Flame’s reputation as an all-purpose malware, or as Andy Greenberg phrased it in a forbes.com piece, the “Swiss-Army knife” of cyberspying, just revealed another capability. It turns people into data mules.
Reports Greenberg, “Instead of simply uploading stolen data to a remote server as traditional spyware does, Flame can also move the target information–along with a copy of itself–onto a USB memory stick plugged into an infected machine, wait for an unwitting user to plug that storage device into an Internet-connected PC, infect the networked machine, copy the target data from the USB drive to the networked computer and finally siphon it to a faraway server.”
Malware analyst Bogdan Botezatu says, “It turns users into data mules. Chances are, at some point, a user with an infected flash drive will plug it into a secure computer in a contained environment, and Flame will carry the target’s information from the protected environment to the outside world…It uses its ability to infect to ensure an escape route for the data. This is somewhat revolutionary for a piece of malware.”
A better analogy than the mule is a flower. A flower can’t move over to where another flower is to pollinate it. So it uses an innocent honeybee as a go-between. Mule or flower, it all comes out to the same thing. Flame can burn a network even if it’s not touching directly.
Greenberg explains Flame’s technical details when it comes to “mule-ery”, “Flame was designed to use the same .lnk autorun vulnerability first exploited by the NSA-built Stuxnet malware to invisibly install itself on USB devices.
“To hide its trove of stolen data on the user’s device, Flame copies both itself and its data to a folder labeled with a single ‘.’ symbol, which Windows fails to interpret as a folder name. (Therefore, it’s invisible to the user.)
“When an infected USB is plugged into a networked machine, Flame checks that it can contact its command and control server through that computer. Then it moves its target data off the USB to the PC, compresses it, and sends it to the remote server via HTTPS…. (R)esearchers found that while Flame is capable of infecting networked PCs for the purpose of exfiltrating its data (, Flame can render the) infection capability inactive, perhaps to avoid the spyware spreading too far, so that only PCs already infected with Flame would be capable of acting as gateways back to the malware controller’s server. The fact that the spyware’s infection technique [can be] turned off may be evidence that the “data mule” in the Flame operation may in fact [be] aware of his or her role as a data smuggler.”