The recent discovery of the Flame malware, whose command and control servers display the classic trademark of exfiltrating data and intellectual property from compromised hosts over covert channels, has raised the stakes of data security exponentially.
There are two dimensions to the investigation and interpretation of this highly sophisticated malware, which follows in the wake of Stuxnet and Duqu.
Firstly, Flame demonstrates that malware has evolved into a clear and present danger. It represents the full evolution of malware from the early days of script kiddies, through the intermediate stage of monetised cyber criminality, to the current, most sophisticated and potentially deadly stage: state-sponsored cyber warfare.
Here we observe code of a sophistication that can only have been developed through substantial financing and resourcing of highly capable developers with extensive knowledge of writing code for industrial control systems (SCADA). From a state's perspective the potential for gain is enormous, whether the ambition is financial, political or terrorist.
But equally and reciprocally, the release of such malware may effect an uncalculated, self-inflicted attack on the perpetrators themselves. The risk is unequalled and unparalleled today. It is unknown.
Secondly, the distinctiveness of this malware and its obvious sophistication are readily observed. Full decompilation of the code is still under way, and not all aspects of the malware are yet fully understood.
Its nefarious attributes are many. For example, it hides its traffic in an encrypted flow, making interrogation difficult. Using port 443, which after port 80 is the most universally open port, facilitates covert entry.
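Because the payload on port 443 is encrypted, a defender usually cannot inspect the content, but connection metadata (timing and byte counts) remains visible. The following script is an added example, not code from the article or from any Flame analysis: it runs two simple heuristics over constructed NetFlow-style records, flagging host pairs whose connections recur with clockwork regularity (beaconing) and pairs where far more data leaves the network than arrives (exfiltration). The thresholds, the record format and the sample flows are all assumptions made for illustration.

```python
"""Flow-metadata triage for covert channels on port 443.

Added example: looks only at connection metadata, which stays visible to a
defender even when the payload is encrypted. Both heuristics, their
thresholds and the sample records are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (not real traffic):
# (timestamp_seconds, src, dst, dst_port, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    # Suspicious: connects every 300 s and sends far more than it receives.
    (0,    "10.0.0.5", "203.0.113.9",   443, 48000, 900),
    (300,  "10.0.0.5", "203.0.113.9",   443, 48000, 900),
    (600,  "10.0.0.5", "203.0.113.9",   443, 48000, 900),
    (900,  "10.0.0.5", "203.0.113.9",   443, 48000, 900),
    (1200, "10.0.0.5", "203.0.113.9",   443, 48000, 900),
    # Ordinary browsing: irregular timing, mostly inbound bytes.
    (12,   "10.0.0.7", "198.51.100.20", 443, 2000, 150000),
    (47,   "10.0.0.7", "198.51.100.20", 443, 2000, 150000),
    (130,  "10.0.0.7", "198.51.100.20", 443, 2000, 150000),
    (131,  "10.0.0.7", "198.51.100.20", 443, 2000, 150000),
    (400,  "10.0.0.7", "198.51.100.20", 443, 2000, 150000),
    # Too few flows to judge periodicity; download-heavy anyway.
    (50,   "10.0.0.8", "198.51.100.30", 443, 500, 20000),
    (900,  "10.0.0.8", "198.51.100.30", 443, 500, 20000),
]


def flows_by_pair(flows):
    """Group records by (src, dst, dst_port) so each channel is scored separately."""
    groups = defaultdict(list)
    for ts, src, dst, dport, out_b, in_b in flows:
        groups[(src, dst, dport)].append((ts, out_b, in_b))
    return groups


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps.

    A value near 0 means the connections are evenly spaced, which is typical
    of automated check-ins and rare for human-driven browsing. Returns None
    when there are too few observations to say anything.
    """
    if len(timestamps) < 4:
        return None
    ordered = sorted(timestamps)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def upload_ratio(bytes_out, bytes_in):
    """Fraction of all bytes on the channel that left the network."""
    total = bytes_out + bytes_in
    return bytes_out / total if total else 0.0


def triage(flows, max_cv=0.1, min_ratio=0.8, min_flows=4):
    """Return (src, dst, port, reasons) for every channel that trips a heuristic."""
    alerts = []
    for (src, dst, dport), recs in flows_by_pair(flows).items():
        cv = beacon_score([r[0] for r in recs])
        ratio = upload_ratio(sum(r[1] for r in recs), sum(r[2] for r in recs))
        reasons = []
        if cv is not None and cv <= max_cv and len(recs) >= min_flows:
            reasons.append(f"periodic ({len(recs)} flows, cv={cv:.2f})")
        if ratio >= min_ratio:
            reasons.append(f"upload-heavy (ratio={ratio:.2f})")
        if reasons:
            alerts.append((src, dst, dport, reasons))
    return alerts


if __name__ == "__main__":
    for src, dst, dport, reasons in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}: {'; '.join(reasons)}")
```

Run stand-alone, the script reports only the first host pair, for both reasons. Neither heuristic proves compromise on its own; software updaters also beacon, and backups upload. The point is that timing and volume are properties an encrypted channel cannot hide, so they make a reasonable first filter before deeper investigation of a host.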
The Flame malware uses the Lua scripting language, which many professional developers use to write the high-level logic of their software. This is further evidence of investment over and above what might be considered normal for developing generalised, everyday malware (if there is such a thing!). Flame can also use SQLite, another pointer to professional developer authorship of the code.
We should also consider that many of the industrial platforms Flame targets have an effective air gap around them, which is proof that seemingly innocent portable thumb drives and the like, physically carried into quarantined areas, are not so benign. This shows that strict security policies are as important as the technology deployed as defence.
Equally, security can no longer be considered as reliant upon point solutions; it must be fully integrated as a homogeneous security element, woven through any system, with the ability to detect through a multiplicity of approaches. Signatures are no longer enough, however sophisticated.
We enter a new era. Never before have IT security and defence been more important.
Steve Maslin is a security consultant at Cisco Systems
This was first published in September 2012