On May 28, Kaspersky published the Flame malware announcement. The announcement highlighted Kaspersky’s research work for the UN that discovered “new advanced cyber-threat.” A Los Angeles Times story headlined “Russian computer experts who detected Flame malware issue warning,” giving Kaspersky center stage to hype the Flame malware:
“We entered a dark room in search of something and came out with something else in our hands, something different, something huge and sinister,” Vitaly Kamlyuk, a senior antivirus expert at Kaspersky Lab, said in an interview Wednesday.
The London Telegraph ran a story, “Flame virus most powerful espionage tool ever, UN warns” which gave the UN its chance to make statements about the Flame malware like this:
“This is the most serious warning we have ever put out,” said Marco Obiso, cyber security coordinator for the UN’s Geneva-based International Telecommunications Union.
and from the same article, the Flame malware is also, apparently, like a bomb:
“Orla Cox, a security analyst at the security firm Symantec, said that Flame was targeting specific individuals, apparently Iranian related. ‘The way it has been developed is unlike anything we’ve seen before,’ she said. ‘It’s huge. It’s like using an atomic weapon to crack a nut.’”
Dang! That sounds scary. Fortunately the hype flamed out within a week and cooler analysis began to prevail. John Leyden over at The Register went so far as to call the Flame malware “bloatware.” You can judge for yourself about how Big A Deal the Flame malware is by reading the two authoritative sources on technical information. The first is Alex Gostev’s Q&A at securelist.com. The second is the CrySyS Lab report, which uses the malware’s original name, “SkyWiper.”
Hype or not, from an IT security perspective the Flame malware has been handled by the antivirus industry. IBM’s X-Force Research Center gave the malware its lowest severity rating and noted:
“At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.”
Flame malware and the Leaky Abstraction strategy
What interests me the most about the Flame malware are the multiple reports that it is a targeted attack. Best I can tell, there is no intelligence or heuristic in the Flame malware itself that targets machines. Instead, the Flame malware spies on the computer and sends data back to a set of command and control servers. The Flame malware then waits for more instructions. One of the commands that can be sent to the infected machine is a kill module that causes the Flame malware to completely remove itself from the system. This allows the controllers to home in on more interesting victims.
Put yourself in the shoes of the people at the Flame malware command and control center. Every additional machine that gets infected is an additional risk that the Flame malware will be discovered. Also, the more “interesting” a target machine is, the more closely it is likely to be monitored and inspected for malware. The risk of being detected increases the more interesting the target machine is. Given those two fundamental facts, what would be your strategy for gathering as much useful espionage data from the Flame malware?
My strategy would be to exploit the rule of Leaky Abstraction. I would find the machines, and people, that have access to sensitive information even though they are not supposed to. Access control is insanely difficult to get right. Just ask anyone who’s ever been asked to create a model of all the roles in an organization. We like to think that we can define a clean well-defined set of roles. People are either in the role or not. They either have the capabilities of the roles or they don’t.
In the real world, there are always exceptions. There’s always this one guy who doesn’t need to be put in the role, but he needs just this one capability normally reserved for that role. So somebody makes an exception for him in an access control system some place. This is the leak in the abstraction of the role. Next thing you know, the number of these abstraction leaks dwarfs the number of actual role-based access control rules.
These abstraction-leak people are the ones whose machines may not be watched as carefully. These are the same people who might be using their machines for both personal and business purposes, or who compromise their machines in other ways.
Turning the scenario around, as the data center security manager, what would be a good strategy for detecting and discovering Flame malware or some similar espionage tool? I haven’t seen any technical description of how the Flame malware sent captured data to its command and control centers. But you have to figure it’s done in such a way that your average content inspection system can’t make heads or tails of it.
My gut reaction to this scenario is to compare patterns of connections against a baseline captured over time. Why did Alice’s machine connect 5 times last month to a server it had never connected to in the past year? And why did Bob’s machine connect to it 5 times the month before that?
That’s a tough job: it requires huge amounts of baseline data and a fairly high tolerance for false positives, because you have to assume the attacker is going to try to blend the malware’s activity pattern into the background noise. Tools like QRadar Network Activity Monitor seem to be the best way to detect and plug those leaky abstractions that seem to be so vital to getting things done in a typical IT environment.
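The baseline comparison described above, as an added example that is not part of the original post: a per-host baseline of destinations is built from older connection records, and every destination a host contacts in the observation window that is absent from its baseline is reported month by month, then grouped so that the Alice-then-Bob pattern (several hosts drifting to the same new server in successive months) stands out. The log format and every line in it are constructed for the example; a real deployment would feed flow records from a collector.

```python
# Added example (not from the original post): flag hosts that contact a
# destination they never talked to during a baseline window, then group
# those destinations by how many distinct hosts drifted to them and when.
# The log format (date host destination) and all lines are constructed.
from collections import defaultdict
from datetime import date

LOG = """\
2011-06-03 alice-pc 203.0.113.10
2011-09-20 bob-pc 203.0.113.10
2012-03-02 bob-pc 198.51.100.7
2012-03-09 bob-pc 198.51.100.7
2012-03-15 bob-pc 198.51.100.7
2012-03-21 bob-pc 198.51.100.7
2012-03-28 bob-pc 198.51.100.7
2012-04-01 alice-pc 203.0.113.10
2012-04-04 alice-pc 198.51.100.7
2012-04-06 alice-pc 198.51.100.7
2012-04-12 alice-pc 198.51.100.7
2012-04-19 alice-pc 198.51.100.7
2012-04-27 alice-pc 198.51.100.7
2012-04-30 carol-pc 203.0.113.10
"""

def parse(text):
    for line in text.splitlines():
        day, host, dst = line.split()
        yield date.fromisoformat(day), host, dst

def new_destinations(text, baseline_end, observe_end):
    """Return {(host, dst): {YYYY-MM: count}} for destinations a host contacted
    after baseline_end (up to observe_end) but never on or before baseline_end.
    A host with no baseline at all (carol-pc) is reported in full: that is the
    false-positive cost of this approach, and needs a longer baseline to fix."""
    baseline = defaultdict(set)
    observed = defaultdict(lambda: defaultdict(int))
    for day, host, dst in parse(text):
        if day <= baseline_end:
            baseline[host].add(dst)
        elif day <= observe_end:
            observed[(host, dst)][day.strftime("%Y-%m")] += 1
    return {k: dict(v) for k, v in observed.items() if k[1] not in baseline[k[0]]}

def shared_drift(findings):
    """Group the new destinations by host: one picked up by several hosts in
    different months is the pattern worth a closer look."""
    by_dst = defaultdict(dict)
    for (host, dst), months in findings.items():
        by_dst[dst][host] = months
    return {dst: hosts for dst, hosts in by_dst.items() if len(hosts) > 1}
```

Run with `new_destinations(LOG, date(2012, 2, 29), date(2012, 4, 30))` and pass the result to `shared_drift` to see 198.51.100.7 reported with bob-pc in March and alice-pc in April.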
What’s Your Strategy?
If you were running the Command and Control center for the Flame malware, what would be your strategy for deciding which machines to infect and which machines to remove the malware from? Then put on your data center security manager hat and ask yourself, how would I defend against that attack strategy? I’d like to hear your ideas in the comments.