Last week, it was announced that one of the creators of the BlackShades NET Remote Access Trojan was arrested along with 23 others in an international operation against cybercrime. As you may recall from previous posts on Unpacked, we have given you, the reader, an in-depth look at the dangers presented by this malware's capabilities. We have also discussed a very serious situation concerning the use of this tool in the political conflict in Syria and, consequently, the dawn of an age in which malware is used as a weapon of war.
As reported by the Electronic Frontier Foundation (EFF) earlier this week, a new Trojan is being spread to Syrian activists in an attempt to conduct electronic surveillance on the group and its members. This Trojan is none other than the BlackShades RAT I blogged about last week in Part 2 of a series on different RATs found in the wild. As it turns out, DarkComet, the subject of the first post in that series, has also been used against the activists in the past.
Syria is currently undergoing a very serious and bloody internal war between the government and the opposition forces, or activists, who want to see the tyranny and injustice shown by the country's top leaders come to an end. I cannot speak about it in detail, but can only refer you to this CNN video, which explains the situation very well up to this point:
Beyond the attempts to squash opposition on the ground with tanks and guns, attempts have been made to do the same thing in the cyber arena: pitting people against each other, disrupting communication, and at the same time collecting vital intelligence from the activists' communications. To accomplish this, three types of Remote Access Trojans/Tools have been used against the activists, delivered through various methods of infection.
The Flame malware has been referred to by some as "the most sophisticated malware to date," and while it is quite an impressive piece of espionage spyware, it poses little threat to the common user. In this blog post I am going to give a quick summary of the technical capabilities of Flame, for anyone who hasn't already read all the blogs and news articles that have been circulating around the net for the past week. Then I will give a quick comparison of its capabilities to those of Stuxnet and Duqu, and explain why they are nothing alike. After that I will cover the real threats: similar malware that is circulating around the net right now that you might not know much about. I will finish with some words of comfort and tell you why you shouldn't be afraid to surf the net.
Flame Technical Summary
As stated previously, Flame is an impressive malware kit; it is very powerful and fairly unusual in the way it performs some of its operations. First of all, some back-story:
Flame was found by Kaspersky while they were helping the International Telecommunication Union (ITU) track down malware that was wiping out the file systems of computers in Iran. They didn't find the exact malware they were looking for, but they found Flame instead. In the same general time frame, CrySyS Lab was asked to join an international effort to analyze an as-yet unknown piece of malware, which they called sKyWIper. Not long after, Kaspersky and CrySyS realized they were working on the same file. Kaspersky researchers discovered that Flame was present not only in Iran but also in the surrounding countries. The malware was found on systems belonging to academic institutions, private companies and specific individuals. Kaspersky believes that Flame might have been in use since March of 2010, around the same time that Stuxnet was first discovered.