FLAME: THE NEXT ERA OF ADVANCED DIGITAL WARFARE
A WEAPON MADE OF CODE
• In 2010 Stuxnet grabbed headlines for being the first digital weapon that targeted physical infrastructure
• The revolution did not stop there: in 2012 a new type of malware was found attacking computers all around the world
• Known as “Flame”, this malware was vastly more complex than either Stuxnet or Duqu
• Flame is NOT the successor to Stuxnet – Flame is built on an entirely different platform
• However, Flame has sections of code which are identical to an early variant of Stuxnet
CYBER ESPIONAGE – STEALING INFO
• Flame is meant to steal vast quantities of information
• Information is stolen from an infected computer using a variety of methods: browsing storage, logging keystrokes, turning on the webcam and Bluetooth
• Flame supports multiple encryption and compression methods to obscure the information it gathers
• All gathered information is sent to a remote C&C server if a network connection is available
• Otherwise Flame can infect a USB stick, spread to another computer and use its network connection to transmit the data
WHAT DO BEETLEJUICE, MICROBE AND BUNNY HAVE IN COMMON?
• All three – and many others – are examples of modules included in Flame
• Flame has a wide range of functionalities and each function is handled by a specific module
• Beetlejuice turns on the Bluetooth and Microbe turns on the microphone for information gathering
• The Security module checks for the presence of security software
• The purpose of modules such as Bunny and Driller is currently unknown
• Flame installs its modules on an infected computer, unlike Duqu which downloads them as needed
CYBER ESPIONAGE – NOT GETTING CAUGHT
• As mentioned before, Flame checks for any security software installed, using an extensive list of over 300 entries
• The malware can even modify itself depending on what kind of security product is installed, for example the file extension it uses
• Flame injects code into running processes like other malware, but does so in a way that cannot be found using a conventional memory scan
• Flame is engineered to cause minimal disruption – it creates mutexes to keep only one instance of itself running
THE SPREAD OF FLAMES
• Flame has multiple means for spreading itself to other computers
• The malware can infect a USB stick; when the USB stick is plugged into another computer, Flame will infect the new device
• A more ingenious method is to disguise itself as an installer for Windows Update
• Man-in-the-Middle Attack: when nearby devices attempt to download updates, they are in fact connecting to the infected computer and downloading malware
[Diagram: Computer, Computer, Infected Computer, Windows Server]
• The computer infected with Flame is disguised as a proxy for Windows Update
• Other devices connect to the infected computer, believing it to be a legitimate proxy for Windows
• But in actuality they are downloading and installing Flame, not actual updates
• For this to work Flame must appear as if it were created by Microsoft; this requires a fake certificate and signature
[Diagram: Microsoft Activation Server, Licensing Server, Client, Public Key, Private Key]
• When a licensing server is activated, it may obtain a certificate from Microsoft in an automated process
• The licensing server generates a public and private key pair, then sends an activation request to the activation server along with the public key
• The activation server responds with a certificate for the public key, signed by a Microsoft issuing authority
• Since the private key matches the public key (as well as the certificate), the private key can now be used to sign licenses
PROBLEMS?
• The process is automated – there is no verification of the person who is actually requesting the certificate
• No identifying information on the certificate, only the licensing server name
• No restrictions on how the certificate may be used – it is meant to be used to sign licenses, but the private key may also be used to sign code (such as Flame)
• Essentially this allows anyone with a licensing server to obtain their own certificate and sign code as if it were made by Microsoft
ZERO DAY: CREATING FAKE YET VALID CERTIFICATES
• Certificates signed by Microsoft in this way have a Hydra Extension
• The Hydra Extension prevents certificates from being validated on Vista and Windows 7
• The attackers wanted Flame to validate on all versions of Windows; hence they needed to make their own fake certificate that would not have the Hydra extension
• In order for this fake certificate to validate as being legitimately signed by Microsoft, it would need the same hash value as an authentic certificate
MD5 HASH COLLISION ATTACK
• MD5 refers to the algorithm used to generate hash values – input a file into the algorithm and it will generate a hash value to identify the file
• Ideally there is no overlap of hash values and each unique file will have its own hash value
• A hash collision attack creates two different files that, when placed into the algorithm, will generate the same hash value for both files
• This is done by adding specially computed blocks to both files until their hash values match, or “collide” with each other
HASH COLLISION IN FLAME
• The attackers used a hash collision attack to create a fake certificate that would match the hash value of an authentic certificate signed by Microsoft
• This fake certificate would not have the Hydra extension and can be used on all versions of Windows
• But how would the attackers know the exact hash value of the authentic certificate, before Microsoft had even issued it?
• The answer is that they do not: the attackers would have to predict the hash value of the signed certificate along with all the other information on it
[Diagram: First Certificate, Second Certificate]
• Attackers would begin by using a hash collision to create two certificates with matching hash values
• The public key for the second certificate would be sent to the activation server, as a normal activation request
• The activation server would respond by recreating the certificate that the attackers predicted would be made
• When successful, the result is a fake certificate that matches the hash value of an authentic certificate
[Diagram: Fake Certificate, Authentic Certificate, Flame, Activation Server]
THE RESULT
• The attackers would have a fake certificate that matches the hash value of an authentic certificate
• The content of the fake certificate would be different – it has no Hydra extension and the device name is “MS” to spoof Microsoft
• But digital signatures depend on the hash value: since the hash values of the fake and authentic certificate are identical, the fake certificate can now be used to sign code
• Thus the fake certificate was used to sign Flame, allowing it to validate as Windows Update on all versions of Windows
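As an added illustration that is not part of the slides, the Python below models the property both the MD5 collision slide and this result slide rely on: a CA signs only the hash of a certificate, so two different certificates with the same hash share one valid signature. It assumes a constructed 24-bit truncated SHA-256 as a stand-in for MD5's broken collision resistance (so a collision can be found by brute force here) and an HMAC over the digest as a stand-in for the CA's RSA signature; the certificate contents are constructed strings.

```python
"""Toy model of signature transfer via a hash collision (added example).

The 'weak hash' is a 24-bit truncation of SHA-256, constructed so that a
chosen-prefix collision is cheap; it stands in for MD5. The 'signature' is
an HMAC over the digest, standing in for RSA signing of a digest.
"""
import hashlib
import hmac
import os

HASH_BYTES = 3  # 24-bit toy hash: birthday collisions after ~4096 tries


def weak_hash(data: bytes) -> bytes:
    """Constructed collision-weak hash (stand-in for MD5)."""
    return hashlib.sha256(data).digest()[:HASH_BYTES]


def sign_digest(key: bytes, digest: bytes) -> bytes:
    """The signer only ever sees the digest, as with real signature schemes."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    """Verifier recomputes the hash of the presented document and checks it."""
    return hmac.compare_digest(sign_digest(key, weak_hash(data)), sig)


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, max_tries=1 << 20):
    """Append counter blocks to two different prefixes until the weak hashes
    collide (the slides' 'specially computed blocks', done here by birthday
    search, which only works because the toy hash is tiny)."""
    seen_a, seen_b = {}, {}
    for i in range(max_tries):
        block = i.to_bytes(4, "big")
        doc_a, doc_b = prefix_a + block, prefix_b + block
        h_a, h_b = weak_hash(doc_a), weak_hash(doc_b)
        if h_a == h_b:
            return doc_a, doc_b
        if h_a in seen_b:
            return doc_a, seen_b[h_a]
        if h_b in seen_a:
            return seen_a[h_b], doc_b
        seen_a[h_a], seen_b[h_b] = doc_a, doc_b
    raise RuntimeError("no collision found within max_tries")


def demo() -> dict:
    """CA signs only the authentic document; the colliding fake verifies too."""
    ca_key = os.urandom(32)  # constructed CA signing key
    authentic = b"CN=Licensing Server; usage=license-signing; hydra=present; "
    fake = b"CN=MS; usage=code-signing; hydra=absent; "  # constructed
    doc_auth, doc_fake = chosen_prefix_collision(authentic, fake)
    sig = sign_digest(ca_key, weak_hash(doc_auth))  # only this one is signed
    return {
        "docs_differ": doc_auth != doc_fake,
        "weak_hashes_equal": weak_hash(doc_auth) == weak_hash(doc_fake),
        "fake_verifies": verify(ca_key, doc_fake, sig),
        # A collision-resistant hash separates the two documents again.
        "full_sha256_differs": hashlib.sha256(doc_auth).digest()
        != hashlib.sha256(doc_fake).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway is the last field: the transferred signature depends entirely on the hash being collision-weak, which is why signing infrastructure must not accept MD5.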