UPDATED 13:52 EDT / JUNE 12 2012

NEWS

Flame Malware Turns Unwitting Humans Into Data Mules

The cyberworld was shocked when it was reported that a certain malware was found which exceeded the prowess of the Stuxnet malware.

The Flame malware is a sophisticated computer virus that targets computers in Iran and other Middle East countries designed to gather private data from the said computer systems.  The virus is believed to be in existence since 2007 and is said to be part of a state-sponsored attack from the American and Israeli governments–the same team that created Stuxnet to sabotage Iran’s Natanz nuclear enrichment facility.  The Flame virus is a 20MB in size, dwarfing Stuxnet’s code by a factor of 20.

But the information mentioned above is nothing compared to the recent discovery that the Flame virus can turn humans into carriers.

Okay, not to create panic, it’s not actually a health-affecting biological virus but the Flame virus can be transmitted by humans via flash drives.  This isn’t something new as most malware can be transmitted from one computer to another via flash drives but the main difference is that the virus transmits stolen data.

“It turns users into data mules,” said Bitdefender senior malware analyst Bogdan Botezatu. “Chances are, at some point, a user with an infected flash drive will plug it into a secure computer in a contained environment, and Flame will carry the target’s information from the protected environment to the outside world…It uses its ability to infect to ensure an escape route for the data. This is is somewhat revolutionary for a piece of malware.”

Flame works by copying itself and the stolen data to a folder labelled “.” which Windows fails to interpret as a folder name which makes it invisible to users.  When the computer where the data was stolen doesn’t have an internet connection and the user plugged in a USB, that’s when the disguise begins.  It then patiently waits for the next time the USB is plugged in to a computer network connected to the internet and then moves the stolen data from the USB to the connected computer, compress the data and send it to its command and control server.

“Most of the infrastructure it targets is highly contained, often without Internet access,” said Botezatu. “It’s natural for Flame to have a mechanism for moving data from one environment to another that doesn’t rely on Internet or network communications.”

Another discovery is that Flame uses “a yet unknown MD5 chosen-prefix collision attack” wherein “two different sources of plaintext generate identical cryptographic hashes.”  According to reports, Flame spoofs digital certificates to make it appear that it came from Microsoft to trick users.

“It’s not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough,” Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, said in an interview with Ars Technica. “There were mathematicians doing new science to make Flame work.”


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU