Bride of Stuxnet
Webcraft as spycraft.
Jun 11, 2012, Vol. 17, No. 37 • By JONATHAN V. LAST
Last April, the Iranian Oil Ministry and the National Iranian Oil Company noticed a problem with some of their computers: A small number of machines were spontaneously erasing themselves. Spooked by the recent Stuxnet attack, which had wrecked centrifuges in their nuclear labs, the Iranians suspected a piece of computer malware was to blame. They went to the United Nations’ International Telecommunications Union and asked for help. After an initial investigation, it was determined that the Iranians had been hit with a new piece of malicious software; it was temporarily labeled Wiper. Or Viper. After translating the moniker into different languages, no one is quite sure what the original nickname was.
The experts from Turtle Bay quickly realized they were out of their depth with Wiper/Viper and contracted a Russian computer security firm, Kaspersky Lab, to help. As the techs at Kaspersky investigated, they began to find bits and pieces of a much bigger program. What they eventually uncovered forced them to put aside Wiper/Viper and send out an all-hands call to the tech community: a cyber-weapon that made Stuxnet look primitive. They called it Flame.
Stuxnet was like a guided missile with a targeted payload. It was created to spread rapidly, but always to be seeking a particular set of computers—machines made by Siemens and used to control centrifuge operations at a uranium enrichment plant. Once Stuxnet reached its destination, it had very precise instructions: It altered the speed of the centrifuges in such a manner as to slowly degrade the equipment and destroy the uranium they contained—all while sending false readings back to the operating console so that neither the computer nor the human supervisors would notice the damage being done.
If Stuxnet was like a missile, then Flame is more like a surveillance satellite.
Once a computer is infected by Flame, the program begins a process of taking over the entire machine. Flame records every keystroke by the user, creating a perfect log of all activity. It takes pictures of the screen every 60 seconds—and every 15 seconds when instant message or email programs are in use. It records all administrative action on the computer—taking note of network passwords, for instance. And it rummages through the computer’s hard drive copying documents and files.
But that’s not all. Flame also takes control of the machine’s Bluetooth capability and turns it into a hub for a small wireless network, bonding with other Bluetooth-enabled devices in the vicinity, such as cell phones. It then uses the Bluetooth connection to case whatever information is on the remote device—say, an address book, calendar, or email list. Most spectacularly, Flame is able to turn on the computer’s built-in microphone and record the user, or anyone else who happens to be chatting in the vicinity.
Flame then compiles all of this information—the passwords, the documents, the keystroke logs, the screenshots, and the audio recordings—encrypts it, and secretly uploads it to a command-and-control server (C&C), where someone is waiting to analyze it.
The first thing the white hats noticed about Flame was its size. Most malware is designed to be tiny—the smaller the package of code, the harder it is for your computer’s constantly updating security protocols to intercept it. It took half a megabyte of code to build Stuxnet, which was a remarkably large footprint by the standards of malware. When completely deployed, Flame takes up 20 megabytes. Which is positively gargantuan.
But Flame is deployed in stages. When it works its way onto a new machine, Flame comes in an initial package of six megabytes. After the worm takes control of the box, it inventories the machine and the surrounding networks, and then begins communicating with a remote C&C server. On the other end of the line, a team takes in the data being sent by Flame, makes a determination of the new host’s value, and then returns instructions to the waiting worm. Depending on what the C&C team see, they might instruct Flame to install any of 14 additional modules—mini add-on programs which, for instance, would give Flame the ability to take over the computer’s microphone, or Bluetooth functionality. One module, named “browse32,” is a kill module. When activated by the C&C, browse32 systematically moves through the computer, deleting every trace of Flame’s existence. Its wipe is so thorough that once it’s been triggered, no one—not even computer security techs—can tell if Flame was ever there in the first place.