Flame malware uses geotags to pinpoint photo location

 

Gallery

By Stewart Mitchell

Posted on 31 May 2012 at 09:55

The Flame malware attack that has hit the Middle East and has been touted as a cyber espionage weapon can hunt down location information in pictures, according to one security expert.

Flame has been dubbed as the biggest cyber espionage discovery since the Stuxnet attack that targeted Iran's nuclear programme, and location data could be a key payload for the malware's creators.

Weapons company BAE Systems has been studying the code and discovered that among other snooping capabilities, Flame can find and extract exact geolocation data of where photographs were taken and potentially reveal the location of the infiltrated system.

Retrieving the geotagging data allows this Flame component to find GPS coordinates of the location where the pictures were taken, or with some statistical probability, where the compromised system is (has been) located

“This particular DLL component of the Flame threat is designed to locate various files in the system, read their contents and populate the SQL database with the file contents and characteristics,” said Sergei Shevchenko on the company's Stratsec research blog.

“In addition, this file is capable of collecting geographical identification metadata that may be present in the files it inspects.”

The research highlighted how many popular phones and cameras used either GPS or Wi-Fi location data to tag images.

“Retrieving the geotagging data allows this Flame component to find GPS coordinates of the location where the pictures were taken, or with some statistical probability, where the compromised system is (has been) located,” Shevchenko said.

The component was also able to locate Office, PDF and AutoCAD files and extract details such when files were created and the author, Shevchenko said.