Today brings news of a malware attack focused on the Middle East and Iran: the espionage malware now being called Flame. Two sets of researchers announced their findings today, and many antivirus companies announced that they now detect it. Not that the infection rate is all that high as we currently understand it (more on that later), with infections topping out at one or two thousand machines. I have been reading the write-ups from Sophos, Wired, the BBC and others (links at the end, including the Securelist Q&A).
So why do we care? Because this was a very targeted attack that was probably launched around the same time as Stuxnet, probably in co-ordination with Stuxnet, but probably by a different team of programmers. That is huge, given that Stuxnet was itself huge for malware. This one also doesn't do the same thing as Stuxnet: there doesn't seem to be a control-system aspect to it at all; it is looking at different stuff altogether. Stuxnet went after systems running a specific type of industrial process-control software and attacked that system. Duqu was the one built to find information and steal documents, and while Flame has that capability too, let's look at its other capabilities. This one is looking for people's names, contact lists and emails, and who they are talking to. It also looks for nearby phones over Bluetooth if it can, and tries to identify the phones, and so the people, close to the infected computer.
This brings us to why this malware exists and why it is found where it is. What follows is one possible scenario of dozens, probably the least likely but the most dramatic. (You wanted dramatic, right? And I'm paranoid, so here goes.)
OK, someone is looking for contacts and being very selective about where they try to infect. They are trying to find specific people and the people those targets may be in contact with: identify the group of users an infected system is close to, and log not just who, but when. Yes, it is logging who is close to this computer, and when. Then some other infected computer sees the same people. If I am tracking specific people I can now build up a pattern of their movements, see who they are in contact with, and build a tree of people from which to decide whom to infect next.
If I am interested in Iran, this can probably only be about one thing: Iran and its nuclear programme. I think the smoke screen Iran is trying to put up about an attack on an oil depot is just that, a smoke screen, much like they tried to say Stuxnet was not a threat and didn't do any damage. So either this is building evidence of what Iran is doing with nuclear technology, or of who is doing the nuclear work for Iran. If I were trying to gather evidence of proliferation (bombs), what I would be looking for is documents and drawings, not address books, recorded conversations, pictures of who is in front of the computer, lists of who people are contacting, and the identities of phones near the machine. So they are not interested in what people are doing but in who is doing it, and where those people might be at some point in the future, so they could be found if need be?
You are a scientist with a new phone. It has Bluetooth, so you get one of those earpieces. Now your phone is announcing to everyone within range, about 10 m, that you are here (as long as it is left discoverable). The guy at the other end of the lab has an infected laptop; it has Bluetooth, and the malware has now turned it on. Every time you walk past him, the computer knows you are there, and when. You stop at that little cafe for a beverage every morning on your way to work. The laptop on the table belonging to a guy you know is also infected, and records your voice every morning saying hello. The computer of a colleague has a camera and captures your picture as you look over his shoulder, and that picture gets cross-referenced with your phone.
Now the computer in the guard shack is infected too, so every time you arrive at and leave work is recorded as well. Your phone also has Wi-Fi, every laptop has Wi-Fi, and a laptop can detect any Wi-Fi device within roughly 30 to 200 m. Yes, you could be broadcasting your location at that range. How about the computer at your place of worship? Your grocery store? Anywhere you go regularly: if the malware controller can figure out where you go and find a way to infect a machine there, then you are being tracked there as well.
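To make the tracking logic in the scenario above concrete, here is an added example (my own illustration, not code from the Flame analyses or from any of the linked write-ups) of what an operator could do with the raw "which device did which infected host see, and when" records described above. The host names, device identifiers and timestamps are constructed for the example; the three steps are the ones the scenario walks through: a per-device movement timeline, the places a device turns up on more than one day (the daily routine), and a contact graph built from devices seen together, expanded a few hops outward to decide whom to look at next.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what an infected host's Bluetooth/Wi-Fi scan log might hold.
# Each record is (host_id, timestamp, device_id). All identifiers are hypothetical.
SIGHTINGS = [
    ("cafe-laptop", "2012-05-21T07:31:00", "phone-A"),
    ("cafe-laptop", "2012-05-21T07:33:00", "phone-B"),
    ("guard-shack", "2012-05-21T07:55:00", "phone-A"),
    ("lab-pc-17",   "2012-05-21T08:02:00", "phone-A"),
    ("lab-pc-17",   "2012-05-21T08:03:00", "phone-C"),
    ("lab-pc-17",   "2012-05-21T14:10:00", "phone-C"),
    ("lab-pc-17",   "2012-05-21T14:12:00", "phone-D"),
    ("guard-shack", "2012-05-21T17:40:00", "phone-A"),
    ("cafe-laptop", "2012-05-22T07:30:00", "phone-A"),
    ("guard-shack", "2012-05-22T07:56:00", "phone-A"),
]


def parse(sightings):
    """Turn the raw (host, ISO timestamp, device) tuples into datetime-bearing rows."""
    return [(host, datetime.fromisoformat(ts), dev) for host, ts, dev in sightings]


def movement_pattern(sightings, device):
    """Chronological list of (timestamp, host) where `device` was seen: its movements."""
    rows = [(ts, host) for host, ts, dev in parse(sightings) if dev == device]
    return sorted(rows)


def routine(sightings, device):
    """Hosts that see `device` on more than one distinct day, with the day count.

    A host that sees the same device every morning is a place the target goes
    regularly, which is exactly where an operator would want a foothold."""
    days_by_host = defaultdict(set)
    for ts, host in movement_pattern(sightings, device):
        days_by_host[host].add(ts.date())
    return {host: len(days) for host, days in days_by_host.items() if len(days) > 1}


def co_presence(sightings, window=timedelta(minutes=5)):
    """Undirected contact graph: two devices are linked if the same host saw
    both within `window` of each other."""
    graph = defaultdict(set)
    rows = parse(sightings)
    for i, (h1, t1, d1) in enumerate(rows):
        for h2, t2, d2 in rows[i + 1:]:
            if h1 == h2 and d1 != d2 and abs(t1 - t2) <= window:
                graph[d1].add(d2)
                graph[d2].add(d1)
    return graph


def contact_tree(sightings, seed, depth=2):
    """Breadth-first expansion from `seed` over the contact graph.

    Returns {device: hops from seed}; the hop count is the operator's
    priority order for whom to look at (or infect) next."""
    graph = co_presence(sightings)
    hops = {seed: 0}
    frontier = [seed]
    for hop in range(1, depth + 1):
        next_frontier = []
        for dev in frontier:
            for neighbour in graph[dev]:
                if neighbour not in hops:
                    hops[neighbour] = hop
                    next_frontier.append(neighbour)
        frontier = next_frontier
    return hops


if __name__ == "__main__":
    for ts, host in movement_pattern(SIGHTINGS, "phone-A"):
        print(f"{ts:%Y-%m-%d %H:%M}  seen by {host}")
    print("regular haunts:", routine(SIGHTINGS, "phone-A"))
    print("contact tree:", contact_tree(SIGHTINGS, "phone-A"))
```

With the constructed log, phone-A shows up at the cafe and the guard shack on both days, phone-B and phone-C are one hop from it (seen alongside it at the cafe and the lab), and phone-D is two hops away through phone-C. The five-minute window is the only tunable here; widen it and casual passers-by start to look like contacts, which is the same false-positive problem any surveillance built on proximity has.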
Your own computer is infected, and your work is on it, describing what you do. You are writing documents that show they need your input to make the next step in the process work, and that without you the project is set back weeks or months. Your boss has just told you that you have to postpone your vacation because this needs to be done in the next month or so; you are the key piece of this work.
Yeah, all of that could be found and tracked with what we already know this malware can do, and we have only started the analysis. It would be augmented by boots-on-the-ground verification of the data, but yes, this would work.
- 'Flame' espionage malware has infected computers across the Middle East (wired.co.uk)
- Flame malware (nakedsecurity.sophos.com)
- The Flame: Questions and Answers (securelist.com)