Cyber-Espionage Malware Features Bluetooth Functionality

By Computerworld, 1-Jun-2012

Symantec writes that W32.Flamer is potentially the only Windows based threat discovered that uses Bluetooth


The “Flame” threat represents a more complex form of cyber weapon than the first of such sophisticated malware, Stuxnet, which was identified in 2010, say anti-virus companies. As Symantec puts it, “W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth.”

Symantec states in its security response blog that this is an “exceptional … (and) comprehensive information gathering and espionage tool”.

The blog paints three scenarios of where and how this Bluetooth functionality can be used by attackers: mapping the infected users' social and professional circles, identifying the physical locations of infected users, and even extracting information from other Bluetooth devices that are within range.

The blog states that “The Bluetooth functionality in Flamer is encoded in a module called "BeetleJuice"”, which, when triggered “according to configuration values set by the attacker”, performs two primary functions.

As the blog describes, firstly it scans for all Bluetooth devices in range and, having found such a device, records its details; this information would then probably “be uploaded to the attacker at some point”.

Symantec explains that Flamer then configures itself as a Bluetooth beacon: “This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area.”


“In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed.”

“By continuously monitoring the Bluetooth devices within range of a W32.Flamer compromised computer, the attacker can build a profile of various devices encountered throughout the day,” says Symantec. “Over time, as the victim meets associates and friends, the attackers will catalog the various devices encountered, most likely mobile phones.”

Symantec then explains how, using the Bluetooth functionality, attackers can identify the location of a compromised device.

“Bluetooth operates over radio waves. By measuring the strength of a radio wave signal, an attacker can measure if he or she is getting closer to or further away from a particular device. With the Bluetooth beacon turned on, and with the details of a particular compromised device available in the description field, it is straightforward for the attacker to identify the physical location of a W32.Flamer compromised computer or device.”

The blog points out that, “The more sinister aspect of this passive sniffing is that it allows the attacker to pinpoint a victim and, therefore, more easily track them in the future.”

Symantec claims that attackers could also “upload a new malicious Bluetooth Lua app into the FLAME store for download onto a compromised device.” As per the blog, this would enable the attackers to “steal contacts from an address book, steal SMS messages, steal images”; use a device to eavesdrop by connecting “a compromised computer to a nearby device and (enabling) handsfree communication”; and “exfiltrate already-stolen data through any nearby device's data connection”.

In conclusion, the report states: “The various theories described here are all practical attacks, easy to implement by a skilled attacker. The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled and such attacks are well within their capabilities.”
