While USB drives have long been a security threat, the Flame spying malware brought the use of portable storage devices to a new level of weaponry.
Flame, discovered last month in Iran's oil-ministry computers, used USB ports found on every PC as a pathway to avoid detection by network-guarding security systems. The cleverness of Flame's creators in keeping the malware under the radar was one more example of why it is considered among the most sophisticated espionage-software packages to date.
[Insider (reg. req'd): Extinguishing Flame malware]
Because Flame was looking for highly sensitive data, it had to steal the information from networks without internet connections, yet still be able to connect at some point to a remote command and control server, vendor Bitdefender said in its security labs blog. To do that, Flame would move stolen files and a copy of itself to a memory stick inserted in an infected computer.
When the storage device was plugged into another PC, Flame would check to see if it was connected to the Internet and then copy itself and the stolen files to the new host, which the malware used to compress the data and transmit it to the controller's server over HTTPS.
Flame would not store stolen documents in the new host, unless it was sure there was an Internet connection, Bitdefender said. "This is how it ensures that it has the best chances to call back home and send leaked data to the attacker."
The malware hid in storage devices by naming the folder that contained the malware and stolen data. "Because Windows could not read the name, the folder remained hidden from the user, giving he or she no reason to suspect they were carrying stolen information," Bitdefender said.
"The main idea behind this is something that we have not seen before: the information mule is a person who is used to carry information between two systems," Bitdefender said.
Flame was capable of infecting networked PCs, but that function was turned off to prevent the malware from spreading too far into a network, thereby increasing its chances of detection. Bitdefender acknowledged that the malware creators might also have had an accomplice who acted as a data smuggler in carrying an infected USB drive from one PC to another.
The success Flame creators had in using USB memory sticks will be studied by hackers. "The technicalities of how Flame uses the USB stick is new and shows that attackers who are determined to penetrate deep inside secure environments are using USB devices to gain that access and to exfiltrate the data they discover too," Liam O Murchu, manager of operations for Symantec Security Response, said in an email Tuesday. "Flamer's use of this USB technique shows that this is an avenue of attack that is highly valuable and will be used again and again."
The mode of infection was one more example of Flame's list of sophisticated techniques, which included fooling Microsoft Terminal Services into having its certificate authority generate fake digital signatures. Once embedded in the code, the signatures made Flame appear to be Microsoft software, while the malware altered and updated its code.
Flame has been linked to the Stuxnet malware blamed for damaging uranium-enrichment systems in Iran's nuclear facility in 2010. Kaspersky Labs discovered that a component of Flame, which was created in 2008, was also in the 2009-version of Stuxnet. Quoting anonymous sources in the Obama administration, The New York Times recently reported that Stuxnet was the creation of U.S. and Israeli government agents.
Because Flame and Stuxnet were highly targeted attacks, neither are believed to pose much of a threat to most corporations. Nevertheless, the vulnerabilities exposed by Flame, particularly the flaw in Microsoft's issuance of digital signatures, were significant. Venafi, which sells key and certificate management technology, reported that more than a quarter of Global 2000 companies were vulnerable to attacker using the exploit. Microsoft has released a patch for the hole.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.