Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries.
Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and CrySyS Lab of the Budapest University of Technology and Economics. The last of these stated in its report that it "is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."
Based on the F-Secure Threat Report for H1 2012, here are 10 interesting facts about Flame:
- Flame has a keylogger and screengrabber.
- Flame has built-in SSH, SSL and Lua libraries.
- Flame searches for all Office documents, PDF files, Autodesk files and text files on the local drives and on the network drives. Since there would easily be too much information to steal, it uses IFilters to extract text excerpts from the documents. These are stored in a local SQLite database and sent to the malware operators. This way they can instruct the malware to home in on the really interesting material.
- Flame can turn on the microphone of the infected computer to record discussions spoken near the machine. These discussions are saved as audio files and sent back to the malware operators.
- Flame searches the infected computer and the network for image files taken with digital cameras. It extracts the GPS location from these images and sends it back to the malware operators.
- Flame checks if there are any mobile phones paired with the infected computer via Bluetooth. If so, it connects to the phone and sends it to the malware operators.
- The stolen info is sent out by infecting USB sticks that are used in an infected machine and copying an encrypted SQLite database to the sticks, to be sent when they are used outside of the closed environment. This way data can be exfiltrated even from a high-security environment with no network connectivity.
- Flame creates a local proxy which it uses to intercept traffic to Microsoft Update and drop a fake update onto the machine. This is used to spread Flame to other machines in a local area network. The fake update was signed with a certificate chaining up to the Microsoft root, as the attackers found a way to repurpose Microsoft Terminal Server license certificates. Even this wasn't enough to spoof newer Windows versions, so they did some cutting-edge cryptographic research and came up with a completely new way to create hash collisions, enabling them to spoof the certificate. They still needed a supercomputer though. And they've been doing this silently since 2010.
- When Flame was finally busted, the attackers got busy destroying all evidence and actively removing the infections from the affected machines.
- Latest research proves that Flame is indeed linked to Stuxnet. And just one week after Flame was discovered, the US Government admitted that they had developed Stuxnet together with the Israeli Armed Forces.
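
The fake Microsoft Update described in the list above only worked because a certificate signed with a collision-prone hash was still accepted in a chain up to a trusted root. As an added example (not code from the F-Secure report or from this page), the Python below reads the signature algorithm out of each DER-encoded certificate in a chain and reports any signed with MD5, the hash whose collisions were used against the Terminal Server licensing certificates. The names `skeleton_cert` and `SAMPLE_CHAIN` are constructed test data containing only the fields the parser reads, not real certificates.

```python
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # PKCS#1 OID

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:  # base-128 sub-identifiers; a set high bit means "continues"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs, val = subs + [val], 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)  # the first sub-identifier packs two arcs
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_oid(cert_der):
    """OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return decode_oid(cert_der[oid_start:oid_end])

def weak_links(chain):
    """Return [(index, algorithm)] for certificates signed with a weak hash."""
    oids = enumerate(map(signature_oid, chain))
    return [(i, WEAK_SIG_OIDS[o]) for i, o in oids if o in WEAK_SIG_OIDS]

def skeleton_cert(oid_tail):  # constructed sample: only the fields parsed above
    der = lambda tag, body: bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d0101") + oid_tail) + b"\x05\x00")
    return der(0x30, der(0x30, b"") + alg + b"\x03\x01\x00")

SAMPLE_CHAIN = [skeleton_cert(b"\x0b"), skeleton_cert(b"\x04")]  # sha256, then md5
```

`signature_oid` accepts any DER certificate, so the same check can be run over certificates exported from a trust store; PEM input must be base64-decoded first.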