Flame elevates security threat of USB drives

While USB drives have long been a security threat, the Flame spying malware brought the use of portable storage devices to a new level of weaponry.

Flame, discovered last month in Iran's oil-ministry computers, used USB ports found on every PC as a pathway to avoid detection by network-guarding security systems. The cleverness of Flame's creators in keeping the malware under the radar was one more example of why it is considered among the most sophisticated espionage-software packages to date.


Because Flame was looking for highly sensitive data, it had to steal the information from networks without internet connections, yet still be able to connect at some point to a remote command and control server, vendor Bitdefender said in its security labs blog. To do that, Flame would move stolen files and a copy of itself to a memory stick inserted in an infected computer.

When the storage device was plugged into another PC, Flame would check to see if it was connected to the Internet and then copy itself and the stolen files to the new host, which the malware used to compress the data and transmit it to the controller's server over HTTPS.

Flame would not store stolen documents in the new host, unless it was sure there was an Internet connection, Bitdefender said. "This is how it ensures that it has the best chances to call back home and send leaked data to the attacker."

The malware hid in storage devices by giving the folder that contained the malware and stolen data a name that Windows could not display. "Because Windows could not read the name, the folder remained hidden from the user, giving him or her no reason to suspect they were carrying stolen information," Bitdefender said.
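As an added defensive illustration (not part of the original article or of Bitdefender's analysis), the following Python script walks a mounted removable volume and flags any file or folder whose name Windows cannot display or open cleanly, which is the hiding trick described above. The sample folder tree it builds in a temporary directory is constructed here for demonstration.

```python
import os
import tempfile
import unicodedata

# Characters Windows rejects in names, and device names it reserves.
WINDOWS_RESERVED_CHARS = set('<>:"/\\|?*')
WINDOWS_RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{i}" for dev in ("COM", "LPT") for i in range(1, 10)}


def name_problems(name):
    """Return reasons a file or folder name would not display or open cleanly on Windows."""
    reasons = []
    for ch in name:
        cat = unicodedata.category(ch)
        # Cc control, Cf format (e.g. zero-width), Cs surrogate (undecodable bytes),
        # Co private use, Cn unassigned: none of these render as a visible glyph.
        if cat in ("Cc", "Cf", "Cs", "Co", "Cn"):
            reasons.append(f"non-printable U+{ord(ch):04X} ({cat})")
        elif ch in WINDOWS_RESERVED_CHARS:
            reasons.append(f"reserved character {ch!r}")
    if name.endswith((" ", ".")):
        reasons.append("trailing space or dot")
    if name.split(".")[0].upper() in WINDOWS_RESERVED_NAMES:
        reasons.append("reserved device name")
    return reasons


def scan_removable_volume(root):
    """Walk a mounted volume; return [(path relative to root, reasons)] for suspect entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            reasons = name_problems(entry)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, entry), root)
                findings.append((rel, reasons))
    return findings


def build_sample_volume():
    """Constructed sample: a benign folder beside one hidden behind a zero-width space."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "reports"))
    hidden = os.path.join(root, "docs\u200b")  # U+200B ZERO WIDTH SPACE, category Cf
    os.makedirs(hidden)
    with open(os.path.join(hidden, "notes.txt"), "w") as fh:
        fh.write("constructed sample\n")
    return root
```

Point `scan_removable_volume` at the mount point of a newly inserted drive; the returned list is what a triage script would log or alert on, since such names will not stand out in Explorer.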

"The main idea behind this is something that we have not seen before: the information mule is a person who is used to carry information between two systems," Bitdefender said.

Flame was capable of infecting networked PCs, but that function was turned off to prevent the malware from spreading too far into a network, thereby increasing its chances of detection. Bitdefender acknowledged that the malware creators might also have had an accomplice who acted as a data smuggler in carrying an infected USB drive from one PC to another.

The success Flame's creators had in using USB memory sticks will be studied by hackers. "The technicalities of how Flame uses the USB stick are new and show that attackers who are determined to penetrate deep inside secure environments are using USB devices to gain that access and to exfiltrate the data they discover too," Liam O Murchu, manager of operations for Symantec Security Response, said in an email Tuesday. "Flamer's use of this USB technique shows that this is an avenue of attack that is highly valuable and will be used again and again."

The infection method was one more entry on Flame's list of sophisticated techniques, which included tricking Microsoft Terminal Services' certificate authority into generating fake digital signatures. Embedded in the code, those signatures made Flame appear to be Microsoft software even as the malware altered and updated itself.

Flame has been linked to the Stuxnet malware blamed for damaging uranium-enrichment systems in Iran's nuclear facility in 2010. Kaspersky Labs discovered that a component of Flame, which was created in 2008, was also in the 2009 version of Stuxnet. Quoting anonymous sources in the Obama administration, The New York Times recently reported that Stuxnet was the creation of U.S. and Israeli government agents.

Because Flame and Stuxnet were highly targeted attacks, neither is believed to pose much of a threat to most corporations. Nevertheless, the vulnerabilities exposed by Flame, particularly the flaw in Microsoft's issuance of digital signatures, were significant. Venafi, which sells key and certificate management technology, reported that more than a quarter of Global 2000 companies were vulnerable to attackers using the exploit. Microsoft has released a patch for the hole.

Stories by Antone Gonsalves