
MTA REVIEW, Vol. XXII, No. 3, Sep. 2012

CLOUD COMPUTING IN CYBERWARFARE

ALECSANDRU PĂTRAŞCU1
DIANA MAIMUŢ2
EMIL SIMION3

Abstract: Although the Internet may be seen as a relatively new technology,
there is no doubt that it has quickly become part of our lives, from the way we
do business to the end user's home. New threats have developed together with
it: cyberthreats. Cybersecurity and cyberwarfare also emerge as new vectors,
because individuals, governments, and businesses are under attack from other
governments, hackers, and cybercriminals. The Cloud Computing paradigm plays an
important role in this cyber equation, as new malware uses its own computer
networks to infect, spread, or update itself, in a way that was previously
designed and developed only for Cloud environments. The main goal of our paper
is to inform the reader about these new threats, as we explain the new
directions in Cloud Computing, especially by highlighting the security issues
involved. We describe modern capabilities that any Cloud provider should
support, together with a cryptographic side of future Cloud services: (fully)
homomorphic encryption. We present the details of a completely new piece of
malware, Flame, stressing the way it works and infects hosts, together with the
way it spreads to victims' computers using a Cloud-like infrastructure.

Keywords: cloud computing, security, cybersecurity, malware, reliable
computing, homomorphic encryption, homomorphic operations, semantic security.

1 Faculty of Automatic Control and Computer Science, University "Politehnica"
of Bucharest, 313 Splaiul Independentei, Sector 6, 060042, Bucharest, Romania,
e-mail: alecsandru.patrascu@gmail.com
2 Département d'Informatique, École Normale Supérieure, 45 rue d'Ulm, F-75230,
Paris Cedex 05, France, e-mail: maimut.diana@gmail.com
3 Advanced Technologies Institute, 10 Dinu Vintila, Sector 2, 021102, Bucharest,
Romania, e-mail: ati@dcti.ro

1. Introduction

Cloud computing, as defined by the National Institute of Standards and
Technology (NIST) [1], is a model for enabling convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned
and released with minimal management effort or service provider interaction.
On the other hand, cyberwarfare is defined by the U.S. government security
expert Richard A. Clarke in his book [2] as "a set of actions taken by a
nation-state in order to penetrate another nation's computers or networks for
the purpose of causing damage or disruption". Put simply, cyberwarfare is the
modern form of classic information warfare: an Internet-based conflict
involving politically motivated attacks on information and information systems
for the purpose of hacking, sabotage, or espionage.
Within this paper, we discuss the security of today's Cloud Computing
deployments, with a short description of the model's goal, as well as its
advantages and disadvantages. All presented sections are included and detailed
in [3]. At this point, the ReC2S system contains the infrastructure needed to
support these features. In Section 2 we present security issues in Cloud
Computing and in Section 3 we tackle new directions in this domain. In
Section 4 we give the definition of homomorphic encryption and describe how it
can be related to ReC2S. In Section 5 we discuss the possible connection
between Cloud Computing and cyberthreats and briefly present today's malware
action and propagation methods. In Section 6 we detail the case of the Flame
malware, a threat designed especially for cyberwarfare purposes. Finally, we
conclude and shortly describe future directions for this research domain.
As mentioned before, the Cloud Computing model promotes availability
and is composed of: a) five essential characteristics (On-demand self-service,
Broad network access, Resource pooling, Rapid elasticity, Measured Service),
b) three service models (Cloud Software as a Service – SaaS, Cloud Platform as
a Service – PaaS, Cloud Infrastructure as a Service – IaaS), and c) four
deployment models (Private Cloud, Community Cloud, Public Cloud, Hybrid
Cloud).
The Cloud Computing model offers the promise of lower costs combined with
increased IT support. The fact that governments and industry must consider
adopting this technology can be viewed as a critical point. However, Cloud
Computing technology is not yet mature and raises many challenges in today's
datacenters and application design, especially concerning security. As
Armbrust et al. mention in [4], information security is the main issue in the
case of Cloud Computing, and for this reason there are potentially additional
barriers to cross before Cloud Computing environments are as secure as in-house
IT systems. In order to ensure the security of the data (it cannot be accessed
by unauthorized users or simply lost, and data privacy must be maintained),
cloud providers must address the following areas: data protection and
reliability, identity management, physical and personnel security,
availability, application security, privacy and legal issues.

2. Cloud Computing Security Taxonomy

The Cloud Security Alliance's report [5, 6] contains a different sort of
taxonomy, based on 13 security domains, and provides all the elements and
guidelines that must be followed in a cloud computing deployment. We split all
these into 4 categories:
1) Traditional security in a computer network;
2) Availability of cloud computing applications;
3) Third-party data privacy;
4) Third-party data control.
2.1 Traditional security in a computer network

This category includes computer and network attacks that can be carried out,
or made possible, using the infrastructure provided by a Cloud Computing
environment. Current cloud providers keep security issues in mind: sensitive
data is masked in order to block access by unauthorized users and other
providers. More precisely, every cloud provider will claim that it offers a
more secure, safe, reliable and mature technology than its competitors (or
than the average company).
Concerns in this category include:
– Attacks on virtual machines. Potential vulnerabilities in the hypervisor or
virtual machine technology used by cloud providers are a possible problem in
today's datacenters. Vulnerabilities have appeared in VMware's products [7],
Citrix Xen [8], Microsoft's Hyper-V [9] and OpenVZ [10].
– Cloud provider weaknesses. These include platform-level vulnerabilities (such
as SQL injection or XSS). They are well known and bring nothing new, except
that the cloud computing setting in which they appear is different.
– Authentication and authorization. Almost none of the existing authentication
and authorization frameworks cover a cloud environment or extend in this
direction. Two natural questions arise: 1) How can a company use its frameworks
to include and connect to cloud resources? and 2) How can a company use its own
data together with a cloud computing environment while its security metrics
and policies are respected?
– Data stealing and leakage. On the Cloud Security Alliance website [5] we can
find a summary describing the difficulty of cloud forensic investigations.
Furthermore, we face the issue of data sniffing and leakage. Today's users must
blindly trust third-party cloud computing providers like Amazon EC2 and
Microsoft Azure that data handling is done securely and that nobody except its
source can intercept or decode it. Above all, recent studies have shown that it
is possible for a malicious user to discover and map the internal
infrastructure of a cloud provider [11].
2.2 Availability of cloud computing applications

In this category, we gather vulnerabilities concerning critical applications
and the availability of the data they process. Well-publicized cloud outages
include Google Mail (one day in October 2008, two hours in September 2009 and
almost one day in February 2009) and Amazon (over seven hours on 20 July 2008
and up to 36 hours in July 2011).

Concerns in this category include:
– Cloud application uptime. The same problem arises here as in the Traditional
Security in a Computer Network category above. Cloud providers are often too
confident in their infrastructure, tend to pass this false sense of assurance
on to end users, and publish lots of graphs and white papers comparing their
servers' uptime to that of a regular datacenter or network. Another issue is
whether a third-party cloud provider can fully scale to a certain
application's requirements.
– Single point of failure. From the user's point of view, cloud services are
thought of as providing more availability. This can be true only if the
provider ensures that no single points of failure or attack exist.
– Valid computation. The question here is how a user or an enterprise can be
assured that a cloud provider is correctly running a hosted application and
returning valid results. One example is Stanford's Folding@home project, which
gives the same task to multiple clients in order to reach a consensus on the
correct result, but unfortunately this is not general behavior among cloud
providers.
2.3 Third-party data privacy

This category contains vulnerabilities arising from the legal implications of
data and applications being held by third-party cloud providers. In this case,
a lack of control and transparency can be noticed. Because these issues are not
fully understood, users, and more often companies, prefer to implement their
own private clouds.

Concerns in this category include:
– Auditability. The problem here is quite different from the one mentioned
before: how can a cloud provider make sure that it offers enough transparency
for audit purposes? Also, how can the companies responsible for the audit be
sure that the information gathered is real and reliable? Currently, this
transparency is provided by documentation and manual audits.
– SLAs. These have, in our opinion, a great impact on users' and companies'
interests, because the cloud provider's terms can have surprising legal
implications. For example, as stated in Amazon's EC2 terms of use, after you
use EC2 you cannot file infringement claims against Amazon or its customers
suggesting that EC2 itself violates any of your patents.
– Cloud infrastructure design model. This problem appears when a cloud provider
uses infrastructure leased from another cloud provider. Who has control of the
data? Who is more reliable to hold our data? What happens to the data?
2.4 Third-party data control

In this category, we gather issues that reflect the current state of
third-party data usage and how a user can control it.

Concerns in this category include:
– Fixed response time and data deletion assurance. Two questions relate to this
category: 1) How can a user or company get a response within a specified time
frame? and 2) How can a user or company be assured that, after deletion, data
stored in a cloud provider's infrastructure is really deleted?
– Cloud data stealing. Here we refer to data theft by cloud providers. For
example, public applications like Google Mail or Google Apps run on a private
cloud infrastructure, and users and companies are concerned about the data they
store and process within it. The question that arises is how we can be sure
that no one besides ourselves can "see" the data.
– Losing data access. How does a cloud user avoid losing access to a particular
cloud-computing vendor? The stored data might be encoded in a proprietary
format, and the user also has no control over changes and updates in cloud
services.

3. New Directions

Considering the current evolution of cloud computing and cloud providers, some
new directions, which will become more and more important over time, emerge.
According to the Cloud Computing Journal [12], the technology advances very
fast within this new domain and, most importantly, "for the last three years
there has been no technology that is expected to have a transformational impact
in the next couple of years" [13]. It is easy to see the need for improvement
in this area.

We further describe some of the new directions in cloud computing security
(which, in our opinion, are the most important ones):
– Information security. In order to allow companies to take control of the
data stored in a cloud environment, we propose a change of perspective: from
today's data protection, which is external, to protection built into the data
itself. Used or stored data must be encrypted, no matter the environment.
Another important point is knowing who has access to this information. When
data is used in such an environment it must be aware of what is going to happen
to it and should check the virtual machine on which it will run. This can be
achieved by creating intelligent algorithms that make use of advances in
Artificial Intelligence research.
– Trust management in remote servers. As we mentioned in Section 2, companies
avoid switching to cloud services because they must be entirely sure of what
will happen to their data once it is stored remotely. Data audits and
specialized third-party security audit companies must be involved to make sure
data is not used in an abusive way.
– Information privacy. In order to have all the data kept safe and processed
in a reliable way, a different approach must be taken. Fields like data
searching and indexing are no longer reserved for particular uses; they have
become mainstream. For example, if documents are stored in clear text, they
can be searched with simple tools just by specifying a keyword. This is
impossible with randomized encryption schemes and state-of-the-art
cryptographic tools. Recently, schemes that allow computation over encrypted
text have been studied. In our earlier example, we give the search engine an
encrypted keyword and it answers with the documents that match the query,
without ever seeing the clear text. Newer cryptographic schemes such as (fully)
homomorphic encryption [14] and private information retrieval [15] perform all
computations on encrypted data (without decrypting it).

4. Fully Homomorphic Encryption (FHE)

The concept of homomorphic encryption (HE) was initially referred to as
"privacy homomorphism". The idea of constructing a system in which ciphertext
could be manipulated without being decrypted was stated in 1978 [16]. Still,
for more than 30 years this remained a central open problem in cryptography:
the feasibility, and even the existence, of such a scheme was questioned.
We may consider HE a form of encryption in which a specific operation
performed on the plaintext is equivalent to another operation performed on the
ciphertext [17, 18]. HE schemes open new possibilities for systems such as
secure voting [19], collision-resistant hash functions, private information
retrieval schemes and, most importantly, the use of cloud computing by
everyone (they are believed to assure data confidentiality). For the moment
the method is disputable, mainly because of its limitations: high computational
complexity (as D. Naccache mentioned in an interview for "The Security
Newsletter", Fall 2011, key generation requires about 45 minutes on a regular
PC) and, with respect to cloud computing, the specific laws of the geographical
region where the cloud provider wishes to offer its services.
Nowadays, several efficient partially homomorphic cryptosystems (unpadded
RSA, ElGamal, etc. [17]) and three main fully homomorphic but less efficient
schemes (Gentry's breakthrough, DGHV, and RLWE [20]) exist. Each existing
partially homomorphic system allows homomorphic computation of only one
operation on plaintexts, either addition or multiplication, except for the
Boneh-Goh-Nissim cryptosystem, which allows an unlimited number of additions
and one multiplication. A system that supports both addition and
multiplication while preserving the structure of the plaintexts is known as
FHE. Such a scheme permits any circuit to be evaluated homomorphically, which
allows the development of programs whose input and output data are in
encrypted form and whose actual processing is done on the encrypted data,
without decrypting it (there is no leaking of inputs or internal state). As
mentioned above, this permits outsourcing private computations to cloud
computing environments [21].
Inspired by a powerful cryptographic tool, C. Gentry took a different
approach: a lattice-based scheme. Supported by IBM, Gentry published [22] on
25 June 2009 the first FHE scheme [23, 24]. Gentry's scheme handled evaluation
of circuits of arbitrary size. He started from a "somewhat" HE scheme using
ideal lattices that was limited to evaluating low-degree polynomials over
encrypted data, because each ciphertext was "noisy" and this noise grew with
every addition and multiplication until the ciphertext became indecipherable.
He then modified his scheme to permit a bootstrapping operation, in which the
scheme homomorphically evaluates its own decryption circuit, allowing the
ciphertext to be refreshed periodically (thus reducing the noise). Gentry based
the security of his scheme on the computational hardness of problems over
ideal lattices and the sparse subset sum problem. However, his proposal was
rather theoretical and still impractical for many of today's applications (the
ciphertext size, and thus the computation time, grew together with the security
level). Stehlé and Steinfeld managed to decrease this time substantially and
published their results in 2010 [25].
In 2009, M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan presented a
second fully homomorphic encryption scheme [14, 26, 27] based on Gentry's
work, which used integers instead of ideal lattices (DGHV). This approach had
been studied before in papers by Levieil and Naccache [28] and Cohen [29]. In
2010, N.P. Smart and F. Vercauteren [30] presented further research on Gentry's
scheme, giving smaller key and ciphertext sizes, but still not fully practical.
C. Gentry and S. Halevi presented at Eurocrypt a working implementation of
their research [31]. In 2011, J.-S. Coron, D. Naccache, and M. Tibouchi
presented a compression technique for reducing the public key size of the
DGHV scheme [32]. Also, in December 2011, C. Gentry, S. Halevi, and N.P. Smart
described in [33] an improvement of Gentry's bootstrapping technique (the only
known one that gives a "pure" FHE scheme).
The reader may wonder how an FHE scheme can be described. As we can see in
[17] and [14], an FHE scheme includes the following four algorithms: key
generation (Keygen), message encryption (Enc), message decryption (Dec), and
homomorphic evaluation (Eval).

A scheme is fully homomorphic if for any boolean circuit
$f : \{0,1\}^A \to \{0,1\}$, inputs $m_1, \dots, m_A \in \{0,1\}$, key pair
$(pk, sk)$ and ciphertexts $c_i = \mathrm{Enc}_{pk}(m_i)$, $i = 1, \dots, A$,
the following equality holds:

$$\mathrm{Dec}_{sk}\big(\mathrm{Eval}(f, c_1, \dots, c_A)\big) = f(m_1, \dots, m_A).$$
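The following Python program is an added worked example, not code from the paper or from any of the cited FHE implementations. It instantiates the Keygen/Enc/Dec/Eval interface just defined with a toy version of the symmetric, integer-based "somewhat" homomorphic scheme that underlies DGHV (ciphertext c = m + 2r + pq under an odd secret key p), and it makes the noise growth described above concrete: XOR is integer addition, AND is integer multiplication, and decryption is correct only while the accumulated noise stays below p. The parameter sizes, the absence of a public key, and the noise bookkeeping are illustrative assumptions for this example only.

```python
"""Toy symmetric somewhat-homomorphic encryption over the integers (DGHV style).

Secret key: an odd integer p.  Ciphertext of a bit m:  c = m + 2*r + p*q,
with small random noise r and large random q.  Decrypt: (c mod p) mod 2.
Adding ciphertexts XORs the bits, multiplying them ANDs the bits, and both stay
correct only while the accumulated noise term stays below p.  This is an
illustration only (assumption: toy parameters, no public key, no bootstrapping,
no security claim).
"""
import random

_SYSRNG = random.SystemRandom()   # cryptographic randomness by default


def keygen(p_bits: int = 64, rng: random.Random = _SYSRNG) -> int:
    """Keygen: a random odd secret key p with exactly p_bits bits."""
    return rng.getrandbits(p_bits) | (1 << (p_bits - 1)) | 1


def encrypt(p: int, m: int, noise_bits: int = 8, q_bits: int = 256,
            rng: random.Random = _SYSRNG) -> int:
    """Enc: hide bit m as m + 2r + pq; the noise term m + 2r is below 2^(noise_bits+1)."""
    if m not in (0, 1):
        raise ValueError("plaintext must be a single bit")
    r = rng.getrandbits(noise_bits)
    q = rng.getrandbits(q_bits)
    return m + 2 * r + p * q


def decrypt(p: int, c: int) -> int:
    """Dec: strip the multiple of p, then the even noise; correct iff noise < p."""
    return (c % p) % 2


def add(c1: int, c2: int) -> int:
    """Eval of XOR: the noise terms add."""
    return c1 + c2


def mul(c1: int, c2: int) -> int:
    """Eval of AND: the noise terms multiply (bit length roughly doubles)."""
    return c1 * c2


def eval_majority(c1: int, c2: int, c3: int) -> int:
    """Eval of the circuit maj(a,b,c) = ab XOR bc XOR ca on ciphertexts, without p."""
    return add(add(mul(c1, c2), mul(c2, c3)), mul(c3, c1))


def observed_noise_bits(p: int, c: int) -> int:
    """Bit length of the noise term (meaningful only while the noise is < p)."""
    return (c % p).bit_length()


def max_mul_depth(p_bits: int, noise_bits: int) -> int:
    """Largest n such that a product of n fresh ciphertexts always decrypts correctly.

    Worst-case fresh noise is 2^(noise_bits+1) - 1, and the product of n such
    terms must stay below the smallest possible key, 2^(p_bits-1).
    """
    worst = (1 << (noise_bits + 1)) - 1
    bound = 1 << (p_bits - 1)
    n = 0
    while worst ** (n + 1) < bound:
        n += 1
    return n


if __name__ == "__main__":
    rng = random.Random(2012)        # seeded only so the demo is reproducible
    p = keygen(rng=rng)
    a, b, c = (encrypt(p, bit, rng=rng) for bit in (1, 1, 0))
    print("maj(1,1,0) decrypts to", decrypt(p, eval_majority(a, b, c)))
    print("guaranteed multiplicative depth:", max_mul_depth(64, 8))
    prod = encrypt(p, 1, rng=rng)
    for depth in range(2, 12):       # keep multiplying fresh encryptions of 1
        prod = mul(prod, encrypt(p, 1, rng=rng))
        print(f"depth {depth:2d}: noise bits {observed_noise_bits(p, prod):3d}, "
              f"decrypts to {decrypt(p, prod)} (expected 1)")
```

Running the script shows the noise bit length roughly doubling with each multiplication and the decrypted value turning into garbage once the noise passes the key size; the scheme is therefore "somewhat" homomorphic, limited to low-degree circuits. Gentry's bootstrapping step, which this toy omits, is exactly what resets that noise by homomorphically evaluating `decrypt` itself.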

5. Cyber Threats and Cloud Computing

It is quickly becoming apparent that modern conflicts do not lay out their
weapons of choice on the traditional battlefield. Many nation-states
increasingly employ cyberwarfare to attack other states or entities in an
effort to disrupt or disable critical technological infrastructure.
Cyberwarfare is not such a recent topic: Richard Harknett wrote in a 1996 paper
[34] that "the essence of the Information Age is the emergence of a new form of
organization. The information technology network seamlessly connects all of its
parts, creating shared situational awareness throughout an organization. High
connectivity supports both enhanced sustainability and greater accessibility".
All of this applies to today's Cloud Computing and cyberwarfare technologies.
For over a decade, dedicated IT software companies like Google have spent a
lot of time and money promoting the idea that it is cheaper for governments and
businesses to store, process and sell information and services from a Cloud
controlled by the provider's computers. But adoption of this technology is slow
because it involves many more outsourcing problems and raises privacy and
intellectual property issues that go beyond clicking an "I accept" button on
the License Agreement screen.
Most current Cloud users think that they are immune to cyberwarfare.
Nothing could be more wrong. Consider the following scenario, with all its
aspects. You own a company that uses "Company X Mail", a Software-as-a-Service
product for email communication. Your company is responsible for processing
credit card payments over the Internet and happens to rely on Amazon's Cloud
Computing infrastructure. One day, you notice that you cannot process payments
because the online credit card transaction processor is under attack. Then you
notice that the entire payment infrastructure goes down because Amazon is also
under attack. The Company X Mail servers are facing a Distributed Denial of
Service attack as well. Finally, you cannot even send support requests to the
card processor, the payment infrastructure or the email provider. At this point
your company is effectively knocked off the Internet, even if your own website
is up and running.
This scenario, even if it seems a nightmare for any company, has already been
put into practice. A crowdsourced group of pro-Wikileaks activists took down,
for a short period of time, the entire infrastructure mentioned above for
companies like PayPal or Mastercard. Some were even more unlucky: PostFinance,
a Swiss bank that shut down Wikileaks' funding, was down for 33 hours in late
2010 [35].

Today's Internet infrastructure has a major problem: the more interconnected we
are, the more dependent we are on third-party technologies and the more
vulnerable we are to these attacks. The unpleasant part is that we cannot
disconnect ourselves from a given supplier, or from the Internet, these days.
One mitigation is to use multiple service providers as backups, which allows a
company to remain online in case of an outage.
Cyber threats are no longer just a theoretical subject left to the last pages
of security books. As we start to have an online life in parallel with our
physical life, they are a real threat. Today, Internet technologies shorten the
time needed to make human and organizational decisions. For example, we use the
Internet for electronic communications, electronic commerce, transactions and
banking, and for accessing different databases in order to process
information. All these actions, which interact with virtual activities, must be
protected from electronic fraud. Thus, we need to implement, in the virtual
space, security measures similar to real-world security measures.

But there is a difference: behind real-life thefts there are humans who
interact with the goods, while in the virtual space the thefts are carried out
by viruses, worms and other malware that interact with and monitor the assets
of the system. If we consider that all these weapons (viruses, worms, malware
applications, etc.) are produced by humans, we can conclude that in the
protection of system assets human intelligence plays a decisive role and the
critical decisions must be taken by humans.

The problem is how to organize these many decisions so that they can be made,
corrected and modified with limited human intervention. Terms like "zero-day
attacks", "botnets" and "malware" are becoming an increasing problem and are
mentioned more and more. We briefly present these threats in the next
paragraphs.
5.1 Zero-day attacks

A "zero-day attack" or threat is an attack that exploits previously unknown
vulnerabilities in software applications. The term comes from the fact that
the attack occurs on "day zero" of awareness of the vulnerability, so the
developers of the affected application have had zero days to patch it. These
attacks come in large numbers: malware, viruses and Trojans all represent
attack vectors that target modern software and delivery networks. In this
equation, web browsers and the operating systems they run on are the most
widely targeted, because they are present on all devices, from mobile phones
to desktops. Mail delivery networks are also targeted because they can carry an
infected e-mail attachment to a potential victim. To cope with these threats,
organizations like US-CERT and the Zero Day Initiative dedicate their work to
providing users with cyber security.

Since the vulnerability has not yet been reported and fixed, there is no patch
to apply before the attack happens. Still, methods and procedures that limit
exposure and allow early detection exist, such as:
– the use of VLANs with IPsec to protect the content of individual
transmissions;
– the use of Intrusion Detection Systems;
– the use of network access control to protect against rogue machines that
connect to a network.
5.2 Botnets

A botnet is a set of Internet-connected computers that, without their owners'
knowledge, have been compromised and set up to send and forward different
types of transmissions, including spam or viruses, to other computers on the
Internet. The term comes from the fact that every infected computer becomes a
"robot", or "bot" for short, that serves an attacker. Reports from well-known
security companies like Symantec and Kaspersky Labs reach a common conclusion:
botnets are currently the biggest threat to the Internet.

Computers used inside a botnet are those whose owners fail to provide
effective firewalls or other safeguards from the Internet. Furthermore, an
increasing number of home computers benefit from high-speed Internet
connections, which aids the attackers' efforts. A bot is a program that, once
installed, accepts commands from a remote controller, either by listening on a
port left open on the computer or by connecting out to a command-and-control
server.

One example is the use of a botnet to direct HTTP traffic at a specific
computer or website in a Distributed Denial-of-Service (DDoS) attack. The
remote website goes down because it cannot handle all the traffic.

Another example is the DNSChanger bot. This is a Domain Name System (DNS)
hijacking Trojan that was distributed over the Internet as a download claiming
to be a video codec needed to view video content on bait pornography sites.
Once installed, it modifies the target's DNS configuration to point to bogus
servers on the Internet operated by an Estonian company called Rove Digital and
its hosting subsidiary Esthost. It is estimated to have infected over
4 million computers worldwide, many of them at government agencies and large
organizations like NASA, since the bot can affect both PCs and Apple
computers. The scheme implemented by this botnet uses its linked Trojans to
divert web traffic from its intended destination to that of advertisers who
paid for traffic delivery, thinking it was provided through paid links. The
rogue DNS servers used IP addresses in the following ranges:
– 85.255.112.0 through 85.255.127.255;
– 67.210.0.0 through 67.210.15.255;
– 93.188.160.0 through 93.188.167.255;
– 77.67.83.0 through 77.67.83.255;
– 213.109.64.0 through 213.109.79.255;
– 64.28.176.0 through 64.28.191.255.
5.3 Malware

Malware is software used or created by attackers to alter computer operations,
gather sensitive information or gain access to private computer systems. Its
form varies from a full software program to a script. It is a general term for
all forms of hostile and intrusive software, such as computer viruses, Internet
worms, Trojan horses, spyware, adware and rootkits.

Being such a vast security domain, there are many malware examples, but we
present its newest form in the next section: Flame.

6. Flame

The Flame malware was discovered on 28 May 2012 by the Iranian MAHER CERT,
Kaspersky Labs and the CrySyS Lab. The news coming from cybersecurity
researchers sounded like the plot of a science fiction movie: a surveillance
program had lain dormant on computers around the world for years, secretly
turning on microphones, taking screenshots, copying files, recording
keystrokes, spreading through Bluetooth, and sending all the information to
unknown servers over the Internet. Following an investigation request by the
United Nations International Telecommunication Union, the discovery of Flame,
the world's most sophisticated known weapon of cyberwar, was made public. Many
of the infected computers belonged to deliberately targeted home users. The
most worrying fact was that this finely crafted software evaded detection by
the world's best antivirus suites for years.

More details about Flame, with brief information regarding the way it infects
hosts, its spreading mechanism and its command and control servers, can be
found in this paper's appendix.
6.1 General characteristics

Called "Flame" by Kaspersky Labs and "Flamer" by Symantec, the malicious code
is larger than Stuxnet, the infrastructure-sabotaging malware believed to have
breached Iran's nuclear program in 2009 and 2010. Although Flame has both a
different purpose and a different composition from Stuxnet, and appears to have
been written by different programmers, its complexity, the geographic scope of
its infections and its behavior strongly indicate that a nation-state is behind
Flame rather than common cyber-criminals, marking it as yet another tool in the
growing arsenal of cyber weaponry.
The researchers say that Flame may be part of a parallel project created by
contractors who were hired by the same nation-state team that was behind
Stuxnet and its related malware – Duqu [36].
Newer threats are also influenced by Flame. The Gauss malware [37] was
discovered on 9th August 2012. It is a complex cyber-espionage toolkit designed
to steal sensitive data, with a specific focus on browser passwords, online
banking account credentials, cookies, and specific configurations of infected
machines. The online banking Trojan functionality found in Gauss is a unique
characteristic that was not found in any previously known cyber-weapons.
Early analysis of Flame by the security labs indicates that it is designed
primarily to spy on the users of infected computers and steal data from them,
including documents, recorded conversations and keystrokes. It also opens a
backdoor to infected systems to allow the attackers to tweak the toolkit and add
new functionality.
The malware, which amounts to 20 megabytes when all of its modules and all
their versions are installed, contains multiple libraries, SQLite3 databases,
various levels of encryption (some strong, some weak) and 20 plug-ins that can
be swapped in and out to provide various functionality for the attackers. It
even contains some code written in the Lua programming language, an uncommon
choice for malware programming.
Flame appears to have been operating in the wild as early as 2007, though
it remained undetected by antivirus companies. As stated by security
researchers, “it took us half a year to analyze Stuxnet. This is 20 times more
complicated. It will take us 10 years to fully understand everything”.
Among Flame’s many modules is one that turns on the internal
microphone of an infected machine to secretly record conversations that occur
either over Skype or in the computer’s near vicinity, a module that turns
Bluetooth-enabled computers into a Bluetooth beacon and a module that grabs
and stores frequent screenshots of activity on the machine, such as
instant-messaging and e-mail communications, and sends them via a covert SSL
channel to the attackers’ command-and-control servers.
The malware also has a sniffer component that can scan all of the traffic
on an infected machine’s local network and collect usernames and password
hashes that are transmitted across the network. The attackers appear to use this
component to hijack administrative accounts and gain high-level privileges to
other machines and parts of the network.
It is also the first malware known to use “prefix collision attacks”, and it
uses five different encryption modules based on substitution tables and linear
feedback shift registers.
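The linear feedback shift registers mentioned above are the weak end of the encryption spectrum the paper describes: an LFSR keystream is a linear recurrence over GF(2), so the Berlekamp-Massey algorithm reconstructs the whole generator from 2L consecutive keystream bits, and a known protocol header exposes that many bits. The Python below is an added example and is not code from this paper or from any analysed Flame sample; the 16-bit register, its taps, the initial fill and the HTTP-like plaintext are constructed here for illustration and make no claim about the actual modules.

```python
# Added example: why an LFSR-based keystream is weak.
# The register, taps, fill and plaintext below are constructed for
# illustration and are NOT taken from any Flame module.


def lfsr_keystream(taps, fill, n):
    """Fibonacci LFSR: emit n bits. 'fill' is the initial register (oldest bit
    first); each step outputs fill[0] and shifts in the XOR of the tapped cells."""
    state = list(fill)
    out = []
    for _ in range(n):
        out.append(state[0])
        new_bit = 0
        for t in taps:
            new_bit ^= state[t]
        state = state[1:] + [new_bit]
    return out


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def lfsr_encrypt(plaintext, taps, fill):
    """Stream-cipher style: plaintext XOR keystream (decryption is identical)."""
    ks = lfsr_keystream(taps, fill, len(plaintext) * 8)
    return bits_to_bytes([p ^ k for p, k in zip(bytes_to_bits(plaintext), ks)])


def berlekamp_massey(bits):
    """Return (L, C): L is the linear complexity of 'bits' and
    C = [1, c1, ..., cL] satisfies s_i = c1*s_{i-1} ^ ... ^ cL*s_{i-L}."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1               # m: index of the last length change
    for i in range(n):
        d = bits[i]            # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def extend_sequence(bits, L, c, n):
    """Run the recovered recurrence forward until n bits are available."""
    seq = list(bits)
    while len(seq) < n:
        i = len(seq)
        s = 0
        for j in range(1, L + 1):
            s ^= c[j] & seq[i - j]
        seq.append(s)
    return seq


def recover_plaintext(ciphertext, known_prefix):
    """Known-plaintext recovery: XOR out the known prefix to expose keystream
    bits, synthesize the generator with Berlekamp-Massey, extend it and decrypt."""
    ct_bits = bytes_to_bits(ciphertext)
    ks_known = [a ^ b for a, b in zip(ct_bits, bytes_to_bits(known_prefix))]
    L, c = berlekamp_massey(ks_known)
    ks_full = extend_sequence(ks_known, L, c, len(ct_bits))
    return L, bits_to_bytes([a ^ b for a, b in zip(ct_bits, ks_full)])


# Constructed demo: 16-bit maximal-length LFSR (taps of x^16+x^14+x^13+x^11+1),
# a constructed non-zero fill and a constructed HTTP-like plaintext.
TAPS = [0, 2, 3, 5]
FILL = [(0xACE1 >> i) & 1 for i in range(16)]
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
CIPHERTEXT = lfsr_encrypt(PLAINTEXT, TAPS, FILL)


def demo():
    # Guessing only the first 8 bytes ("GET /ind", 64 bits >= 2*16) is enough
    # to recover the generator and therefore the whole message.
    L, recovered = recover_plaintext(CIPHERTEXT, PLAINTEXT[:8])
    return L, recovered == PLAINTEXT


if __name__ == "__main__":
    print(demo())
```

The point for an analyst is the 2L bound: a register of L cells never needs more than 2L known keystream bits to be synthesised, regardless of the fill, so an LFSR combined only with a fixed substitution table adds obfuscation rather than cryptographic strength.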
What is interesting is the built-in capability to “suicide”. Compromised
computers regularly contact their pre-configured control server to acquire
additional commands. In response to one such request, the C&C server shipped
them a file named browse32.ocx. This file is the module responsible for
removing Flame from the compromised computer; one could also call it the
“uninstaller”.
The module contains a long list of files and folders that are used by
Flamer. It locates every such file on disk, removes it, and subsequently
overwrites the disk with random characters to prevent anyone from obtaining
information about the infection. The component contains a routine that
generates the random characters used in the overwriting operation, so that no
traces of the infection are left behind. It is natural that this component has
not been seen and recovered in the field; instead, it was captured in
honeypots. Any client receiving this file would start to remove all traces of
Flame from the infected computer, including this module itself.
6.2 Command and control servers
Since both Flame and Duqu appear to be targeting similar geographical
regions and have been created with similar goals in mind, we will provide an
analysis from the point of view of comparing the Flame C&C infrastructure with
the Duqu infrastructure.
These C&C servers closely resemble a present-day Cloud infrastructure.
As malware becomes smarter with every generation found in the wild, we can now
see that the “traditional” one-computer way of infecting is rapidly evolving
and now targets whole computer networks, both personal and public. This is a
direct result of the evolution of the Internet. Where slow dial-up or ISDN
connections were the way of connecting to the Internet about 12-14 years ago,
we can now buy rather cheap subscriptions from ISPs with very high connection
speeds. This aids the malware designers, allowing them to create large
computer networks that cooperate and work together with a single purpose in
mind: helping a malware spread, auto-update, and collect and process data from
the users. We can easily see that the points mentioned before are the same as
the promises made by the Cloud Computing technology.
In the past, Kaspersky Lab analyzed the Duqu C&C infrastructure and
found several important details, such as the attackers’ preference for CentOS,
the use of SharpSSH to control the proxy servers and the huge number of hacked
proxies used to hide the true identity of the attackers.
In the case of Flame, a similar analysis was performed. First of all, it is
interesting to point out a big difference between Flame and Duqu: while all the
Duqu C&C proxies were CentOS Linux hosts, all of the known Flame C&C servers
are running Ubuntu.
Additionally, while Duqu used a very stealthy way of hiding the true IP of
the mothership, SSH port forwarding, Flame’s scripts were simply running on
the respective servers. The evidence is simple: on Monday May 28, all control
scripts started returning 403/404 errors. In the case of Duqu, the real
malware scripts were on a remote server and were never found.
From this point of view, we can state that the Duqu attackers were a lot
more careful about hiding their activities compared to the Flame operators. In
Table 1 we can see a comparison between the Duqu and Flame C&C
infrastructure.
When a computer is infected with Flame, it uses a default configuration
which includes 5 C&C server domains. Before contacting these servers, the
malware validates the Internet connection by trying to access
www.microsoft.com, windowsupdate.microsoft.com, and www.verisign.com
using HTTPS. If the connection is successful, it will proceed to talk to the C&C
domains.
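The connectivity check described above, three HTTPS connections to well-known Microsoft and VeriSign hosts immediately before the first C&C contact, is itself a behavioural sequence a defender can hunt for in proxy logs. The Python below is an added example and is not code from this paper or from any vendor analysis; the log format, the client addresses, the `.invalid` destination names, the 60-second window and the organisational allowlist are all constructed here as assumptions.

```python
# Added example: hunting the "probe three known hosts, then contact an unknown
# host" sequence in proxy logs. Log format, hosts, addresses, window and
# allowlist are constructed for this illustration, not taken from real data.
from collections import defaultdict
from datetime import datetime, timedelta

# The three hosts the paper reports Flame probing over HTTPS before C&C contact.
CONNECTIVITY_PROBES = {
    "www.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.verisign.com",
}
# Constructed organisational allowlist of expected TLS destinations.
KNOWN_GOOD = CONNECTIVITY_PROBES | {"intranet.example.invalid"}
# Assumption: the probes and the first unknown contact happen within seconds.
WINDOW = timedelta(seconds=60)

# Constructed proxy log: "<timestamp> <client> <method> <host:port> <status>".
SAMPLE_LOG = """\
2012-05-28T09:14:01Z 10.0.0.7 CONNECT www.microsoft.com:443 200
2012-05-28T09:14:01Z 10.0.0.7 CONNECT windowsupdate.microsoft.com:443 200
2012-05-28T09:14:02Z 10.0.0.7 CONNECT www.verisign.com:443 200
2012-05-28T09:14:05Z 10.0.0.7 CONNECT update-relay.example-unknown.invalid:443 200
2012-05-28T09:20:11Z 10.0.0.9 CONNECT www.microsoft.com:443 200
2012-05-28T09:20:12Z 10.0.0.9 CONNECT windowsupdate.microsoft.com:443 200
2012-05-28T09:20:12Z 10.0.0.9 CONNECT www.verisign.com:443 200
2012-05-28T09:20:14Z 10.0.0.9 CONNECT intranet.example.invalid:443 200
2012-05-28T10:02:40Z 10.0.0.12 CONNECT www.microsoft.com:443 200
2012-05-28T10:31:00Z 10.0.0.12 CONNECT cdn.example-unknown.invalid:443 200
"""


def parse_line(line):
    """Split one constructed proxy log line into typed fields."""
    ts, client, method, dest, status = line.split()
    host = dest.rsplit(":", 1)[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, int(status)


def find_probe_then_unknown(log_text, allowlist=KNOWN_GOOD, window=WINDOW):
    """Return (client, host, timestamp) for every successful TLS connection to a
    host outside the allowlist that was preceded, within 'window', by successful
    connections from the same client to all three connectivity-probe hosts."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, status = parse_line(line)
        if method == "CONNECT" and status == 200:
            per_client[client].append((ts, host))
    hits = []
    for client, events in per_client.items():
        events.sort()
        for i, (ts, host) in enumerate(events):
            if host in allowlist:
                continue
            recent_probes = {h for t, h in events[:i]
                             if ts - t <= window and h in CONNECTIVITY_PROBES}
            if recent_probes == CONNECTIVITY_PROBES:
                hits.append((client, host, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_probe_then_unknown(SAMPLE_LOG):
        print("probe-then-unknown-host:", *hit)
```

Only 10.0.0.7 is reported: 10.0.0.9 performs the same three probes but then talks to an allowlisted host, and 10.0.0.12 touches a single probe host half an hour before its unknown destination. Windows hosts legitimately contact these Microsoft and VeriSign names all day, so the signal is the complete trio within seconds followed by a new external TLS destination; treat it as a hunting heuristic that needs a maintained allowlist, not as a signature.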
In addition to the static configuration, Flame maintains a database of an
additional 5-6 C&C servers. In total, a running Flame installation can use a
list of about 10 domains to try to contact the C&C. Interestingly, Flame
maintains a log of activities which includes reports of connections to the C&C
servers together with timestamps.
While analyzing the Flame samples recovered from the Middle East, we
noticed they were trying to contact 5 different domains. Additional
configuration included 6 other domains. Five other domains were recovered from
activity logs, for a total of 11 unique domains used by the malware.
By looking at the IPs where the servers were hosted, another 30 domains
hosted on the same machines were identified. By checking the IP history of the
additional domains, we discovered another 40 domains which appeared to be
connected. In total, over 80 different domains which appear to belong to the
Flame C&C infrastructure were discovered.
The Flame C&C domains were registered with an impressive list of fake
identities and with a variety of registrars, going back as far as 2008. In general,
each fake identity registered only 2-3 domains but there are some rare cases
when a fake identity registered up to 4 domains.
Table 1.
C&C server comparison between Flame and Duqu

Property                          Flame                           Duqu
Server OS                         Ubuntu Linux                    CentOS Linux
Control scripts                   Running on servers              Running remote through SSH port forwarding
Number of victims per server      50+                             2-3
Connection encryption             SSL and some proprietary AES    SSL
Compression of connections        Yes, Zlib and PPMD              No
Known C&C domains                 80+                             n/a
Known C&C IPs                     15+                             5
Proxies used to hide identity     Unknown                         10+
Time zone of C&C operator         Unknown                         GMT+2/GMT+3
Infrastructure programming        Unknown                         .NET
Built-in C&C IPs/domains          5, can update list              1
SSL certificate                   Self-signed                     Self-signed
Servers status                    Most likely bought              Most likely hacked
SSH connections                   Yes                             No

7. Conclusion
In conclusion, we can state that fast advances in cybercrime and
cyberwarfare technology and techniques have resulted, since the beginning of
2012, in an unprecedented rise in data breaches. We think that planning is
needed in order to ensure that our online world is trustworthy and secure; as a
direct result, we need to consider the fundamental changes that are occurring in
cyberspace and try to adapt to them. Cloud Computing, being a new direction
for the entire cyberspace, together with the security issues of such systems
and their implications for today’s malware, is beginning to get more and more
attention from the research community and governments. In our opinion,
looking forward into the future of the 3 billion Internet users existing today,
we can see four big directions for resolving cyber security issues: online
users’ security education, mobile devices cryptography, online data
obfuscation, and Cloud services transparency and security.

References
[1] http://www.nist.gov/itl/cloud/index.cfm
[2] R.A. CLARKE, R.K. KNAKE – Cyber War: The Next Threat to National
Security and What to Do About It, Ecco, New York, NY, 2010
[3] A. PĂTRAŞCU, C. LEORDEANU, C. DOBRE, V. CRISTEA – ReC2S:
Reliable Cloud Computing System, Proc. of the European Concurrent
Engineering Conference, ECEC 2012, pp. 54-60, Bucharest,
Romania, Apr. 18-20, 2012
[4] M. ARMBRUST, A. FOX, R. GRIFFITH, A.D. JOSEPH, R.H. KATZ,
A. KONWINSKI, G. LEE, D.A. PATTERSON, A. RABKIN,
I. STOICA, M. ZAHARIA – Above the Clouds: A Berkeley View of
Cloud Computing, Technical Report No. UCB/EECS-2009-28,
University of California, Berkeley, CA, Feb. 10, 2009
[5] Security Guidance for Critical Areas of Focus in Cloud Computing V.30,
Cloud Security Alliance, https://cloudsecurityalliance.org/
guidance/csaguide.v3.0.pdf, Nov. 14, 2011
[6] R. CHOW, P. GOLLE, M. JAKOBSSON, E. SHI, J. STADDON,
R. MASUOKA, J. MOLINA – Controlling Data in the Cloud:
Outsourcing Computation without Outsourcing Control, Proc. of the
ACM Workshop on Cloud Computing Security, CCSW 2009, pp.
85-90, Chicago, IL, Nov. 13, 2009
[7] http://www.vmware.com/
[8] http://www.citrix.com/lang/English/home.asp
[9] http://www.microsoft.com/en-us/server-cloud/windows-server/hyper-v.aspx
[10] http://wiki.openvz.org/Main_Page
[11] T. RISTENPART, E. TROMER, H. SHACHAM, S. SAVAGE – Hey, You,
Get off of My Cloud: Exploring Information Leakage in Third-Party
Compute Clouds, Proc. of the 16th ACM Conference on Computer and
Communications Security, CCS 2009, pp. 199-212, Chicago, IL, Nov.
9-13, 2009
[12] http://cloudcomputing.sys-con.com/
[13] http://cloudcomputing.sys-con.com/node/2154641
[14] C. GENTRY – A Fully Homomorphic Encryption Scheme, Ph.D. Thesis,
Stanford University, Stanford, CA, Sep. 2009
[15] B. CHOR, O. GOLDREICH, E. KUSHILEVITZ, M. SUDAN – Private
Information Retrieval, Journal of the ACM, Vol. 45, No. 6, pp.
965-982, Nov. 1998
[16] R.L. RIVEST, L. ADLEMAN, M.L. DERTOUZOS – On Data Banks and
Privacy Homomorphisms, In R.A. DeMillo et al. (Eds.), “Foundations
of Secure Computation”, pp. 169-179, Academic Press, New York,
NY, 1978
[17] D. MAIMUŢ, A. PĂTRAŞCU, E. SIMION – Homomorphic Encryption:
Schemes and Applications, Proc. of the 5th International Conference
on Security for Information Technology and Communications,
SECITC 2012, pp. 117-124, Bucharest, Romania, May 31-Jun. 1,
2012
[18] http://en.wikipedia.org/wiki/Homomorphicencryption
[19] R. RIVEST – Lecture Notes 15: Voting, Homomorphic Encryption,
http://web.mit.edu/6.857/OldStuff/Fall02/handouts/L15-voting.pdf,
Oct. 29, 2002
[20] M. NAEHRIG, K. LAUTER, V. VAIKUNTANATHAN – Can
Homomorphic Encryption Be Practical?, Proc. of the 3rd ACM
Workshop on Cloud Computing Security, CCSW 2011, pp. 113-124,
Chicago, IL, Oct. 21, 2011
[21] D. MICCIANCIO – A First Glimpse of Cryptography’s Holy Grail,
Communications of the ACM, Vol. 53, No. 3, p. 96, Mar. 2010
[22] C. GENTRY – Fully Homomorphic Encryption Using Ideal Lattices, Proc.
of the 41st ACM Symposium on Theory of Computing, STOC 2009,
pp. 169-178, Bethesda, MD, May 31-Jun. 2, 2009
[23] http://www-03.ibm.com/press/us/en/pressrelease/27840.wss
[24] M. COONEY – IBM Touts Encryption Innovation, http://
www.computerworld.com/s/article/9134823/IBM_touts_encryption_i
nnovation, Jun. 25, 2009
[25] D. STEHLÉ, R. STEINFELD – Faster Fully Homomorphic Encryption, In
M. Abe (Ed.), “Advances in Cryptology – ASIACRYPT 2010: 16th
International Conference on the Theory and Application of
Cryptology and Information Security, Singapore, December 5-9,
2010: Proceedings”, pp. 377-394, Springer, New York, NY, 2010
[26] C. GENTRY – Computing Arbitrary Functions of Encrypted Data,
Communications of the ACM, Vol. 53, No. 3, pp. 97-105, Mar. 2010
[27] M. van DIJK, C. GENTRY, S. HALEVI, V. VAIKUNTANATHAN –
Fully Homomorphic Encryption over the Integers, In H. Gilbert (Ed.),
“Advances in Cryptology – EUROCRYPT 2010: 29th Annual
International Conference on the Theory and Applications of
Cryptographic Techniques, French Riviera, May 30-Jun. 3, 2010:
Proceedings”, pp. 24-43, Springer, New York, NY, 2010
[28] É. LEVIEIL, D. NACCACHE – Cryptographic Test Correction, In
R. Cramer (Ed.), “Public Key Cryptography – PKC 2008: 11th
International Workshop on Practice and Theory in Public-Key
Cryptography, Barcelona, Spain, March 9-12, 2008: Proceedings”,
pp. 85-100, Springer, New York, NY, 2008
[29] B. COHEN – Simple Public Key Encryption, http://bramcohen.com/
simple_public_key.html
[30] N.P. SMART, F. VERCAUTEREN – Fully Homomorphic Encryption with
Relatively Small Key and Ciphertext Sizes, In P.Q. Nguyen, D.
Pointcheval (Eds.), “Public Key Cryptography – PKC 2010: 13th
International Conference on Practice and Theory in Public Key
Cryptography, Paris, France, May 26-28, 2010: Proceedings”, pp.
420-443, Springer, New York, NY, 2010
[31] C. GENTRY, S. HALEVI – A Working Implementation of Fully
Homomorphic Encryption, http://eurocrypt2010rump.cr.yp.to/
9854ad3cab48983f7c2c5a2258e27717.pdf, 2010
[32] J.-S. CORON, D. NACCACHE, M. TIBOUCHI – Public Key
Compression and Modulus Switching for Fully Homomorphic
Encryption over the Integers, In D. Pointcheval, T. Johansson (Eds.),
“Advances in Cryptology – EUROCRYPT 2012: 31st Annual
International Conference on the Theory and Applications of
Cryptographic Techniques, Cambridge, UK, April 15-19, 2012:
Proceedings”, pp. 446-464, Springer, New York, NY, 2012
[33] C. GENTRY, S. HALEVI, N.P. SMART – Better Bootstrapping in Fully
Homomorphic Encryption, http://eprint.iacr.org/2011/680.pdf, Dec.
15, 2011
[34] R.J. HARKNETT – Information Warfare & Deterrence, http://ics-
www.leeds.ac.uk/papers/vp01.cfm?outfit=pmt&folder=66&paper=79,
1996
[35] F.Y. RASHID – PayPal, PostFinance Hit by DoS Attacks, Counter-Attack
in Progress, http://www.eweek.com/c/a/Security/PayPal-PostFinance-
Hit-by-DoS-Attacks-CounterAttack-in-Progress-860335/, Dec. 6,
2010
[36] http://www.kaspersky.com/about/press/duqu
[37] http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_IT
U_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_
Monitor_Online_Banking_Accounts
Appendix
Copyright of MTA Review is the property of Military Technical Academy Publishing House and its content
may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express
written permission. However, users may print, download, or email articles for individual use.
