

The Flame Virus – Have the CIA and NSA Infiltrated Microsoft?



As part of the ongoing investigation into the Flame malware saga, some reports have suggested that software giant Microsoft may have been infiltrated by undercover agents from the CIA and NSA. (1)(2)

Mikko Hypponen, the chief research officer at security firm F-Secure, claimed it is a logical conclusion to make following the discovery that the malware used confidential Microsoft certificates in order to infect and access machines.

The Flame “toolkit” is a very large and complex piece of software that was targeted against specific networks in the Middle East. It is thought over 1000 computers have been infected with the malware, with the vast majority of these being in Iran.

The software had been operating completely undetected since 2010, and its capabilities read like they have been taken right out of a spy thriller.

The Capabilities of Flame

Like most malware, Flame is equipped with a keylogger to capture everything that is typed on the target machine, and a screen grabber to capture screenshots when high-value programs such as email and instant messenger clients are opened.

The Flame arsenal also includes a tool that searches both local and network drives for documents and PDF files, with a filter component to extract excerpts from everything it finds in order to enable the malware operators to only target the really interesting material.

In addition to these programs, which can be found in thousands of other malware Trojans on the Internet, there are several modules that are not so run-of-the-mill.

One program can turn on the computer’s internal microphone in order to record any conversations that are taking place in the vicinity, saving these as audio files which are then sent to the malware operators.

Another searches the infected computer and the network for images that have been taken with digital cameras in order to extract the GPS coordinates from them. Yet another module searches for paired Bluetooth mobile phones in order to steal their address books.

All of this collected information is then encrypted before being sent on to its untraceable destination. The software can even extract information from machines that aren’t connected to a network, by utilizing external USB drives and adapters that have been used in infected computers. (3)


Undetected for Almost Two Years

By far the most impressive feat, however, is exactly how the malware managed to remain undetected for so long. Fully patched and updated Windows computers, many with the latest antivirus programs and definitions, all failed to spot this huge collection of malware that was up to no good on all of these machines.

Flame got past the usual detection methods by creating a local proxy server which intercepted network traffic meant for Microsoft Update. Normally, this type of “man in the middle” attack would be impossible to pull off, because servers of this type require Microsoft security certificates in order to verify the identity of the computer in question.

The Flame developers used a hitherto unknown exploit in Terminal Services Licensing in order to repurpose security certificates, thus appearing to other computers as the genuine article.

Newer versions of the Windows operating system were not susceptible to this kind of attack, so in order to appear genuine to these machines, Flame used cutting-edge cryptographic research and required processing power only found in state-of-the-art supercomputers. (4)
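The passages above turn on one point: a certificate that chains to a trusted root is only as good as the purpose its issuing CA was allowed to grant. The following is an added example, not code from the article or from Microsoft, showing the defender's side of that rule. It builds a throwaway PKI with the Python `cryptography` package (a root, an intermediate restricted to a constructed "licensing only" purpose, and a client certificate that also claims code signing; all names and the OID `1.3.6.1.4.1.99999.1` are hypothetical) and compares a verifier that consults only the leaf's Extended Key Usage with one that honours the EKU of every CA in the chain. The latter is the general rule, and it rejects the repurposed certificate even though every signature in the chain is valid.

```python
"""Chain + EKU check: a certificate that chains to a trusted root is still not a
valid code signer if its issuing CA was only ever permitted to issue for another
purpose. Constructed demo PKI (hypothetical names and OID), not Microsoft's."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed private-arc OID standing in for a "licensing only" purpose (hypothetical).
LICENSING_ONLY = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")
CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING
ANY_EKU = ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(cn, issuer, issuer_key, pubkey, *, is_ca, ekus=None):
    """Issue a certificate for `pubkey`, signed by `issuer_key`; `issuer` is an x509.Name."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn)).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5))
         .not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ekus is not None:  # no EKU extension at all means "unrestricted"
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def _permits(cert, purpose):
    """True if the certificate's EKU (or its absence) allows `purpose`."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return purpose in eku or ANY_EKU in eku


def chain_permits(chain, root, purpose, *, honour_ca_eku=True):
    """chain = [leaf, intermediate, ...]; the top of the chain must be issued by `root`.
    Returns (ok, reason). With honour_ca_eku=False only the leaf's EKU is consulted,
    which is the shortcut that lets a repurposed certificate through."""
    if not chain:
        return False, "empty chain"
    for cert, issuer in zip(chain, chain[1:] + [root]):
        if cert.issuer != issuer.subject:
            return False, f"{_cn(cert)}: issuer name does not match {_cn(issuer)}"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, f"{_cn(cert)}: signature was not made by {_cn(issuer)}"
        if issuer is not root and not issuer.extensions.get_extension_for_class(
                x509.BasicConstraints).value.ca:
            return False, f"{_cn(issuer)}: not a CA"
    to_check = chain if honour_ca_eku else chain[:1]
    for cert in to_check:
        if not _permits(cert, purpose):
            return False, f"{_cn(cert)} does not permit {purpose.dotted_string}"
    return True, "ok"


def build_demo_pki():
    """Root -> licensing-only intermediate -> client certificate that also claims code signing."""
    root_key, lic_key, client_key = (
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(3))
    root = make_cert("Demo Root CA", _name("Demo Root CA"), root_key,
                     root_key.public_key(), is_ca=True)
    lic_ca = make_cert("Demo Licensing CA", root.subject, root_key,
                       lic_key.public_key(), is_ca=True, ekus=[LICENSING_ONLY])
    client = make_cert("Demo Licensing Client", lic_ca.subject, lic_key,
                       client_key.public_key(), is_ca=False,
                       ekus=[LICENSING_ONLY, CODE_SIGNING])
    return root, lic_ca, client


def demo():
    root, lic_ca, client = build_demo_pki()
    chain = [client, lic_ca]
    return {
        "licensing, full check": chain_permits(chain, root, LICENSING_ONLY),
        "code signing, leaf EKU only": chain_permits(chain, root, CODE_SIGNING,
                                                     honour_ca_eku=False),
        "code signing, full check": chain_permits(chain, root, CODE_SIGNING),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:30} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Run as a script it prints one line per check: the licensing purpose is accepted, code signing is accepted by the leaf-only shortcut, and code signing is rejected once the intermediate's EKU is consulted. The check deliberately leaves out validity periods and revocation; a production verifier needs both, but they are not what distinguishes the two outcomes here.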


Flame Linked to Stuxnet

Security researchers have conclusively linked Flame to the “Stuxnet” superworm that targeted Iran’s nuclear centrifuges in 2009 and early 2010. According to reports by The New York Times and The Washington Post, Stuxnet was a joint effort by the National Security Agency, the CIA and the Israeli military against Iran’s nuclear infrastructure. (5)(6)

Given the link between the two malware packages and the enormous complexity and resources required of the Flame software, it is almost beyond doubt that US and Israeli agents are also behind this latest attack.

In conclusion, it does seem likely that the NSA and CIA have moles in high places, including at Microsoft. However, for an operation such as this to be a success, it would be far more prudent for the NSA and CIA to have moles in the antivirus and security companies. After all, they are supposed to be keeping us safe from attacks like these in the first place!

References & Image Credits:
(1) PC Pro
(2) Twitter
(3) F-Secure
(4) Trail of Bits
(5) NY Times
(6) Washington Post
(7) sxc.hu
(8) NY Times

Originally published on TopSecretWriters.com

  • Someone

    As it was shown later, the attack made use of an MD5 collision, so there was no need to get the original certificate to sign code. However, guess who is one of MS’s biggest customers in the US. 😉

  • noooo

    If you use “tcpview” from Microsoft, a moderately knowledgeable person can see unusual internet connections. Also, a behavior blocker or more technical HIPS (host intrusion protection system) can also alert to suspicious connections and activity. All this is freely available. The writer writes as if it is still 1988 and all there is is signature-based anti-malware, not even heuristics. If all this is true, then it means the Iranian technicians are duds.
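The comment above points at the kind of check a connection viewer makes possible, and the article itself describes Flame standing up a local proxy to intercept update traffic. As an added example (not from the article, the commenter, or Microsoft's TCPView), the following Python script parses a listing in the layout of Windows `netstat -ano`, joins it to a PID-to-image map as `tasklist` would provide, and raises two findings: an image outside a baseline of processes expected to reach the Internet, and a process that listens on loopback while holding an external connection (the shape a local proxy takes). The listing, the process names and the baseline are all constructed; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
"""Flag unexpected outbound connections and local-proxy-like processes in a
`netstat -ano`-style listing. Sample data, process names and baseline are constructed."""
import ipaddress
import re

# Constructed listing in the layout of Windows `netstat -ano` (not a real capture).
# 203.0.113.x / 198.51.100.x are documentation ranges used as stand-ins for public hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.77:443       ESTABLISHED     4412
  TCP    192.168.1.20:49802     198.51.100.9:80        ESTABLISHED     1360
  UDP    0.0.0.0:5355           *:*                                    1120
"""
# Constructed PID -> image name map, as `tasklist` would give it.
PROCESS_NAMES = {4: "System", 880: "svchost.exe", 1120: "svchost.exe",
                 1360: "firefox.exe", 4412: "unknownsvc.exe"}
# Baseline (constructed): images expected to talk to the Internet on this host.
ALLOWED_EXTERNAL = {"firefox.exe", "svchost.exe"}

# proto, local, foreign, optional state (absent for UDP), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Ranges treated as internal; anything else that parses as an IP is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def split_addr(addr):
    """'192.168.1.20:49712' -> ('192.168.1.20', '49712'); handles '[::1]:80' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' and other non-addresses
        return False
    return not ip.is_unspecified and not any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_addr(local),
                     "foreign": split_addr(foreign), "state": state or "",
                     "pid": int(pid)})
    return rows


def find_suspicious(rows, process_names, allowed_external):
    """Return (pid, image, reason) tuples, ordered by pid."""
    by_pid = {}
    for r in rows:
        by_pid.setdefault(r["pid"], []).append(r)
    findings = []
    for pid, conns in sorted(by_pid.items()):
        image = process_names.get(pid, "<unknown>")
        external = [c for c in conns
                    if c["state"] == "ESTABLISHED" and is_external(c["foreign"][0])]
        loopback_listen = [c for c in conns
                           if c["state"] == "LISTENING" and c["local"][0] in ("127.0.0.1", "::1")]
        if external and image not in allowed_external:
            peers = ", ".join(f"{h}:{p}" for h, p in (c["foreign"] for c in external))
            findings.append((pid, image, f"unexpected external connection to {peers}"))
        if external and loopback_listen:
            ports = ", ".join(c["local"][1] for c in loopback_listen)
            findings.append((pid, image,
                             f"listens on loopback ({ports}) while connected externally: "
                             "local-proxy pattern"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in find_suspicious(parse_netstat(SAMPLE_NETSTAT),
                                              PROCESS_NAMES, ALLOWED_EXTERNAL):
        print(f"PID {pid} ({image}): {reason}")
```

On the constructed listing only PID 4412 is reported, once for each rule. The baseline is the weak point of any such check: an allow-list by image name is trivially met by a process that borrows a trusted name, so in practice the baseline should also carry the image path and signer, and the loopback-listener rule should be tuned against the legitimate local proxies on the host.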
