The Flame malware toolkit, used in a cyberespionage campaign, highlights stark differences between the approach western cyberintelligence operations have carried out versus those used by China, according to a prominent malware security expert.
They could reuse that code throughout and build complex systems for stealing data without actually having to know all the intricacies of programming or how Trojans work at a low level.
Joe Stewart, director of malware research, Dell Secureworks
Flame was designed as a monolithic framework to enable people to carry out attacks without having deep knowledge of software coding or the way malware works, said Joe Stewart, director of malware research at Dell Secureworks. Flame appears to have been designed to help agents in the field deploy it easily, using only the components necessary to gather the intelligence needed, Stewart said.
“They get a lot more flexibility and a lot more uniformity,” Stewart said of the Flame malware toolkit. “They can take this framework and can train any number of people to use it in exactly the same way.”
Flame is believed to be part of a joint U.S.-Israeli operation, according to a report citing anonymous officials by the Washington Post. The targeted attack was detected by the Iranian Computer Emergency Response Team and made public in May by Kaspersky Lab. It infected less than 200 systems in Iran, and was detected on machines in other countries in the Middle East and North Africa. Sources cited by the Post said Flame was part of the intelligence-gathering operation that led up to the Stuxnet attack designed to disrupt the centrifuges used by Iran’s uranium enrichment program.
China’s use of malware to conduct cyberespionage in recent years has been completely different, said Stewart. Those involved with targeting and deploying malware mainly operate in isolation, using a vast array of malware to maintain persistence on a network.
“They don’t really have a way to work as a team and share code that does a particular thing,” Stewart said. “Instead of a giant, monolithic framework, they tend to use a lot of small, different Trojans so that when they are detected eventually, it doesn’t affect the rest of their operation.”
Stewart said both approaches have their benefits and drawbacks. Malware believed to be tied to China cyberespionage operations is detected often, but typically it doesn’t matter because forensics teams know there is likely additional malware to enable the attacker to maintain their presence on the systems, he said. Meanwhile, an attack toolkit the size of Flame offers flexibility for agents in the field, but once it is detected its effectiveness is greatly diminished.
“If you have something like Flame, you’ve kind of put all your eggs in one basket,” Stewart said. “Now that people know what Flame is and every antivirus company on the planet can detect it, where do you go from here?”
In an interview with SearchSecurity.com, Stewart explained why the scope of the Flame project was impressive, and the benefits and drawbacks of the different approaches nation-states take in their attack methods. He also explored why botnet infections are a serious problem for enterprises and how botnet operators use social media and other tactics to avoid detection.
What is your analysis of the Flame malware toolkit, which is believed to be nation-state sponsored?
Stewart: It was definitely interesting. The scope of the project was impressive. Much like any large software project, there are a lot of pieces to it. It incorporates a lot of different technologies. None of these technologies were created specifically for this purpose or are pioneering, but someone tried to develop a platform with a lot of flexibility and a lot of capability. This is pretty much what you would expect, if you try to imagine what kind of capabilities are available to nation-state actors or people who are involved in espionage at a high level. You could imagine that if they were hacking, they would have to have some sort of platform to maintain some kind of long-term persistence on a network. Each group that is involved in this kind of activity has to have a framework of some sort.
There’s an interesting contrast between whoever is behind Flame and the way they chose to be involved with in, and other actors that have been involved with this for a long time. If you look to the activity coming out of China – what we’ve seen for several years – instead of a giant, monolithic framework, they tend to use a lot of small, different Trojans so that when they are detected eventually, it doesn’t affect the rest of their operation; they can continue long term. They don’t have a problem because you detected that one Trojan. They have 20 or 30 more they can continue using and can continue just fine and maintain their persistence. If you have something like Flame, you’ve kind of put all your eggs in one basket. Now that people know what Flame is and every antivirus company on the planet can detect it, where do you go from here? Do you completely architect your entire framework so it’s brand new and not detected? You can’t really use too much of the old code. So there are different approaches that different nation-state actors from different areas have, but they’re all working toward the same goal of having a framework within which to operate.
What is the advantage of taking the opposite approach to China’s methods?
Stewart: The advantage is they get a lot more flexibility and a lot more uniformity. They can take this framework and can train any number of people to use it in exactly the same way. If you want a new module you can use this scripting language and make it do function x. They could reuse that code throughout and build complex systems for stealing data without actually having to know all the intricacies of programming or how Trojans work at a low level. You can hand this to less experienced people and have them accomplish their goal. You can get a lot of them working within the same framework and they are all trained the same way. As opposed to the Chinese approach where lots of people are doing their own thing, using the malware they are comfortable with, but they don’t really have a way to work as a team and share code that does a particular thing.
When I think of botnets I think of spam, denial-of-service (DoS) attacks and click fraud. What are some of the other threats posed by botnets?
Stewart: Botnets have their own particular purpose and ways of doing things depending on what the author has in mind. There are lots of botnets out there that are just designed to install other botnets. That’s what they get paid to do. All they are is just another platform. Then there are botnets designed to steal data such as Zeus and SpyEye. It can be things that are designed just to steal passwords for Facebook or Twitter or to webmail to send spam. It can be about stealing your gaming credentials so they can log into your online gaming account, stealing all your valuable items and auctioning those off somewhere else. Some things will directly try to lock up your desktop so you can’t use it or encrypt all your files so you can’t access them and then find some way of making you spend a small amount of money to get that access back. The more threatening stuff is designed to completely steal any kind of intellectual property and they’re highly focused on companies and governments.
Once you start amassing a large botnet, cybercriminals can rent out pieces of it as well, is that correct?
Stewart: Sure. I think most business models we’ve seen about renting botnets are renting out the service that the botnet provides, which is most often distributed denial-of-service (DDoS). Theycan also be used for fraud. In some cases they don’t rent the botnet itself, but they rent the product of the botnet. For instance, you might not to rent a botnet to steal credentials for particular bank, but you could get someone else that has a botnet that is stealing credentials and has a remote database somewhere. You could buy access to that database.
Fundamentally, you’ve said there hasn’t been a whole lot of change in the makeup of botnets over the years. Are there some advancements in terms of communication or techniques for command and control?
Stewart: There have been some techniques. We really have the rise of social media and it gives people a quick and easy way to post a small bit of content somewhere, as in a Twitter feed or a Facebook post. These have made ideal, covert communication channels for bots to look for and receive commands. Hardly any company is going to look twice at somebody within their organization visiting a Twitter account. They are just not going to think that there is anything necessarily bad about that. This may be a bots primary communications channel and it can fly right under the radar if they do it correctly.
There has been a lot of hype around mobile threats. There has been talk about botnet operators potentially harvesting the power of mobile devices as part of an attack. Is that possible?
Stewart: I suppose it is possible, but you are not leveraging very much. The mobile networks don’t have much bandwidth, so you’re not gaining as much as you would if you took over a broadband connection. I think for that reason, mobile malware has been limited to a few specific categories. These are things that are sending out SMS messages for spam or for premium charges that go to the bot owner. Or it’s just a case of getting on the mobile platform in order to use it as part of a multifactor authentication bypass to support standard malware on your computer trying to log into your bank account. I don’t think you can say at this time that someone will get a whole lot of value out of a mobile botnet. There are certain categories where it is useful, but as a DDoS botnet it would probably be pretty abysmal.