Flame malware could use Bluetooth to exfiltrate data, record phone conversations, or learn the social network of a target.
The Flame malware, detailed publicly for the first time Monday, has been described by security researchers working overtime to unravel its inner workings as "the largest and most complex piece of malicious code they've ever seen."
One of Flame's most interesting--and unusual--capabilities is its ability to scan for nearby Bluetooth devices, and that capability suggests that whoever built Flamer had deep pockets. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," read a
63-page analysis of the malware, published Monday by
the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics.
Researchers are now working to unravel the capabilities of the malicious Flame application, as well as the approximately 20 modules that give it additional capabilities. The malware's Bluetooth functionality is built into a module known as Beetleuice and is triggered based on rules created by the attacker, according to an analysis published by Symantec.
When triggered, the module first scans for all Bluetooth devices within range. "When a device is found, its status is queried and the details of the device recorded--including its ID--presumably to be uploaded to the attacker at some point," said Symantec's report.
Next, the malware configures itself to serve as a Bluetooth beacon. "This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area," said the Symantec report. "In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field."
In other words, the malware not only records the identities of nearby Bluetooth devices, but apparently also whether or not they've been compromised by Flame.
Symantec said that the malware's use of Bluetooth could help its operators learn a target's social network because it would record information about any devices the user encountered during the course of his day. Likewise, the locations of devices could be ascertained--for example, if compromised Bluetooth devices were placed in airports or shopping malls.
But Bluetooth would also allow the attacker behind Flame to target nearby devices and steal any address book entries, SMS messages, or images stored on the device, and then route the information to another nearby device. "An attacker within one mile of the target could use their own Bluetooth-enabled device for this," said Symantec. That means Flame could have been used together with actual physical surveillance of a target.
Furthermore, Flame could use Bluetooth to eavesdrop on infected devices via hands-free communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in by having a PC compromised by Flame connect to the device, according to Symantec.
While the above attack possibilities are only theories, it is possible that there is undiscovered code within W32.Flamer that already achieves some of these goals, according to Symantec. Furthermore, whoever coded Flame would have the required technical chops. "The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled, and such attacks are well within their capabilities," the report said.
Beyond technical teardowns, additional perspective on Flame has also been appearing. Numerous businesses, for example, have been asking whether they're at risk of being exploited. In response, Sean Sullivan, security advisor at F-Secure Labs, wrote in a blog post: "Let's see, are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."
As Sullivan noted, Flame isn't a worm that propagates on its own, but a malicious application that's targeted only at designated PCs--and researchers think that only about 1,000 PCs have ever been infected by Flame. "There are more than one billion Windows computers in the world," Sullivan said.
So when it comes to risk of infection, "You do the math," Sullivan said. "You're just as likely to win the lottery."
When it comes to regulatory compliance, auditors consider more than how you protect your company's covered assets from external attackers. In the Compliance From The Inside Out report, we show you how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates. (Free registration required.)
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.