Flame's Bluetooth functionality could help spies extract data locally, researchers say
Attackers could pinpoint the physical location of infected computers using Flame's Bluetooth functionality
IDG News Service - The Bluetooth functionality of the Flame cyberespionage malware could potentially be used to pinpoint the physical location of infected devices and allow local attackers to extract data if they get in close proximity to the victims, according to security researchers from antivirus vendors Symantec and Kaspersky Lab.
Flame can leverage an infected computer's Bluetooth capability to scan for other nearby Bluetooth-enabled devices, such as mobile phones, Kaspersky Lab researchers said in their initial Flame report published on Monday.
This functionality is present in a Flame module called BeetleJuice, security researchers from Symantec said in a blog post on Thursday. "When a device is found, its status is queried and the details of the device recorded, including its ID, presumably to be uploaded to the attacker at some point."
This information could be used to determine the social and professional circles of victims over time by looking at what Bluetooth devices their computers detect on a regular basis, the Symantec researchers said.
Flame-infected computers can also act as Bluetooth beacons, allowing other Bluetooth devices to discover them. When acting as beacons, the infected computers indicate that they have the Flame malware installed on them through a special description field.
This feature could potentially help local attackers physically locate Flame-infected computers inside a building in order to directly extract information from them if, for some reason, that information cannot be obtained over the network, Vitaly Kamluk, chief malware expert at Kaspersky Lab, said on Tuesday.
There might even be a Flame feature that allows such data extraction to occur over Bluetooth, but no technical evidence of this functionality has been found yet, Kamluk said. Such an attack would have the benefit of bypassing any network-level firewalls and security controls, the Symantec researchers said.
"It is possible that there is undiscovered code within W32.Flamer which already achieves some of these goals," the Symantec researchers said. "For example, although we have not found network code near the 'beacon' code, one compromised computer may connect to another computer using Bluetooth."
Most security researchers agree that Flame was likely created by a nation state for espionage purposes and that its primary targets were organizations and individuals from Iran and other countries in the Middle East.
If that theory is correct, it would be fairly reasonable to assume that such a nation state could also have intelligence assets or operatives in those regions, who could get physically close to the victims in order to interact with their Flame-infected laptops via Bluetooth.
There are precedents for nation states' involvement in malware attacks on Middle East countries. A report in The New York Times on Friday said that U.S. President Barack Obama ordered the Stuxnet cyberattacks on Iran in order to damage the country's nuclear program.