Cyber warfare espionage by Flame

Yoghavel V

Avinash V

I- M.Tech (ISCF.,),

Department Of Information Technology
SRM University, Chennai
yoghavel@gmail.com
avinashx11@gmail.com

AbstractCyber warfare espionage is a
threat to many countries in todays scenario.
Flame is a malware that targeted over Middle
East countries in the year of 2012. It attacks
the systems running under Microsoft
operating system and used for targeted cyber
espionage. This paper is a technical survey of
Flame and describes the modules of the
malware and its spreading capabilities. The
main purpose of this paper is to point out the
recent trends infused by this new breed of
malware into cyber attacks.

Keywords- Malwares, Information Security
Management, Flame
I. INTRODUCTION

Flame is complex piece of software classified
as a backdoor, Trojan or rootkit .Flame is used
for cyber espionage that affects computer
running a Microsoft Windows operating system.
Flame is also named as skywiper.
A. History
In April 2012, several computers of the
National Iranian Oil Company, as well as
several Iranian ministries, have been infected by
an unknown virus. This case was linked to chain
of cyber attacks during which viruses like
Stuxnet and Duqu were used. Virus whose
presence in the cyber realm was undetected for
years together was made public on 28th of May
2012 by Iran CERT, following an investigation
of a Russian security company, Kaspersky Lab.
B. Comparison of Flame with Stuxnet
Stuxnet was another malicious software
discovered in June 2010.Both Flame and Stuxnet
were developed by different teams and shared a
common purpose of increasing the robustness of
an operation. Flame and Stuxnet are modular
malware .They have a key logger module and
are categorized as a zero day attack.
II. REVIEW OF LITERATURE
Flame malware is an important piece of a
targeted attack. Initially the countries affected
was not known, but was suspected that it was
not limited to a single country. It was based on


indications that pieces of the malware was
probably identified and uploaded from European
parties onto binary analysis sites in the past. The
first insight suggests that Flame is another info-
stealer malware with a modular structure
incorporating multiple propagation and attack
techniques, but further analysis may discover
components with other functionalities. In
addition, Flame may have been active for as
long as five to eight years, or even more.

III. RESEARCH GAP
Flame used five encryption techniques among
which one is known and the rest remains
unknown. On analysis of flame it is found that
attackers innovate in intruding victims system,
so security analyst should think a step ahead in
mitigating such attacks.
IV. OBJECTIVES
The objective of this study are mentioned below,
To study the cryptanalysis used by the
Flame development team.
To analyze the various modules associated
with the flame malware.

V. SCOPE AND LIMITATIONS OF STUDY
A. Scope
This research focused on trying to get a first
insight into the capabilities, behavior,
encryption, data storage, propagation and
communications of the malware. Much more
work is needed to understand the details of the
operation of the malware.
B. Limitations
Five encryption techniques were used in
deployment of flame malware, this has been
identified by Kaspersky Lab. But only one
technique has been known. All the other four
techniques are yet to be discovered.

VI. METHODOLOGY
Flame incorporates multiple propagation and
attack techniques and special code injection
methods. It gathers information in multiple
ways, including logging key strokes, saving
screenshots, turning on the microphone and the
web camera to record audio and video. It
browses through the storage devices attached to
the infected computer. It also switches on the
Bluetooth radio if available on the infected
computer, and saves information about
neighboring Bluetooth enabled devices and send
information about the victim system to a nearby
device.

Fig.1.Propogation Techniques of Flame
Flame uses five encryption methods, three
different compression techniques, and five
different file formats. Information gathered by
Flame is stored in a SQLite databases. Flame
sends the information collected to remote C&C
servers if network connection is available. It also
stores information on USB sticks, through which
it can infect other computers and use their
network connections to communicate with the
C&C servers. It was found that flame collects
around Six GB of data from an infected system
in a week.

VII. DESIGN AND ALGORITHM
Analysis of the files the deployment techniques
of Flame are explained.


A. Hooking
In Flame, hooking is the result of code injection
that is performed. All of the hooks (IAT and
inline) belong to explorer.exe. For example, the
tools XueTr and Gmer report that there is an
inline hook in the shell32.dll module of
explorer.exe at address 0x7C9EF858 pointing to
0x01F6041C. It is indicated by an unconditional
jump instruction (jmp) to the target address. It
can either be a hook or just a coincidence that
the injected code contains the opcode of a jump
at that address.
B. Mutex
Flame uses mutexes to make sure that only one
instance of it is running. Mutexes are created for
injected system processes (winlogon.exe,
services.exe, explorer.exe) and for proprietary
les. For example, for injected system processes,
the following naming convention is used: TH
POOL SHD PQOISNG #PID#SYNCMTX,
where #PID# refers to the process ID of the
system process the mutex belongs to. Other
mutexes created by Flame are referenced in
different manner (e.g.,
DVAAccessGuard51EF43 ST *, Dynamic*,
msstx32*, where * stands for random
characters).
C. SQLite Databases
The malware creates encrypted les with names
starting with RF in the Windows/temp folder.
This operation seems to be automatic, but
perhaps it may also be remotely controlled.
After decryption, the les appear to be SQLite
databases, storing information on drivers,
directories, and le names discovered on the
infected machine. In addition, SQLite and
unknown CLAN databases are used to store
attack related information, such as attack
parameters, attack logs with type and result
(success or failure) of different attack methods,
attack queues with remaining attacks to try and
trial intervals, credentials
(e.g., user names and passwords), and registry
settings.
D. Encryption Algorithm
Five different encryption techniques are used in
development of flame .Simple XOR masking
with a constant or simple byte substitution
encryption technique is used. It was for first time
the data captured by Flame was heavily
encrypted on the server using strong public key
cryptography to ensure that only the attackers
can access.
E. Evasion Techniques
The attackers took extra precautions to evade
detection by security products thereby it could
not be detected. The list of security products and
checking its presence by malware is quite
extensive as it contains more than 300 entries.
The malware chooses the extension of its les
according to the anti-virus software used. We
found that it usually uses the OCX extension,
but if McAfee McShield is installed, extension is
changed to TMP.
VIII. TERMINAL SERVICE LICENSING
Flame can masquerade as a proxy for Windows
Update and can spread on a local network as if it
was a signed update for the Windows operating
system. In order to generate digital signatures on
malware, the attackers created a public key
private key pair and manage to obtain a
certicate for the public key that can be used for
the verifying signed code and chains up to
Microsoft root Certication Authority (CA). The
attackers used the Microsoft Terminal Services
Licensing infrastructure to obtain their fake
certicate. This infrastructure allows licensing
servers to obtain a certicate from a Microsoft
activation server in a fully automated process.
For this purpose, the licensing server generates a
key pair, and sends the public key to the
activation server together with other user-
supplied parameters in a certicate request
message.



Fig.1. Microsoft Terminal Services Licensing
infrastructure

The activation server then issues the certicate
for the public key and sends it back to the
licensing server. The licensing server can then
use the private key to sign license for clients,
which they can use to access different terminal
services. The validity of the licenses can be
veried by checking the licensing servers
signature and the certicate obtained from the
activation server. The signature on the certicate
issued by the activation server is generated on
the MD5 hash of the content of the certicate. In
addition, the certicate does not contain any
extensions for restricting key usage, which
means that the certicate can be used for code
signing applications.

IX. THE MD5 HASH COLLISION
ATTACK


Fig.2. Collision Attack
The attackers needed to get around the problem
of the Hydra extensions which was not
encountered in earlier versions of Windows, and
they took advantage of the weaknesses of the
MD5 hash algorithm to achieve their goal. They
mounted a chosen-prex MD5 hash collision
attack by which they obtained a valid signature
from the Microsoft activation server on a crafted
certicate that contained a public key whose
private pair was known to the attackers.
Collision attack is illustrated as shown Figure.2.

Fig.3.Comparision Of Flame Certificate with
Certificate Signed by Microsoft.
A. Hash Collision Attack
The objective of any hash collision attack is to
generate two inputs to the hash function that
map to the same output hash value. In case of a
chosen-prex hash collision attack, the attacker
starts with two chosen inputs that have some
known difference, and then appends the nearby
collision blocks to both until the resulting
extended inputs yield the same hash value.
Optionally, the two colliding inputs can be
further extended with the same additional data.
MD5 was known to be vulnerable to this type of
attack. Yet, Microsoft still used MD5 in its
Terminal Services Licensing infrastructure. In
case of Flame, the two colliding inputs were two
certicate. One of them contained a certicate
serial number, a validity period, the string MS
as the certicate subject and the attackers public
key in the chosen prex part, while the
unstructured and long issuer unique ID eld was
used to hold the near collision blocks. The other
certicate also contained a serial number and a
validity period, the string Terminal Services
LS as the certicate subject name (for Terminal
Services Licensing Server) and part of a random


public key in certicate was found, the attackers
sent the random public key of the second
certicate to the MS activation server in an
appropriate certicate request, which created the
second certicate by adding the predicted serial
number and validity period, the Hydra
extensions, and the signature on the MD5 hash.
However, since the rst certicate had the same
MD5 hash, the signature of the second certicate
was a valid signature on the rst certicate too,
and the attackers could use the rst certicate to
sign their Comparison of Flame certificate with
certificate signed by Microsoft is shown in
Figure.3
The biggest challenge for the attackers was to
send the certicate request to the activation
server at the right moment such that the server
returned a certicate with the serial number and
validity period that were used to generate the
hash collision by the attackers. Both the serial

each attempt they had to generate a new
collision pair.
IX. Command and Control Server
C&C communication is defined under the name
GATOR. Resource 146 contains key-value pairs
or templates related to GATOR configuration.
Fifty different domain names related to the C&C
communication and more than 15 distinct IP
addresses are known. C&C servers are changed
frequently by changing the IP address of the
particular host/domain name.

Fig 4.Command and Control server
X. CONCLUSION
In today's era security is at a toss. One should
have a reliable cross-device security platform in
place to protect your PCs, tablets, Smartphone's
and other applicable devices from malware and
malicious attacks. But, these threats appear to be
designed by nation-states, and targeted
specifically at enemy nation-states. Unless you
happen to be a nation-state, you probably have
little to be concerned about.
However, as more of these sophisticate threats
are discovered and reverse-engineered by
security researchers, the tricks and techniques
that make them become public. That means that
your average cyber-criminal malware developers
learn a thing or two and apply some of the
innovations from threats like Flame and future
malware attacks that are aimed at businesses and
consumers.
The bad news is that these threats seem to have
done a very good job of spreading in stealth and
flying under the radar for quite a while before
being discovered. The good news is that as the
techniques used are unraveled, the security
vendors get to learn about the innovative
techniques at the same time as the malware
developers, so as long as you keep you security
software up to date you should be reasonably
protected.
XI. REFERENCES
A. Book References
[1] William Stallings, "Cryptography and
Network Security: Principles and Practice",
Pearson Education, 2011, Fifth Edition.
[2] Behrouz Forouzan, "Cryptography &
Network Security" ,McGraw-Hill,2007,First
Edition.
B. Journal/Magazine References
[1] Ivan Damg_ard. A Design Principle for
Hash Functions. In Gilles Brassard, editor,
CRYPTO, volume 435 of Lecture Notes in
Computer Science, pages 416{427.
Springer, 1989.


[2] Bert den Boer and Antoon Bosselaers.
Collisions for the Compression Function of
MD5. In
[3] Tor Helleseth, editor, EUROCRYPT,
volume 765 of Lecture Notes in Computer
Science, pages 293{304. Springer, 1993.
[4] Whit_eld Di_e and Martin E. Hellman. New
directions in cryptography. IEEE
Transactions On Information Theory,
22(6):644{654, 1976.
[5] Hans Dobbertin. Cryptanalysis of MD5
compress, 1996. Presented at the rump
session of Eurocrypt'96.
C .Web References
[1] http://www.crysys.hu/skywiper/skywiper.pd
f
[2] http://www.securelist.com/en/blog/2081935
22/The_Flame_Questions_and_Answers
[3] http://eprint.iacr.org/2005/067
[4] http://eprint.iacr.org/2006/105
[5] https://www.securelist.com/en/blog/2081935
58/Gadget_in_the_middle_Flame_malware_
spreading_vector_identified
[6] http://www.gfi.com/blog/analyzing-flame-
with-sandbox-technology-webinar-now-
online