Analyst: Flame Devs Used FOSS to Help Them Hide
Sep 17, 2012 12:25 PM PT
The researchers say work on the Flame C&C platform began in 2006, earlier than previously believed, and that the platform is still under development.
They have found a new, as-yet unimplemented protocol, called the "Red Protocol," on the C&C servers.
"The use of open source software can serve to help hide code in plain sight," Randy Abrams, a research director at NSS Labs, told TechNewsWorld.
Custom code "is far easier to algorithmically identify," while open source code "hampers the ability to attribute the style of coding to a programmer or group," Abrams continued.
New Discoveries About Flame
The control panel code for the C&C servers was discovered in "newsforyou/CP/CP.php," Kaspersky Lab reported.
In addition to PHP, the Flame developers used Python and bash, Kaspersky Lab discovered. One server image obtained by Kaspersky was a typical LAMP setup (Linux, Apache, MySQL, PHP). It was used to host the control panel and run some automated scripts in the background.
"Newsforyou" processes the Flame client interactions and provides a simple control panel that lets the attackers upload and download code to and from infected computers, Symantec reported. It contains functionality that lets it communicate with computers compromised with different types of malware using different protocols.
The Art of Misdirection
Flame's control panel looked like a very early alpha version of a botnet C&C control panel, Kaspersky Lab said. This gave rise to the initial belief that the malware was put together by amateurs.
However, the researchers now realize the attackers deliberately chose this interface. Instead of using professional dev terms such as "bot," "botnet" or "infection" in the control panel, Flame's creators used common words such as "data," "upload," "download," "news" and "blog," in what Kaspersky believes was a deliberate attempt to deceive anyone running an unexpected check on the software.
However, a coding error let researchers retrieve a file containing the history of the C&C servers' setup and the nicknames of four devs who had worked on the code.
The Curse of Openness
"In some cases, using open source software might simply indicate a lack of expertise in creating what is required from scratch," Vikram Thakur, principal security response manager at Symantec, told TechNewsWorld. "However, in other instances using open source software might very well be done to make it more difficult to attribute specific code to a specific person. Thus, another reason for using open source software is indeed evasion."
Further, Flamer "was so large because of the included open source elements that to some it gave the appearance of a non-malicious program," Thakur stated. This "could certainly have been part of the attackers' plans to fly under the radar."
The very nature of open source means the community is helpless to prevent its use by hackers.
"The community does take action to review and police updates to the source code, but, as for the use of open source in personal projects, there is no policing, as that would be counter to the purpose," Frank Artes, a research director at NSS Labs, told TechNewsWorld.
Family Ties to Stuxnet, Duqu
"We saw a lot of custom code in Stuxnet and Duqu, which are related threats," Symantec's Thakur said. "This leads us to believe that, while [it's] related to the other two threats, [Flame] was coded by a completely independent group, possibly just contracted for this specific job."
The US and Israel created Flame to slow Iran's nuclear efforts, according to the Washington Post.
If true, that might explain why the US government, at least, has kept security companies outside the loop instead of enlisting their help.
"I have neither a prescription for, nor a source of, the drugs required for that level of speculation," NSS Labs' Abrams said. "There will always be government projects that outside companies are not asked to participate in because of the need to vet participants and to keep knowledge contained."