Cyberspace is no longer a benign place to surf.
Viruses have grown nastier and more complex over the years. While worms were traditionally used by hackers and cybercriminals either to show off their prowess or to steal information and money, it now appears that even nation states are backing such attacks against other countries, a trend popularly known as cyber espionage.
For instance, in July 2010, anti-virus vendors detected a virus they named W32.Stuxnet, which targets industrial control systems in order to take control of industrial facilities such as power plants. Iran was the primary target, with nearly 59% of observed infections in that country, according to anti-virus vendor Symantec. India was affected too, with 8.31% of infections.
In October 2011, another worm, W32.Duqu, was found to have been built from the same code base as Stuxnet, but it appeared to have a completely different purpose. Where Stuxnet was designed primarily to sabotage industrial machinery, Duqu appeared to be designed for information theft, particularly information about industrial control systems and other secrets.
Then on Monday, researchers disclosed a yet more potent virus. Known as W32.Flamer (also called sKyWIper and, in some early reports, Wiper), the worm appears to target primarily Iran and other West Asian countries.
Also classed as cyber espionage, the initial analysis from anti-virus vendors such as Kaspersky Lab suggests that the creators of Flame are after any kind of intelligence: e-mails, documents, messages and discussions inside sensitive locations. “We have not seen any specific signs indicating a particular target such as the energy industry--making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes,” says a blog run by Aleks (Alexander Gostev), a Kaspersky Lab expert.
“Of course, like we have seen in the past, such highly flexible malware can be used to deploy specific attack modules, which can target SCADA (supervisory control and data acquisition) devices, critical infrastructure and so on,” says Aleks, concluding that while Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East, “we’ve found what might be the most sophisticated cyber weapon yet unleashed”.
The ‘Flame’ cyber espionage worm, Aleks says on his official blog, came to the attention of experts at Kaspersky Lab after the UN’s International Telecommunication Union asked the anti-virus vendor for help in finding an unknown piece of malware that was deleting sensitive information across West Asia. Flame, he says, shares many characteristics with the notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of the attacks, coupled with the use of specific software vulnerabilities, seem to put it alongside those ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators.
Once a system is infected, Flame begins a complex set of operations, including sniffing network traffic, taking screenshots, recording audio conversations, logging keystrokes, and so on. All of this data is available to the operators through the link to Flame’s command-and-control servers. Flame, says Aleks, is not designed to steal money from bank accounts. It is also different from the rather simple hack tools and malware used by hacktivists. So, having excluded cybercriminals and hacktivists, “we come to the conclusion that it most likely belongs to nation states”.
Other experts and researchers agree. Terming the virus “the most complex malware ever found”, the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics says its first analysis suggests that sKyWIper is another info-stealer. It adds that sKyWIper may have been active for as long as five to eight years, or even longer.
sKyWIper uses compression and encryption to encode its files. More specifically, it uses five different encryption methods (plus variants), three different compression techniques and at least five different file formats (including some proprietary ones), according to CrySyS. It also uses special code injection techniques, and it stores the information it gathers from infected systems in a highly structured form in SQLite databases.
Another uncommon feature of sKyWIper is its use of the Lua scripting language, which can easily be extended and interfaced with C code, the researchers say. sKyWIper has very advanced functionality for stealing information and for propagating, and is most likely capable of using every facility of the infected computer for its ends. It covers all the major avenues for gathering intelligence: keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes.
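The detail that the malware keeps its harvested data in SQLite databases suggests one concrete host-triage check: look for SQLite files by their 16-byte file header rather than by extension, then enumerate what each one holds. The script below is an added example, not code from the article or from any of the vendors it quotes; the directory layout, file names and table contents it builds are constructed for the demonstration and are not indicators of Flame.

```python
"""Host triage helper: find SQLite databases by magic header, not extension.

Added example, not code from the article or the vendors it quotes. The
sample directory built by build_sample_dir() is constructed for the demo
(a SQLite file hiding under a .dat name next to a plain-text decoy) and
has nothing to do with real Flame artefacts.
"""
import os
import sqlite3
import tempfile
from pathlib import Path

# Every SQLite 3 file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """Return True if the file starts with the SQLite 3 header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_files(root):
    """Walk `root` and return the sorted paths of files carrying the magic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                hits.append(path)
    return sorted(hits)


def describe_database(path):
    """Open a SQLite file read-only and return {table_name: row_count}."""
    conn = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        names = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            counts[name] = conn.execute(
                "SELECT COUNT(*) FROM " + quoted).fetchone()[0]
        return counts
    finally:
        conn.close()


def build_sample_dir(root):
    """Construct a demo tree: one disguised SQLite file plus two decoys."""
    cache = os.path.join(root, "cache")
    logs = os.path.join(root, "logs")
    os.makedirs(cache)
    os.makedirs(logs)
    # Constructed sample database with a misleading extension.
    conn = sqlite3.connect(os.path.join(cache, "thumb.dat"))
    conn.execute("CREATE TABLE keylog (ts TEXT, text TEXT)")
    conn.executemany("INSERT INTO keylog VALUES (?, ?)",
                     [("2012-05-28T09:00:00", "sample one"),
                      ("2012-05-28T09:00:05", "sample two")])
    conn.commit()
    conn.close()
    # Plain-text decoys that must not be reported.
    with open(os.path.join(cache, "readme.txt"), "w") as fh:
        fh.write("not a database\n")
    with open(os.path.join(logs, "app.log"), "w") as fh:
        fh.write("SQLite mentioned in text only\n")
    return root


def demo():
    """Build the sample tree, scan it and return (relative hits, summaries)."""
    root = tempfile.mkdtemp(prefix="triage_")
    build_sample_dir(root)
    hits = find_sqlite_files(root)
    relative = [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]
    return relative, [describe_database(h) for h in hits]


if __name__ == "__main__":
    print(demo())
```

Run against a real file system root, `find_sqlite_files()` is cheap (it reads only 16 bytes per file) and `describe_database()` opens each hit read-only so triage never modifies the evidence.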
Symantec’s Security Response team’s analysis concurs with these observations. The report so far reveals that the malware was built with the ability to obtain information from infected systems, primarily located in the Middle East.
As with the previous two threats (Stuxnet and Duqu), this code was not written by a single individual but by an organized, well-funded group working to directives, Symantec researchers note. The code includes multiple references to the string ‘FLAME’, which may denote either instances of attacks carried out by various parts of the code or the malware’s development project name.
The threat, according to Symantec, has operated discreetly for at least two years and can steal documents, take screenshots of users’ desktops, spread via USB drives, disable security vendor products and, under certain conditions, spread to other systems. It may also be able to leverage multiple known and already patched vulnerabilities in Microsoft Windows in order to spread across a network.
A recent Symantec Internet Security Threat Report saw the number of targeted attacks rise during 2011, from an average of 77 per day in 2010 to 82 per day in 2011. The number is only set to rise further in 2012.
So what does the doctor advise? As of now, anti-virus vendors are still analysing the threat, and one can only watch this space. The one concrete step already follows from Symantec’s own observation: the propagation routes it describes are USB drives and Windows vulnerabilities that are known and patched, so a fully patched system denies the worm at least that path.