Thursday, May 31, 2012

Will we get burned by our own Flame?


Screen shot courtesy of Alexander Gostev/SecureList 
This code sample from the Flame virus shows where the malware got its name. It is 20 MB in size – huge by typical malware standards – and is an extremely difficult piece of code to analyze.
Looks like the days of cloak and dagger are over.

Today’s espionage seems to be all about computers and data.

On Tuesday it was reported that thousands of computers in Iran and across the Mideast have been infected with a sophisticated new virus called Flame.

Unlike previous malware attacks on Iran which were designed to disable or disrupt the infected computers, Flame appears to be just snooping around and gathering as much information as possible. According to Alexander Gostev, the head of the Global Research and Analysis Team at Kaspersky Lab, a Russian information-technology security firm known for its antivirus software, Flame can steal data in some unique ways, like turning on a computer's microphone to record audio, scanning for Bluetooth-active devices and taking snapshots of computer screens.

“The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame’s completeness – the ability to steal data in so many different ways,” he writes in his recent SecureList blog posting. “Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.”

“The malware [also] has the ability to regularly take screenshots,” he continued.  “What’s more, it takes screenshots when certain ‘interesting’ applications are run, for instance, IMs.”

Prior to Flame’s discovery, the only “super-viruses” that existed were in the movies or on TV. They were usually the product of some super-rich megalomaniac bent on world domination or a small group of super-smart hackers or some shady cabal with nefarious goals.  But now it seems some government has taken a page from Hollywood’s playbook.

I say government, because cybersecurity researchers interviewed by The Wall Street Journal said “the complexity of Flame's coding and comprehensiveness of its spy capabilities could suggest it was the work of a government.”

“Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states,” Gostev said. “Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”

Now I am not suggesting that our government shouldn’t be engaging in this type of cyber-espionage. On the contrary, I think we and our allies need to do anything necessary to stop Iran or any other governments controlled by radicals and/or fanatics of any sort from developing nuclear weapons.

But my fear is that we are releasing the proverbial genie from the bottle and are making ourselves vulnerable to the same kind of attacks. It’s well known that the Chinese military already employs hackers whose sole job is to breach other countries’ computer systems. According to some secret government documents which were leaked to WikiLeaks in December 2010, U.S. government agencies have been targeted several times with phishing attacks (social engineering attacks) since late 2002.

If we are going to engage in this kind of cyberwarfare, then we as a country need to be damn sure our critical computerized infrastructure systems are secure.

And they are not.

Just ask former N.J. governor Tom Kean and former Indiana congressman Lee Hamilton, who were co-chairs of the 9/11 Commission and now run the Bipartisan Policy Center's Homeland Security project. 

"Much like the situation before the September 11, 2001, attacks, the federal government is not adequately organized to deal with a significant emerging national security threat," Kean and Hamilton said in a letter sent to Senate leaders urging action on cybersecurity. Both men cited recent statements by Director of National Intelligence James Clapper and FBI Director Robert Mueller warning that the cyber threat is expected to overshadow other terrorist threats facing the United States in the not-too-distant future.

If that doesn’t worry you, take a look at the U.S. government’s own Computer Emergency Response Team’s (CERT) web site. The number of patches issued by software vendors to close recently discovered security problems in the software we use every day is staggering, as is CERT’s list of current vulnerabilities.

This isn’t a problem that just affects Microsoft products. As demonstrated by the Flashback virus, even Apple products – which many believed to be immune to such attacks – are susceptible.

Cybersecurity isn’t just a government matter. We need to get our private sector to take it seriously too. We need them to start producing better software that can’t be exploited by every hacker with a few hours to kill and hardware that is less vulnerable to being hijacked.

The general public also has a role to play. Everyone who uses a computer should make it their business to learn how to protect themselves online. And I’m not talking about just creating passwords that are harder to guess than your kids’ birthdates or your pet’s name.

As a computer technician, I can tell you that you would be surprised by how many viruses I’ve had to remove from the computers of otherwise intelligent people because they fell for some scam that they never would have fallen for in real life, or because they just clicked on some link or downloaded some “program” or screensaver without thinking.

Flame should be our wakeup call that we need to strengthen our cyberdefenses now, lest we get burned by it later.

1 comment:

  1. Why does this bring visions of Hal from 2001 or Colossus the Forbin project to mind; let alone the Terminator. Wouldn't it be ironic if real AI developed from sophisticated malware?