Follow by Email

Saturday, June 30, 2012

Hackers, Part 4: Flame

Remember World War II? Well I don't, because I wasn't alive then! But seriously there is a story or two from WWII that caught my attention a few years ago. In particular, the story of Bletchley Park, of the Enigma cipher and of the mathematicians that broke the code. This heroic story was repeated in several places simultaneously, like the Hawaii-based group that helped break the Japanese Naval cipher JN-25, resulting in a decisive victory at the Battle of Midway. And they were in turn aided by Dutch and British groups.

It was the code breakers at Bletchley Park that pioneered progress in computers, with Claude Shannon and Alan Turing. Often only a nation-state has vast resources and is willing to do the research and gather the best people to make that progress. A similar thing happened at Los Alamos with the Manhattan Project, only on a much larger scale, and in a different field.

With hacking, a similar thing happens. Though individual hackers are very resourceful, the majority of their capabilities builds on the shoulders of others. The zero-day exploits are available on the web. The tools for hacking are available on warez sites. Capture one virus and disassemble it, then modify it. No, individuals rarely are the sharp point on the spear of progress in the really hard problems. They may make discoveries, but not usually the breakthroughs. It has been the nation-state that usually makes that progress and funds the research. The US has a very secret organization based in Fort Meade, Maryland that does this research in signals gathering and code breaking, called the NSA. While long ago this used to jokingly called No Such Agency, today it is simply known as the National Security Agency.

An Impressive Attack

With the Flame virus, the successor to the Stuxnet virus, a very interesting thing happened. The virus posed as a Windows update to be installed, and contained a rogue Microsoft certificate authority. To create this, the virus' creators had to mount a successful attack on the venerable MD5 hash algorithm. This attack allowed them to generate a collision, a file that generates the same hash code as the original plain text.

Such an attack is somewhat time-consuming, and depends upon generating a prefix (called a chosen prefix) that two files have in common. Then the rest of the two files (their suffixes) are adjusted so that they generate the same hash code. This is only part of the attack. Then it becomes clear that, to forge a certificate authority, it is necessary to guess the prefix of the certificate (which Microsoft has probably made it easy to do by generating them in sequential order) and then it is just a matter of having the right amount of computer time to perform a suffix search.

This could be months of computer time, or years, depending on how sophisticated the suffix-generation algorithm is.

This sounds like a world-class attack, not really possible without the resources of a nation state. In the case of Flame, this nation state is the United States. And thus it is highly likely that the NSA has something to do with Flame.

When I heard this, actually I was thinking way to go US. Why? Because I was tired of hearing of all the cyberwar attacks from China and Russia. I was tired of thinking that we were way behind in the US. It looks like both Stuxnet and Flame were the joint product of the US and Israel. If we are on the attack, then we are also on the defensive and that's a good thing.

But there is an inherent danger in the technology of Stuxnet and Flame: it becomes public.

One of the main techniques of the individual hacker, as I mentioned before, is the modification of an existing virus to create a new one. This has already been done with Stuxnet, and soon with Flame. This will cause a serious acceleration of hackers' capabilities. Even in other nation-states.

In particular, it is possible that MD5 is now completely insecure, which will be a real problem for business.

Of course, the other possibility was that Microsoft actually helped the agency responsible for this hack. And actually, I think it may be even more likely that this is true than it might possibly be true that a serious breach of MD5 has occurred. Hmm.

Which one it is remains to be seen.

And you thought that was the interesting part? Well, there are plenty of interesting parts to the Flame virus. In particular, its goals.


This Flame virus (also known as Skywiper) is intended to infect machines in Iran and gather intelligence. Which it does by hijacking Windows 7 server. And it did this by forging the authority certificate so it could masquerade as a certified Microsoft update to Windows 7 server. Flame has been in the wild since October 2010.

How It Functions

This impressive virus, contained in an executable called Flamer.A commandeers machines on the network and installs various modules for intelligence gathering. They are organized into at least 39 modules, many of them written in LUA. Another incredible analysis of Flamer.A. The known and understood modules are listed below. It makes interesting reading for any student of computer security.


This creates the autorun.inf file. This spoofs sutorun.ini, which causes an insertable medium to automatically run. This is commonly used in installers to make it totally automatic.


This component uses a bluetooth card, if one exists, in the infected machine to discover any bluetooth devices like phones and other gadgets. Turns the computer into a discoverable bluetooth device so other devices will interact with it.


Compiles a list of files that appear to be of interest to Flame's creators. This module leaks whole files, like CAD (.dwg) and pictures (.jpg).


This is a configuration module, and it contains the list of modules that can be run on this particular infected computer.


This module extracts local information from the computer that profiles it and its user. Stuff like the names and serial numbers of the volumes, the name of the computer, a list of applications installed, open TCP/IP connections, DNS servers used, files and history from Internet Explorer, contact lists, and even whether the user has a mobile phone. The data is assembled and encrypted using RC4 and also an additional base64 algorithm of unspecified nature. The product data is sent over HTTP in a compressed form.


Looks for documents with extensions like .doc, .docx, .xls, .ppt, etc. and assembles and encrypts them for delivery.


This creates a special desktop.ini and target.lnk file, useful as a clever way of launching Flame automatically when the machine starts up.


This component actively infects computers within the local network. It uses backdoor accounts named "HelpAssistant", created by Limbo.


This component is the one that acts like a legal Windows update server.


This component connects with the command and control server. In other words, it reports back to its masters. It sends all the collected data back. The data is stored in a database named StorageProducts. The product is the leaked data, of course. In Flame's sophisticated approach, data is graded by desirability. Documents (collected by Jimmy) have highest desirability, CAD drawing files are in the middle, and JPEG files (collected by Boost) are at the bottom. If the database gets filled with leaked pictures, they will get thrown out and replaced by more valuable documents.

In restricted networks, a clever technique is used. When the virus spreads, a message is kept which indicates which computers can connect with the command and control server. The data transmission then happens via USB sticks, which get infected by the Euphoria component. When a computer sees a USB thumb drive, and it can connect with the command and control server, then it reads and sends the data collected on the restricted network computer.

All server communication is done in encrypted form so it can't be detected easily.

In an amazing twist, this module can also download new modules from the command and control server, which keeps the virus current, particularly when new threats are noticed or when bugs have been found and fixed.


This module contains a configuration that customizes the particular personality of the attack against the infected computer and its network.


This component decides which is the best method for infecting media, such as USB thumb drives, with Flame for the purposes of propagation. This includes the possibility of using the Autorun mechanism, or the Euphoria mechanism. Also, the stolen data (the contents of a StorageProducts database) that is stored on the USB drive is in a file called dot ("."). This particular name looks like the current directory to Windows and this simple trick ensures that it can't be opened or displayed!


This creates new accounts in the other machines in the network with the innocuous name "HelpAssistant" if possible and if the right privileges are available to the module. These become backdoors.


This component records audio from built-in microphones. It examines all the multimedia devices and selects the appropriate recording device.


This component provides the binary certificate of a Windows server. An HTTP server which responds to /view.php and /wpad.dat (Web Proxy Autodiscovery) requests. So this basically helps to fool the DNS search for a Windows update server.

Rear Window

This is a spying component.

Many spying capabilities have been detected in Flame. For example, it installed keystroke recording malware, took pictures with the computers' webcams, accessed machines' microphones to intercept Skype conversations, make screen captures, and it even used Bluetooth to access local cellphones and extract contacts!


This module detects processes and programs that might be harmful to Flame. This is used to pause Flame when the processes are around, to avoid detection of things like a wholesale directory search.


This module pays close attention to the network traffic. It logs NetBIOS Name Service (NBNS) packets, which helps the virus to determine which computers can be spread to. Sometimes this module only runs when Munch is run.


This contains all the scanning modules. Network scanning, file system scanning, multimedia device scanning, etc.


This component removes the virus from the infected computer when the command and control server gives the word. Flame maintains a stealthy profile by cleaning up after itself.


This is the keystroke logging component.


This contains all the ability to replicate the virus. Copying the files, packaging them into an auto-installing file, etc. The ability to change filename and extension of each transported file is a clever part of this module.


This module prepares a list of all the files on the infected computer. It is careful to pause whenever a process runs that might be looking for a suspicious search of the entire computer's file system, as determined by Security.


  1. Hi Mark, I just wanted to coin in here and mention how amazing your blog is. You have so much insight into such diverse and interesting topics (I was originally drawn here by your posts on Painter), it's been a true pleasure stop by from time to time. Keep up the great work!

    1. Thanks! I try to keep my standards high. Right now, I'm working on another post with lots of illustrations. These posts take me a bit of time, you see. But a lot of the time has also been taken up by my summer vacation. Just got back and now work is slightly overwhelming.

      I'm certainly glad you found my post on Flame interesting. I like to observe the hacking chronicles and read between the lines. I think the world of hacking and cybersecurity is coming to a crisis. Perhaps it's headed for a William Gibson-like dystopia. But that would not be a good thing.

      It's because people love to hack and attack and do it all "for the lulz" that walled gardens are looking better and better all the time. In order for the world to go on and people to get stuff done, we need security to be better than it seems to be.

      Paint on!