Flame's unique trick: Using Bluetooth to spy on victims
Among the interesting aspects of the recently identified W32.Flamer malware is its use of Bluetooth to spy on its victims, researchers at Symantec Security Response said.
“I’m not aware of any malware that has used this before,” said Symantec’s Liam O Murchu. “I think it’s completely new.”
Bluetooth is a proprietary wireless technology typically used for personal-area networks, connecting peripherals such as audio earpieces and keyboards to devices. It is unlikely to produce information that could easily be monetized, so it has not been adopted by criminals who write much of the malware plaguing computers today.
“You’re really talking about people interested in espionage,” O Murchu said. “It fits in with the other information we have about Flamer, which is that it’s an espionage tool.”
Flamer, also known as Flame and sKyWIper, was identified in May and quickly gained notoriety as the largest and one of the most sophisticated pieces of malware yet found. It is also one of the stealthiest: despite its size of 20 megabits, it apparently circulated for years before it was detected. Researchers at CrySyS Lab at the Budapest University of Technology and Economics have identified elements that date as far back as 2007.
One reason for its successful stealth is that it appears to be dedicated to quiet information gathering against a small group of individuals, mostly in the Middle East.
Comparisons with the Stuxnet worm, which targeted and damaged uranium processing equipment in Iran, were immediately made. But the exact relationship between the two, if any, has been hard to pinpoint. Most researchers agree that they are not the work of the same individuals.
(In a New York Times article attributing the Stuxnet attack to the United States and Israel, U.S. officials said Flamer was not part of that program, which was called the Olympic Games.)
“We know they were not written by the same team,” O Murchu said. They share some similar exploits but use different code. “There is no particular connection between the two threats” except that they appear to be state-sponsored tools targeting the Middle East.
Flamer-infected computers scan for and query other Bluetooth devices within their range, recording each device's ID. An infected computer also advertises itself as a Bluetooth beacon so that other Bluetooth-enabled devices will connect to it.
Symantec researchers speculate that this is used to build a profile of the devices the victim comes into contact with, which could be used to identify social networks and build maps of interactions with others. It also could be used to specifically locate the victim.