Flame stashes secrets in USB drives

While viruses have spread on removable storage for decades, the Flame attack takes it to a whole new level

Since the primordial days of data tapes and floppy disks, viruses have used removable storage to spread between computers or, more correctly, have used computers to spread between storage media.

The Flame attack, however, takes the infection of removable media to another level.

In an ongoing analysis of the attack, security firm BitDefender has pinpointed a component of Flame that uses removable media as a carrier to sneak data out of secure installations. On computers not connected to the Internet -- a potential sign that the system is part of a sensitive, "airgapped" network -- Flame waits until a USB drive is inserted. Then it copies not only itself, but a prioritized list of stolen data as well.

While rogue employees have frequently snuck sensitive data out using removable media, this may be the first time that malware uses unsuspecting workers as "information mules," says Bogdan Botezatu, senior threat analyst with Romanian security firm BitDefender.

"This scenario is amazing, we haven't seen anything like this before," he says. "The USB drive is not so much an infection vector as an information mule. It is mostly used as a storage device to host data taken from a protected environment."

The term "mule" is borrowed from the drug trade: People who carry illegal substances across borders are frequently referred to as mules. In the cyber criminal world, people who unknowingly, or by design, use stolen credentials to steal cash, then send it back to the criminal boss are considered mules as well.

In the case of Flame, the authors expected they'd need to get information out of secure computers that may not have connections to the Internet, says Botezatu. "As this piece of malware has been designed to spy on computers located in industrial environments, the attackers expected that the malware would encounter some restrictions and security policies enforced at the protected network perimeter," Botezatu states in an analysis posted to BitDefender's site.

If a Flame-infected computer cannot connect to the Internet, it will infect any USB drive mounted by the system. Once infected, the attack will then copy files from the system to the drive, giving Word, Excel, and PowerPoint documents highest priority. If the drive still has space, it will copy CAD files and, last, JPEG files.

When the infected drive is inserted into another computer, it could spread the Flame virus -- although that functionality seems to be inactive. Instead, the program will attempt to connect to the Internet only on systems that are already infected. If Flame cannot communicate with the command-and-control servers from that system either, it will again copy files to the drive, clearing lower-priority documents to make space for additional data.

If the new system can connect to the command-and-control server, then Flame will copy the USB drive's contents to the computer. Its task is complete.

"What is of particular importance here is that Flame won't store leaked documents until it is sure that that specific memory stick had been plugged into a system with Internet access or -- to be more precise -- a system that succeeded in contacting the C&C servers," states Botezatu in his analysis.
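The behaviour described above leaves a recognisable trace on the host: a burst of Office documents written to a freshly mounted removable volume while the machine has no Internet or C&C reachability, followed later by deletions of images or CAD files just before more documents are written. The script below is an added example (not BitDefender's code and not derived from Flame itself) that runs that detection heuristic over a constructed, hypothetical file-activity audit feed; the log format, host names and thresholds are all assumptions, and a real deployment would read the equivalent fields from an EDR or Windows object-access audit log.

```python
"""Flag Flame-style 'information mule' staging on removable media.

Heuristic taken from the article:
  * offline host writes a burst of Office documents to a removable volume
    (Flame's top priority class), then CAD files, then JPEGs;
  * lower-priority files are later deleted to make room for more documents.

The audit-line format is constructed for this example and is not a real
product schema; the detection logic is an added illustration, not BitDefender's.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import os

# Priority classes the article attributes to Flame's copy routine
# (1 = Office documents, 2 = CAD drawings, 3 = JPEG images).
PRIORITY = {
    ".doc": 1, ".docx": 1, ".xls": 1, ".xlsx": 1, ".ppt": 1, ".pptx": 1,
    ".dwg": 2, ".dxf": 2,
    ".jpg": 3, ".jpeg": 3,
}


@dataclass
class Event:
    ts: datetime
    host: str
    action: str   # "write" or "delete" on the removable volume
    path: str
    online: bool  # could the host reach the Internet / C&C at that moment?


def parse_line(line: str) -> Event:
    # Constructed format: "<iso timestamp>|<host>|<action>|<path>|online=<0|1>"
    ts, host, action, path, online = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, action, path, online == "online=1")


def classify(path: str) -> Optional[int]:
    """Map a file path to its Flame priority class, or None if uninteresting."""
    return PRIORITY.get(os.path.splitext(path)[1].lower())


def detect_staging(lines: List[str], window=timedelta(minutes=5), min_docs=5):
    """Return one finding per host whose removable-media activity matches the pattern."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if classify(ev.path) is not None:
            by_host[ev.host].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)

        # 1. Burst: count the most priority-1 documents written to the volume
        #    inside one sliding window while the host was offline.
        doc_writes = [e for e in evs
                      if e.action == "write" and not e.online and classify(e.path) == 1]
        burst = 0
        for i, start in enumerate(doc_writes):
            j = i
            while j < len(doc_writes) and doc_writes[j].ts - start.ts <= window:
                j += 1
            burst = max(burst, j - i)

        # 2. Eviction: a lower-priority file is deleted and a higher-priority
        #    file is written shortly afterwards (making room, as described).
        eviction = False
        for i, d in enumerate(evs):
            if d.action != "delete":
                continue
            for w in evs[i + 1:]:
                if w.ts - d.ts > window:
                    break
                if w.action == "write" and classify(w.path) < classify(d.path):
                    eviction = True
                    break

        if burst >= min_docs:
            findings.append({"host": host, "doc_burst": burst, "eviction": eviction})
    return findings


# Constructed sample feed: one engineering workstation staging documents while
# offline (including an eviction), and one online laptop doing ordinary copies.
SAMPLE_LOG = [
    "2012-06-01T09:00:05|ENG-WS-07|write|E:\\q2_report.docx|online=0",
    "2012-06-01T09:00:09|ENG-WS-07|write|E:\\budget.xlsx|online=0",
    "2012-06-01T09:00:14|ENG-WS-07|write|E:\\plant_overview.pptx|online=0",
    "2012-06-01T09:00:20|ENG-WS-07|write|E:\\vendor_list.xls|online=0",
    "2012-06-01T09:00:27|ENG-WS-07|write|E:\\maintenance.doc|online=0",
    "2012-06-01T09:00:33|ENG-WS-07|write|E:\\line3_layout.dwg|online=0",
    "2012-06-01T09:00:40|ENG-WS-07|write|E:\\site_photo.jpg|online=0",
    "2012-06-01T09:01:02|ENG-WS-07|delete|E:\\site_photo.jpg|online=0",
    "2012-06-01T09:01:05|ENG-WS-07|write|E:\\audit_2012.docx|online=0",
    "2012-06-01T10:15:00|HR-LAPTOP-02|write|F:\\holiday.jpg|online=1",
    "2012-06-01T10:15:30|HR-LAPTOP-02|write|F:\\cv.docx|online=1",
]

if __name__ == "__main__":
    for finding in detect_staging(SAMPLE_LOG):
        print(finding)
```

The `online` flag is the key discriminator: Flame only stages data on hosts that cannot reach its C&C, so the same burst of document writes on a connected machine is ordinary user behaviour and is deliberately not flagged. Thresholds and the eviction window should be tuned to the environment; the values here are illustrative.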

This article, "Flame stashes secrets in USB drives," was originally published at InfoWorld.com.

Copyright © 2012 IDG Communications, Inc.