Flame malware could use Bluetooth to exfiltrate data, record phone conversations, or learn the social network of a target.
The Flame malware, detailed publicly for the first time Monday, has been described by security researchers working overtime to unravel its inner workings as "the largest and most complex piece of malicious code they've ever seen."
One of Flame's most interesting--and unusual--capabilities is its ability to scan for nearby Bluetooth devices, and that capability suggests that whoever built Flamer had deep pockets. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," read a
63-page analysis of the malware, published Monday by
the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics.
Researchers are now working to unravel the capabilities of the malicious Flame application, as well as the approximately 20 modules that give it additional capabilities. The malware's Bluetooth functionality is built into a module known as Beetleuice and is triggered based on rules created by the attacker, according to an analysis published by Symantec.
When triggered, the module first scans for all Bluetooth devices within range. "When a device is found, its status is queried and the details of the device recorded--including its ID--presumably to be uploaded to the attacker at some point," said Symantec's report.
Next, the malware configures itself to serve as a Bluetooth beacon. "This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area," said the Symantec report. "In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field."
In other words, the malware not only records the identities of nearby Bluetooth devices, but apparently also whether or not they've been compromised by Flame.
Symantec said that the malware's use of Bluetooth could help its operators learn a target's social network because it would record information about any devices the user encountered during the course of his day. Likewise, the locations of devices could be ascertained--for example, if compromised Bluetooth devices were placed in airports or shopping malls.
But Bluetooth would also allow the attacker behind Flame to target nearby devices and steal any address book entries, SMS messages, or images stored on the device, and then route the information to another nearby device. "An attacker within one mile of the target could use their own Bluetooth-enabled device for this," said Symantec. That means Flame could have been used together with actual physical surveillance of a target.
Furthermore, Flame could use Bluetooth to eavesdrop on infected devices via hands-free communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in by having a PC compromised by Flame connect to the device, according to Symantec.
While the above attack possibilities are only theories, it is possible that there is undiscovered code within W32.Flamer that already achieves some of these goals, according to Symantec. Furthermore, whoever coded Flame would have the required technical chops. "The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled, and such attacks are well within their capabilities," the report said.
Beyond technical teardowns, additional perspective on Flame has also been appearing. Numerous businesses, for example, have been asking whether they're at risk of being exploited. In response, Sean Sullivan, security advisor at F-Secure Labs, wrote in a blog post: "Let's see, are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."
As Sullivan noted, Flame isn't a worm that propagates on its own, but a malicious application that's targeted only at designated PCs--and researchers think that only about 1,000 PCs have ever been infected by Flame. "There are more than one billion Windows computers in the world," Sullivan said.
So when it comes to risk of infection, "You do the math," Sullivan said. "You're just as likely to win the lottery."
When it comes to regulatory compliance, auditors consider more than how you protect your company's covered assets from external attackers. In the Compliance From The Inside Out report, we show you how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates. (Free registration required.)
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!