“Flame” is the name of a newly identified malware program which, Microsoft has confirmed, used a previously unknown MD5 collision attack to forge a code-signing certificate chaining to Microsoft's Terminal Server Licensing Service certificate authority. With that certificate the malware could pass itself off as a legitimate Windows Update and install itself as a trusted, Microsoft-signed program. The program appears to have targeted computers in the Middle East, and specifically Iran; analysts have alleged it was likely created by the same entity that designed Stuxnet. Flame has been live and actively spying since at least 2010, but went undetected until recently because of sophisticated anti-detection measures.
While anonymous US officials have told reporters that the program was a joint US-Israeli effort, officially both the USA and Israel have denied any involvement.
Kaspersky Lab, which first disclosed Flame, summarised its analysis of the malware's command-and-control (C&C) infrastructure as follows:
- The Flame command-and-control infrastructure, which had been operating for years, went offline immediately after our disclosure of the malware’s existence last week.
- We identified about 80 total domains which appear to belong to the Flame C&C infrastructure.
- The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
- The attackers seem to have a high interest in PDF documents, Office files and AutoCAD drawings.
- The data uploaded to the C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPMd compression.
- Flame is using SSH connections (in addition to SSL) to exfiltrate data. The SSH connection is established by a fully integrated PuTTY-based library.
- Windows 7 64-bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.