Promotions:

FREE Threat Assessment

Find out what is getting through your security systems with a FREE threat assessment

Latest News:

Code Red - The latest zero day vulnerability, the Heartbleed Bug in the OpenSSL cryptographic library. Affects tech providers using OpenSSL's 1.0.1 and the 1.0.2-beta release.

Platform Updates:

Version 1.2: Intrusion Detection

Client Login
Sign on Register Forgot?
  • 01924 919241
Home / Blog / The Flame Virus

The Flame Virus New Type of Ctber Attack

panosec logo
the flame virus

The Flame Virus

The Beginning

Twenty five years ago the worldwide web was invented by Tim Berners Lee. The initial aim was to connect millions of computers to each other. Connecting over what is known today as the Internet. It was one of the greatest inventions ever invented for all mankind. Alongside, the connection medium called the internet. This was initially ignited by the U.S Department of Defence (The Arpanet).

Vitaly Kamlyuk -Kaspersky’s Chief Malware Expert (RT, May 29, 2012) suggests by concluding his research that it seems the U.S Department of Defence, the US Government and other Governmental departments from around the World want to take back control of the web and use it as well as a means to launch cyber attacks. Kamlyuk in the interview claims Cyber Warfare has already been going on for a few years by Governments but because you cannot see it then people are not aware of it. If they are not aware of it then Governments can continue to have “secret wars”. The most powerful Cyber Weapon or (advanced nation-sate malware) ever created is called the Flame Virus.

It was also the Kaspersky Lab requested by the ITU in 2012 to investigate a piece of unknown malware which was deleting sensitive information. (The ITU calls for global collaboration to tackle Cyber Security threats) cited in ITU, (May 2012).

What is the Flame Virus.

Munro Kate. (October 2012) expands our viewpoint of what the Flame Virus is. The Flame virus attacks computers on the Windows Operating System. It was specifically being used to target Middle Eastern Countries and was passing on sensitive information for two years undetected. 40 times larger than Stuxnet which infected the Iran´s Nuclear centrifuges by making them spin out of control under the disguise of normal operation. Flame is also 50 times larger than regular malware.

It contains 20 modules in total, initially not all modules to prevent detection from antivirus software. Most modules finally get deployed on the devices sending sensitive information through to the flame creators.

How the Cyber Attack was Implemented:

FSecure a global IT Security Company wrote a report on how the Flame Virus took infected computers through a Microsoft security flaw. Hypponen, Mikko.(4 Jun 2012)

To summarise one specific module attacks the Microsoft update services system. It loads a program called WVSETUPV.EXE onto a computer. This program is disguised as a valid, signed Microsoft windows update that even links to the correct Microsoft root.

With it cleverly being disguised as a Microsoft update, it would not appear suspicious to the user. The irony was in the solution by Microsoft to remove these three un-trusted certificates via a Microsoft Update. The problem with this as with all Microsoft updates is that if the end user or the network administrator does not install the patch in the form of the Microsoft update this means devices will not be prevented to future similar attacks. Moving forward, Microsoft have configured a new way to issue their update certificates by ensuring each user will have fresh certificates on each update.

Debarati, Roy. (May 30, 2012) The reason why Flame is so much larger is due to it containing many different libraries for compression and database control. The size is also attributed via the use of LUA programming language which interprets numeric code.

Other sources include infected USB memory stick, infected network PC. Spear-phishing email and users using affected websites. The Flame virus looks for many types of sensitive data including email and documents. Flame can record audio and take regular screen shots to send data back to the flame creators over a SSL connection. If Bluetooth is enabled then flame can also pass back information on nearby devices. Flame can also self replicate but via an operator being in control as oppose to a bot.

“It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”

Gostev, Alexander. (May 28 2012) cited in The Flame: Questions and Answers

Legal Issues

The problem with Cyber Attacks is that they are usually cross border acts of crime. As a result laws will differ for each Country; some laws may not be even in place. Ethically, it is wrong to attack Computers to steal data and for espionage. The Laws are taking time to catch up with the rapid level of sophisticated cyber attacks.

One can adopt the International Law approach using Article 51 of the U.N. Charter, which states the right of self-defence. By using legal use of force in response to an “attack”. As summarised from UN. (n.d) Chapter VII: Action with respect to threats to the peace.

Lotrionte, Catherine, (2012) p443. Suggests it will most likely be up to individual Countries through trial and error to develop the laws.

One can look to Europe for guidance and assistance via the European Convention of cybercrime which acts as a guide for any Country developing legislation against Cybercrime and promotes cooperation between other states. Council of Europe (n.d.).Action against economic crime.

The UK and US have evolved some of their laws that could be used. However, these Countries could be the actual source of the attack. Some Countries like the UK already have existing laws that could be used as a legal framework. Such as,

Computer Misuse Act Section 1 – which states the unauthorised access to a program or data and section 3 for virus writing and making hacking tools. Computer Misuse Act 1990, (ch 18) London: HMSO. Human Rights Act 1998 Article 8 – the right to privacy and private family life. Human Rights Act 1998, (ch 42) London: HMSO.

Conclusion:

Flame was a game changer for malware threats. It became an instrumental tool for cyber attacks. Sophisticated threats will mean the requirement for sophisticated proactive security and an agreed robust international legal framework. Otherwise Governments will continue to evolve and use their Cyber weapons. At the very least these attacks are a wakeup call for all businesses nationally as well as internationally to adhere to compliance standards that will help protect their business and customer data.

A business can adopt various international compliance standards such as ISO27001for Security Management, ISO 27032 for Cyber Security Guidelines and PCIDSS for Payment Card Data Security. Certification in these would be advantageous but if they only used these standards as a guideline. This would help them build an ongoing proactive strategy. Either way adopting ISO standards is a great place for a business to start to combat cyber attacks.

Bibliography

Council of Europe (n.d.).Action against economic crime

Available from: http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_e

[Accessed 24/10/16]

Computer Misuse Act 1990, (ch 18) London: HMSO.

http://www.legislation.gov.uk/ukpga/1990/18/contents

[Accessed 24/10/16]

Debarati, Roy. (May 30, 2012)

Flame Malware: All You Need to Know

Available from: http://www.networkworld.com/news/

[Accessed 24/10/16]

Gostev, Alexander.(May 28 2012)

The Flame: Questions and Answers

Available from: https://www.securelist.com/en/blog/

[Accessed 24/10/16]

ITU. (May 2012)

ITU Telecom World 2012 to provide platform to examine core global cybersecurity issues

Available from:

http://www.itu.int/net/pressoffice/press_releases/

[Accessed 24/10/16]

Human Rights Act 1998, (ch 42) London: HMSO.

http://www.legislation.gov.uk/ukpga/1998/42/contents

[Accessed 24/10/16]

Hypponen, Mikko.(4 Jun 2012)

Microsoft update and the nightmare scenario. F-Secure

Available from: www.f-secure.com/weblog/

archives/00002377.html.

[Accessed 24/10/16]

Munro, Kate. (October 2012)

Deconstructing Flame: the limitations of traditional defences

Computer Fraud & Security, Volume 2012, Issue 10,pp. 8-11

Available from: http://www.sciencedirect.com/science/article/pii/

[Accessed 24/10/16]

Lotrionte, Catherine, (2012)

State Sovereignty and Self-Defense in Cyberspace: A Normative Framework for Balancing Legal Rights.

Emory International Law Review, Vol. 26, Issue 2 (2012), pp. 825-920

Available from: http://www.heinonline.org/HOL/

[Accessed 24/10/16]

UN. (n.d) Chapter VII: Action with respect to threats to the peace, breaches of the peace, and acts of aggression

Available from: http://www.un.org/en/documents/charter/chapter7.shtml

[Accessed 24/10/16]

RT. (May 29, 2012)

Flame’ Virus explained: How it works and who’s behind it

Available from: http://rt.com/news/flame-virus-cyber-war-536/

[Accessed 24/10/16]

Author: Ian Ayliffe