Flame malware could use Bluetooth to exfiltrate data, record phone conversations, or learn the social network of a target.
The Flame malware, detailed publicly for the first time Monday, has been described by security researchers working overtime to unravel its inner workings as "the largest and most complex piece of malicious code they've ever seen."
One of Flame's most interesting--and unusual--capabilities is its ability to scan for nearby Bluetooth devices, and that capability suggests that whoever built Flamer had deep pockets. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," read a 63-page analysis of the malware, published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics.
Researchers are now working to unravel the capabilities of the malicious Flame application, as well as the approximately 20 modules that give it additional capabilities. The malware's Bluetooth functionality is built into a module known as BeetleJuice and is triggered based on rules created by the attacker, according to an analysis published by Symantec.
When triggered, the module first scans for all Bluetooth devices within range. "When a device is found, its status is queried and the details of the device recorded--including its ID--presumably to be uploaded to the attacker at some point," said Symantec's report.
Next, the malware configures itself to serve as a Bluetooth beacon. "This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area," said the Symantec report. "In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field."
In other words, the malware not only records the identities of nearby Bluetooth devices, but apparently also whether or not they've been compromised by Flame.
Symantec said that the malware's use of Bluetooth could help its operators learn a target's social network because it would record information about any devices the user encountered during the course of his day. Likewise, the locations of devices could be ascertained--for example, if compromised Bluetooth devices were placed in airports or shopping malls.
But Bluetooth would also allow the attacker behind Flame to target nearby devices and steal any address book entries, SMS messages, or images stored on the device, and then route the information to another nearby device. "An attacker within one mile of the target could use their own Bluetooth-enabled device for this," said Symantec. That means Flame could have been used together with actual physical surveillance of a target.
Furthermore, Flame could use Bluetooth to eavesdrop on infected devices via hands-free communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in by having a PC compromised by Flame connect to the device, according to Symantec.
While the above attack possibilities are only theories, it is possible that there is undiscovered code within W32.Flamer that already achieves some of these goals, according to Symantec. Furthermore, whoever coded Flame would have the required technical chops. "The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled, and such attacks are well within their capabilities," the report said.
Beyond technical teardowns, additional perspective on Flame has also been appearing. Numerous businesses, for example, have been asking whether they're at risk of being exploited. In response, Sean Sullivan, security advisor at F-Secure Labs, wrote in a blog post: "Let's see, are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."
As Sullivan noted, Flame isn't a worm that propagates on its own, but a malicious application that's targeted only at designated PCs--and researchers think that only about 1,000 PCs have ever been infected by Flame. "There are more than one billion Windows computers in the world," Sullivan said.
So when it comes to risk of infection, "You do the math," Sullivan said. "You're just as likely to win the lottery."