Monday, June 4, 2012

Flame - Stuxnet: Internet Spying?

[Image: Flame Virus in the attack -- by Curtis Edenfield]

Related article: Wired Magazine

Stuxnet was a nasty virus which disrupted Iran's nuclear IT servers and programs, reportedly a joint product of US and Israeli Intelligence.  It was joined by DuQu, equally powerful, of as-yet undetermined origin, but with capabilities similar to Stuxnet's -- and now by Flame.

And we all went "Hurrah!": the Iranian "nuclear threat" is gone, and Netanyahu won't be able to initiate World War 3 with his belligerent saber rattling over Iran's non-existent nuclear weapon threat!

[Image: The Blue Screen of Death (Wikipedia)]

But now we have FLAME!
A whole new breed of virus, 40 times more powerful than Stuxnet -- which might become the AIDS virus of the Internet.  Is it an Israeli product, grown from the cooperative effort between the US and Israel, which they are flaunting to the world to demonstrate they can disrupt the IT universe?

Or, perhaps the Chinese, who have legions of hackers constantly targeting US and Allied Defense and Intelligence systems around the world?  We're concerned it might be the Chinese; but we're more worried it might be Israel acting independently.

[Image: (c) Kaspersky]

To date, Flame has targeted Iran, Lebanon, Syria, Sudan, and occupied territories in Israel.  The targeting alone pretty much rules out China; why would China care about Lebanon, for example?

Stuxnet was designed to disrupt software, operating systems, and IT equipment.  The coding is similar to that now found in Flame -- which covertly gathers and transmits data, and builds code to adapt to changing environments.  Flame also opens a "back door" through which to program infected computers for new espionage/sabotage tasking.  Professor Alan Woodward commented on the BBC that it "can steal everything [typed], from the keys you are pressing to what is on your screen, to what is being said near the machine."

Light years ahead of the US in electronic surveillance
Flame, only recently discovered, may be an extension of the electronic espionage conducted by the KGB during the Cold War, in which they were able to monitor keystrokes from electric typewriters in US embassies and military headquarters -- far in advance of US technologies of that period; we can only assume the Russians have progressed since then.

Is the new KGB operating at warp speed now, forgoing military might for internet control?  But does Russia have an interest in Lebanon, or the West Bank?  Or should we assume some of those Cold War era KGB programmers emigrated to Israel and were recruited by Mossad?  Given the targeting of Flame, we may have to eliminate the KGB as the culprit.  If it's an Israeli virus, we're very impressed; terrified, but impressed.

Here are some of Flame's capabilities and functions within an infected IT system:
1)  Activate a computer's microphone to record/transmit nearby conversations or over Skype
2)  Convert Bluetooth enabled computers into a "Bluetooth Beacon" to capture names and phone numbers from nearby Bluetooth devices.
3)  Capture and store screenshots on monitors, to include email and instant messaging -- sending that content via a hidden SSL channel back to the hacker.
4)  Scanning capability to track all traffic on a local network, collecting usernames and passwords transmitted across the network.
5)  All of the above to capture administrative accounts and hijack administrator privileges for all computers in a network.

Matrix = Reality?
This is no small or innocuous virus; it is so massive it has to enter IT systems in component elements, the first of which is a six-megabyte file containing a group of other compressed files -- like zip files -- which are later expanded within the system and which, in turn, serve as hosts for later, more functional files entering like Java applets or cookies.

Although computer geeks firmly believe Stuxnet and Flame are unrelated, there is a common denominator: Flame, like Stuxnet, spreads via infected USB autorun and spooler functions.  The difference is that the hacking functions are not automatic, but are manually controlled by the hackers through "at will" commands.

[Image: (c) St Martin's Press]
Ultimately, Flame can be undetectable, as it appears to have a Zero Day functionality; i.e., the malware detects a vulnerability, assesses it, but does nothing to exploit it until ordered to do so by the hacker.  The Zero Day term means that security folks or developers, unaware of the threat, have zero time to protect against the attack once it is initiated by the hacker.

Kind of like the attacks on Pearl Harbor or on the USS Liberty.

So, what now?

We can only assume that the entire IT community is vulnerable.  We know the Administration has been anxious to gain control of the Internet and cell phone systems, and the Flame virus would seem like a proficient mechanism for creating such control.

But, that would label the Administration as the threat -- and of course, we know that can't be true.

Why, we've come to think of our government as a benevolent Big Brother!