2010 • Avoided detection for 20+ months • Likely much older, some evidence suggests earlier versions as early as 2007

  8. Flame’s Capabilities Spy in a Box

  9. What is Flame • Sophisticated attack toolkit: backdoor, trojan, worm • Avoids detection • Modular: • A small infection module downloads extra modules once it compromises a system • With all known modules: ~20 MB in size • Wiper may be a Flame module

  10. Infect • Signed with a fraudulent certificate issued under the Microsoft Enforced Licensing Intermediate PCA certificate authority • The infection module modifies itself to avoid antivirus detection • Its large size makes it hard to determine that Flame is doing anything malicious

  11. Gather • Once a machine is infected, attack modules are downloaded from the C&C server depending on the target system • Sniffs network traffic and gathers information on Bluetooth devices in range • Could lead to customized attacks in the future

  12. Gather • Takes screenshots when “interesting” applications are running • Turns on the built-in mic and records audio conversations • Keylogger • Records Skype conversations • Gathers local files stored on the computer, including info from databases

  13. Spread • Only on command of the operator (via the C&C server)

  14. Notorious Similarities Stuxnet and Duqu

  15. Stuxnet and Duqu • Sophistication • Exploit the same vulnerabilities • Print spooler • USB infection methods • Not seen anywhere else

  16. Different Developers • Different programming language • Different software architecture • Hypothesis: • Developed in parallel with Stuxnet and Duqu by different teams • Access to the same database of vulnerabilities • Both commissioned by the same group

  17. Implications The Dawn of Cyber Warfare

  18. Cyber Warfare • "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption." • Developed by a nation state • Complexity • Goals • Targets

  19. Creators • Leaked documents and inside sources claim it was a project started by George W. Bush and continued by President Obama • Olympic Games • Developed with Israel • No one has openly claimed responsibility

  20. Fin • Finding Flame • Flame’s functionality • Connections to Stuxnet and Duqu • Implications: Cyber Warfare

  21. Questions?
