In 2010, the world stopped spinning for a moment as evidence emerged of a highly complex piece of malware hitting a nuclear research facility in Iran. Two years later, the discovery of another e-threat shows that the team behind Stuxnet and Duqu produced another offspring, one that is even more complex and persistent.
The e-threat, dubbed Trojan.Flamer.A, was also isolated in Iran earlier this May. Preliminary analysis revealed it has been wreaking havoc since October 2010, and even though some of its components were detected when Stuxnet was discovered, the AV industry could not see how deep the operation ran.
The Flamer.A Trojan, also known as Skywiper, goes well beyond what a regular Trojan would do to collect data. Flamer can steal data, copy passwords, record voice conversations, create screen captures, and even probe Bluetooth devices within range of the infected computer's Bluetooth adapter. It is not your average piece of malware that sells for $100 on underground forums: it was built using a variety of technologies ranging from Lua scripts to assembly code.
Unlike Stuxnet (and just like Duqu), Flamer.A is a data thief. It is highly optimized to siphon data, not to attack industrial processes. At least this is its current focus. If the infected computer is connected to the web, the Trojan connects to its command and control servers and siphons files and other data. To minimize the risk of getting caught red-handed, the Trojan establishes an encrypted connection with the server and sends everything in encrypted form. Even if system administrators were inspecting the network traffic, they would not realize that precious data was being leaked outside.
If the system is not connected to the internet (as in the case of government agencies, power plants or other critical services), the Trojan dumps data onto flash drives connected to the PC, but it makes sure to first conceal it from the user.
To hide the data it saves on the USB drive, it creates a file called "." (dot). Because that name is not allowed in Windows, the operating system can neither open the file nor display it to the user, eliminating the chance of it being detected. It is assumed that, once the flash drive is plugged into a computer connected to the Web, a component of the Trojan sends the contents of the "dot" file to the attackers.
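As an added defender-side illustration (not part of the original article or of Bitdefender's tool), the following check flags directory entries on a removable drive whose names Win32 would refuse to open, including a regular file literally named ".". It assumes the listing comes from a source that shows such entries, such as a Linux host or a raw FAT directory parser; the sample listing is constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Names Windows reserves for devices; a data file carrying one of them
# cannot be opened through the normal Win32 path APIs.
RESERVED_DEVICE_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}
# Characters Win32 rejects anywhere in a file name.
ILLEGAL_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def windows_illegal_reason(name: str, is_dir: bool) -> Optional[str]:
    """Return why Win32 would refuse this entry, or None if it is ordinary."""
    if not name:
        return "empty name"
    if name in (".", ".."):
        # "." and ".." are legitimate only as the self/parent directory links;
        # a regular *file* with that name is unreachable from Explorer.
        return None if is_dir else "dot-name regular file"
    if set(name) <= {"."}:
        return "name made only of dots"
    if name[-1] in ". ":
        return "trailing dot or space"
    if ILLEGAL_CHARS.search(name):
        return "illegal character"
    if name.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES:
        return "reserved device name"
    return None


def find_hidden_entries(entries: Iterable[Tuple[str, bool, int]]) -> List[Tuple[str, str, int]]:
    """entries: (name, is_dir, size_bytes) tuples as a raw directory parser would yield."""
    findings = []
    for name, is_dir, size in entries:
        reason = windows_illegal_reason(name, is_dir)
        if reason:
            findings.append((name, reason, size))
    return findings


# Constructed sample listing of a removable drive (not taken from a real device).
SAMPLE_LISTING = [
    (".", True, 0),
    ("..", True, 0),
    ("quarterly.xlsx", False, 48_211),
    (".", False, 7_340_032),   # a *file* named ".", as described in the article
    ("CON.log", False, 1_024),
    ("notes. ", False, 512),
]

if __name__ == "__main__":
    for name, reason, size in find_hidden_entries(SAMPLE_LISTING):
        print(f"{name!r}: {reason} ({size} bytes)")
```

A large file flagged this way on a drive that also travels to internet-connected machines is worth preserving for forensic review rather than simply deleting.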
Flamer is the scariest cyber espionage tool we’ve yet seen. It goes places where other spyware doesn’t go, retrieves information others don’t retrieve, and ensures the infected computer has no privacy whatsoever. This is why Bitdefender developed a fully automated removal tool that scans the PC and disinfects it if any sign of infection is found. To read technical details of Flamer and download the removal tool, visit http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/