Cyber-Espionage Malware Features Bluetooth Functionality

Symantec writes that W32.Flamer is potentially the only Windows based threat discovered that uses Bluetooth

The “Flame” threat represents a more complex form of cyber weapon than anything seen since the first such sophisticated malware, Stuxnet, was identified in 2010, say anti-virus companies. As Symantec puts it, “W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth.”

Symantec states in its security response blog that this is an “exceptional … (and) comprehensive information gathering and espionage tool”.

The blog paints three scenarios of where and how this Bluetooth functionality can be used by attackers: mapping the infected users' social and professional circles, identifying the physical locations of infected users, and even extracting information from other Bluetooth devices that are within range.

The blog states that “The Bluetooth functionality in Flamer is encoded in a module called "BeetleJuice"”, which, when triggered “according to configuration values set by the attacker”, performs two primary functions.

As the blog describes, it first scans for all Bluetooth devices in range and, having found one, records the details of that device; this information would then probably “be uploaded to the attacker at some point”.

Symantec explains that Flamer then configures itself as a Bluetooth beacon: “This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area.”

"In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed.”
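The beacon behaviour described above gives a defender something concrete to check on a host: whether the local Bluetooth adapter has been switched into discoverable mode, and whether its advertised name or alias carries something that looks like encoded data rather than a human-chosen name. The following Python is an added example written for this article, not code from Symantec's blog or from the Flamer module; it assumes the Linux `bluetoothctl show` output format (field lines of the form `Key: value`), and the sample outputs are constructed, not captured from a real infection. The entropy threshold and minimum length are assumed tuning values, not something the blog specifies.

```python
import math
import re
import subprocess
from collections import Counter

# Constructed sample of `bluetoothctl show` output for a host whose adapter
# has been made discoverable and whose alias looks like encoded data.
# (Assumed output format; sample values are made up for this example.)
SAMPLE_DISCOVERABLE = """Controller AA:BB:CC:DD:EE:FF (public)
\tName: laptop-01
\tAlias: Q2hlY2tzdW06MHgxZjNh
\tClass: 0x001c010c
\tPowered: yes
\tDiscoverable: yes
\tPairable: no
"""

# Constructed sample for a host in its normal, non-discoverable state.
SAMPLE_CLEAN = """Controller AA:BB:CC:DD:EE:FF (public)
\tName: laptop-01
\tAlias: laptop-01
\tPowered: yes
\tDiscoverable: no
\tPairable: no
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(name, entropy_threshold=3.5, min_len=12):
    """Heuristic: long, space-free, base64/hex-like name with high entropy.

    Human-chosen device names are short and low-entropy; a field being used
    to smuggle encoded machine details tends not to be. Thresholds are
    assumed values for illustration, not measured from real samples.
    """
    if len(name) < min_len or " " in name:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/=_-]+", name):
        return False
    return shannon_entropy(name) >= entropy_threshold


def parse_show(output):
    """Turn `Key: value` lines of `bluetoothctl show` output into a dict."""
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return fields


def audit_adapter(show_output):
    """Return a list of human-readable findings for one adapter's status."""
    fields = parse_show(show_output)
    findings = []
    if fields.get("Discoverable", "no").lower() == "yes":
        findings.append("adapter is discoverable (beacon-like behaviour)")
    for key in ("Name", "Alias"):
        value = fields.get(key, "")
        if looks_encoded(value):
            findings.append(f"{key} field looks like encoded data: {value}")
    return findings


def audit_live_adapter():
    """Run `bluetoothctl show` on this host and audit the result (Linux only)."""
    result = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                            text=True, check=False)
    return audit_adapter(result.stdout)


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN),
                          ("discoverable", SAMPLE_DISCOVERABLE)):
        print(label, audit_adapter(sample) or ["no findings"])
```

On a Linux host the `audit_live_adapter()` call runs the real check; the two constructed samples show the expected split between a quiet adapter and one that is both discoverable and advertising an alias that reads like encoded data. Either finding on a workstation that has no reason to be discoverable is worth a closer look, even though neither is proof of this particular malware.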

"By continuously monitoring the Bluetooth devices within range of a W32.Flamer compromised computer, the attacker can build a profile of various devices encountered throughout the day,” says Symantec. “Over time, as the victim meets associates and friends, the attackers will catalog the various devices encountered, most likely mobile phones.”

Symantec then explains how using the Bluetooth functionality, attackers can identify the location of a compromised device.

"Bluetooth operates over radio waves. By measuring the strength of a radio wave signal, an attacker can measure if he or she is getting closer or further away to a particular device. With the Bluetooth beacon turned on, and with the details of a particular compromised device available in the description field, it is straightforward for the attacker to identify the physical location of a W32.Flamer compromised computer or device.”

The blog points out that, “The more sinister aspect of this passive sniffing is that it allows the attacker to pinpoint a victim and, therefore, more easily track them in the future.”

Symantec claims that attackers could also “upload a new malicious Bluetooth Lua app into the FLAME store for download onto a compromised device.” As per the blog, this would enable the attackers to “Steal contacts from an address book, steal SMS messages, steal images”; use a device to eavesdrop by connecting “a compromised computer to a nearby device and (enabling) handsfree communication”; and “Exfiltrate already-stolen data through any nearby device's data connection”.

In conclusion, the report states: “The various theories described here are all practical attacks, easy to implement by a skilled attacker. The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled and such attacks are well within their capabilities.”
