The cyberworld was shocked when it was reported that a certain malware was found which exceeded the prowess of the Stuxnet malware.
The Flame malware is a sophisticated computer virus that targets computers in Iran and other Middle East countries designed to gather private data from the said computer systems. The virus is believed to be in existence since 2007 and is said to be part of a state-sponsored attack from the American and Israeli governments–the same team that created Stuxnet to sabotage Iran’s Natanz nuclear enrichment facility. The Flame virus is a 20MB in size, dwarfing Stuxnet’s code by a factor of 20.
But the information mentioned above is nothing compared to the recent discovery that the Flame virus can turn humans into carriers.
Okay, not to create panic, it’s not actually a health-affecting biological virus but the Flame virus can be transmitted by humans via flash drives. This isn’t something new as most malware can be transmitted from one computer to another via flash drives but the main difference is that the virus transmits stolen data.
“It turns users into data mules,” said Bitdefender senior malware analyst Bogdan Botezatu. “Chances are, at some point, a user with an infected flash drive will plug it into a secure computer in a contained environment, and Flame will carry the target’s information from the protected environment to the outside world…It uses its ability to infect to ensure an escape route for the data. This is is somewhat revolutionary for a piece of malware.”
Flame works by copying itself and the stolen data to a folder labelled “.” which Windows fails to interpret as a folder name which makes it invisible to users. When the computer where the data was stolen doesn’t have an internet connection and the user plugged in a USB, that’s when the disguise begins. It then patiently waits for the next time the USB is plugged in to a computer network connected to the internet and then moves the stolen data from the USB to the connected computer, compress the data and send it to its command and control server.
“Most of the infrastructure it targets is highly contained, often without Internet access,” said Botezatu. “It’s natural for Flame to have a mechanism for moving data from one environment to another that doesn’t rely on Internet or network communications.”
Another discovery is that Flame uses “a yet unknown MD5 chosen-prefix collision attack” wherein “two different sources of plaintext generate identical cryptographic hashes.” According to reports, Flame spoofs digital certificates to make it appear that it came from Microsoft to trick users.
“It’s not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough,” Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, said in an interview with Ars Technica. “There were mathematicians doing new science to make Flame work.”