Researchers have come across another sophisticated piece of Middle Eastern-targeted espionage malware, which, at the very least, is capable of stealing bank login details, and, at the most extreme, is another Stuxnet.
Security researchers said Tuesday they have come across a new strain of espionage malware that has successfully infected 800 different organizations this year in the Middle East to steal information and spy on communications.
Here's a question: if you connect an unprotected Windows computer to the internet, how long will it take before it is infected by malicious software?
The Flame cyber-attack that targeted computers across the Middle East has been linked to the Stuxnet worm, which is believed to have been orchestrated by the US and Israel to attack Iranian nuclear centres.
Speaking at the Reuters Global Media and Technology Summit on 11 June, Eugene Kaspersky, chief executive of the Russian security firm that bears his name and which discovered the Flame virus in May, said his team of researchers have found that Flame shares an almost identical piece of code with a 2009 version of Stuxnet.
The MD5 collision attack used by the creators of the Flame malware was significantly more difficult to pull off than an earlier attack that resulted in the creation of a rogue CA certificate, says security researcher Alexander Sotirov.
In December 2008, at the Chaos Communication Congress (CCC) in Berlin, an international team of security researchers that included Sotirov presented a practical MD5 collision attack that allowed them to obtain a rogue CA certificate signed by VeriSign-owned RapidSSL.
The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said.
"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. "The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications."
With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining why various security firms totally missed Flame (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010. What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:
Attackers behind espionage software that infected Iranian computers targeted hard-to-exploit weaknesses in a cryptographic algorithm, a feat that allowed them to counterfeit a Microsoft digital credential, a member of the company's security team said.
The Flame "super-malware" must have been infecting computers for as long as four years and was less invisible to antivirus software than assumed, an analysis by security company AlienVault has concluded.
On the face of its AlienVault's analysis is just another forensic guess after peering at the important mssecmgr.ocx Win32 PE (portable executable) file, which 'exports' a clutch of progamming functions. As pulled apart by the Hungarian CrySys Lab, this contains debug entries suggesting a 2011 creation date.
