As part of the ongoing investigation into the Flame malware saga, some reports have suggested that software giant Microsoft may have been infiltrated by undercover agents from the CIA and NSA. (1)(2)
Mikko Hypponen, the chief research officer at security firm F-Secure, claimed it is a logical conclusion to draw following the discovery that the malware used Microsoft-issued certificates in order to infect and access machines.
The Flame “toolkit” is a very large and complex piece of software that was targeted against specific networks in the Middle East. It is thought that over 1,000 computers have been infected with the malware, with the vast majority of these being in Iran.
The software had been operating completely undetected since at least 2010, and its capabilities read like they have been taken right out of a spy thriller.
The Capabilities of Flame
Like most malware, Flame is equipped with a keylogger to capture everything that is written on the target machine and a screen grabber to capture screen shots when high value programs such as email and instant messenger programs are opened.
The Flame arsenal also includes a tool that searches both local and network drives for documents and PDF files, with a filter component that extracts excerpts from everything it finds so that the operators can pick out only the really interesting material before exfiltrating it.
In addition to these programs, which can be found in thousands of other malware trojans on the Internet, are several modules that are not so run of the mill.
One program can turn on the computer’s internal microphone in order to record any conversations that are taking place in the vicinity, saving these as audio files which are then sent to the malware operators.
Another searches the infected computer and the network for images that have been taken with digital cameras in order to extract the GPS coordinates from their metadata, and yet another module searches for paired Bluetooth mobile phones in order to steal their address books.
All of this collected information is then encrypted before being sent on to its operators’ command-and-control servers. The software can even extract information from machines that aren’t connected to a network, by staging the stolen data on external USB drives and adapters that have been used in infected computers. (3)
Undetected for Almost Two Years
By far the most impressive feat, however, is exactly how the malware managed to remain undetected for so long. Fully patched and updated Windows computers, many with the latest antivirus programs and definitions, all failed to spot this huge collection of malware that was up to no good on all of these machines.
Flame spread past the usual defences by setting up a local proxy that intercepted traffic meant for Windows Update from other machines on the network and served them a fake update. Normally a “man in the middle” attack of this kind would not work, because Windows only installs updates that are signed by a certificate chaining to Microsoft’s own root certificate authority, so the impostor needs such a certificate.
The Flame developers obtained one by abusing a previously unknown weakness in Microsoft’s Terminal Services licensing infrastructure: certificates issued by the Terminal Server Licensing Service chained to a Microsoft root and, as Windows validated them, were not restricted from being used for code signing, so anything signed with them appeared to other computers as the genuine article.
Newer versions of Windows (Vista and later) would not accept those licensing certificates as issued, so in order to appear genuine to these machines Flame’s authors additionally forged a certificate using an MD5 chosen-prefix collision, a cryptographic attack that was at the leading edge of research at the time and required substantial computing resources. (4)
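The certificate side of this is easy to demonstrate. The following is an added example, not code from the original article, from Microsoft, or from any Flame analysis; it uses only the Go standard library and hypothetical names (“Example Root CA”, “Example Licensing Intermediate CA”, “Rogue Update Signer”). It does not reproduce Flame’s actual certificate chain. It shows the general property that made the licensing certificates dangerous: a subordinate CA that is trusted but not scoped to a purpose lets any leaf it signs claim any purpose, including code signing, whereas a subordinate CA whose extended key usage (EKU) is scoped to something else cannot be turned into a code-signing chain by a verifier that enforces EKU nesting, which Go’s `x509.Verify` does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a toy three-level PKI: a trusted root, an intermediate standing in
// for a "licensing" CA, and a leaf that claims the code-signing EKU.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
}

// tmpl builds a certificate template with hypothetical names; CA templates get
// the CertSign key usage, leaves get DigitalSignature.
func tmpl(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// mkCert issues tmpl from parent (self-signed when parent is nil) and returns
// the parsed certificate together with its freshly generated private key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildChain builds root -> intermediate -> leaf. interEKU is the intermediate's
// extended key usage list; nil means "unrestricted", the dangerous shape this
// example is about. The leaf always claims code signing.
func BuildChain(interEKU []x509.ExtKeyUsage) (*Chain, error) {
	root, rootKey, err := mkCert(tmpl(1, "Example Root CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	interTmpl := tmpl(2, "Example Licensing Intermediate CA", true)
	interTmpl.ExtKeyUsage = interEKU
	inter, interKey, err := mkCert(interTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := tmpl(3, "Rogue Update Signer", false)
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	leaf, _, err := mkCert(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Inter: inter, Leaf: leaf}, nil
}

// TrustedForCodeSigning asks the question an update client must ask: does the
// leaf chain to a trusted root with code signing permitted at every link?
func TrustedForCodeSigning(c *Chain) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

func main() {
	// Unrestricted intermediate: the rogue leaf is accepted as a code signer.
	open, err := BuildChain(nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("unrestricted intermediate, leaf trusted for code signing:", TrustedForCodeSigning(open))

	// Intermediate scoped to server authentication only: the same leaf is rejected.
	scoped, err := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println("scoped intermediate, leaf trusted for code signing:", TrustedForCodeSigning(scoped))
}
```

Run it with `go run .` and the first line prints `true`, the second `false`. The practical checks that follow from this: when auditing a trust store, look at every intermediate that chains to a root you trust and ask what it is allowed to issue; and when building a verifier, require the requested purpose along the whole chain rather than only on the leaf.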
Flame Linked to Stuxnet
Security researchers have linked Flame to the “Stuxnet” superworm that targeted Iran’s nuclear centrifuges in 2009 and early 2010, through a code module the two share. According to reports by The New York Times and The Washington Post, Stuxnet was a joint effort by the National Security Agency, the CIA and the Israeli military against Iran’s nuclear infrastructure. (5)(6)
Given the link between the two malware packages and the enormous complexity and resources required of the Flame software, it is almost beyond doubt that US and Israeli agents are also behind this latest attack.
In conclusion it does seem likely that the NSA and CIA have moles in high places, including at Microsoft. However, for an operation such as this to be a success, it would be far more prudent for the NSA and CIA to have moles in the antivirus and security companies. After all, they are supposed to be keeping us safe from attacks like these in the first place!