Super-powerful Flame worm could take YEARS to dissect

But it shares same scripting tech as Angry Birds

Bridging the IT gap between rising business demands and ageing tools

Analysis The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse.

Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have been in circulation for at least two years (and perhaps much longer) but only hit the news on Monday following a series of announcements by security groups and antivirus firms.

Iran's National Computer Emergency Response Team published a warning about the data-stealing virus, promising an antidote: so far the malware has completely evaded detection by commercial antivirus scanners. Iranian researchers described the malware as a "close relation" to Stuxnet, the famously well-engineered nasty that sabotaged industrial control systems linked to Iran's controversial nuclear programme.

Kaspersky Lab said the UN International Telecommunication Union had alerted it to Flame and asked for help analysing the malware, which was believed to be wiping information from Middle Eastern computers. Kaspersky said the unusually large virus has been spreading since March 2010.

However, Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS) fear Flame may have been active for somewhere between 5 to 8 years. The Budapest-based lab published a preliminary analysis [PDF] of the malware, which it dubbed sKyWIper - the CrySys Lab realised the complex piece of malicious software that they had been analysing for weeks was clearly a build of Flame.

Other security firms have since waded in with their own observations and early analysis; confusingly, other researchers are calling the threat either Viper or Flamer.

There's general consensus that Flame is the most elaborate malware threat ever uncovered, and that it was almost certainly developed by a state-sponsored team. The Hungarian team concludes that the malware was "developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities".

How Flame spread its digital inferno

The 20MB virus compromises Windows-based PCs and stealthily installs itself before stealing data and passwords, taking screenshots and surreptitiously turning on microphones to record audio conversations. The malware sets up a backdoor and opens encrypted channels to command-and-control (C&C) servers using SSL protocols.

Flame shares some characteristics with the early Duqu and Stuxnet worms, but also has a number of differences.

Like Stuxnet and Duqu, Flame malware can spread via USB sticks and across insecure networks. All three infect machines running Microsoft's operating system. Flame contains exploits for known and fixed vulnerabilities, such as the print spooler's remote code execution bug and the .lnk security hole first found in Stuxnet.

However, Flame is much more complex than either Stuxnet or Duqu: it is made up of attack-launching modules that can be swapped in and out as required for a particular job; it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library.

It also executes a small set of scripts written in Lua - a programming language favoured by computer game makers such as Rovio for Angry Birds. These direct the operation of the attack modules.

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid (or even possibly stolen) private key - unlike the signed files used by Duqu and Stuxnet.

Both Duqu and Stuxnet targeted industrial control systems, while Flame is far more promiscuous. Crucially, analysis suggests that while Stuxnet and Duqu use the same building blocks (a common platform most likely used by the same programming team), Flame is independent of this architecture.

"The threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex," McAfee notes, hypothesising that Flame might be a "parallel project" to Stuxnet and Duqu.

Worm rears head after attacks on oil field systems

Over recent weeks, prior to Monday's announcement about the malware, Iran reported intensified cyber-attacks on its energy sector, which they observed as a direct continuation of the Stuxnet and Duqu attacks. This may be linked to a decision last month to disconnect the main oil export terminal on Kharg Island in the Persian Gulf following a computer virus infection.

"Evidently, the threat has been developed over many years, possibly by a large group or dedicated team," McAfee notes.

"We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more wildly spread than Duqu, with similarly large numbers of variants."

Symantec agrees with its rival's assessments that Flame was developed by a team, concluding that the "code was not written by a single individual but by an organised well-funded group of personnel with directives". Unlike Stuxnet, Flame is not particularly targeted and has spread to civilians' systems in many countries.

"Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear," Symantec said.

"However, initial evidence shows the victims may not all be targeted for the same reason. Many appear targeted for individual personal activities, rather than their company of employment. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers being used from home Internet connections."

David Harley, senior researcher at ESET, agreed with McAfee that Flame and Stuxnet are more different than they are similar.

"Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area," Harley said. "While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be purely speculative right now, as the code seems very different."

Other than saying it's likely the work of state-sponsored black hat coders, possibly in the employ of an intelligence agency, nobody is speculating who is behind Flame. A lot of the same caveats apply to Stuxnet, but circumstantial evidence does point towards some sort of joint Israeli-US operation.

Even though the full capabilities of Flame, much less who created it and why, remain a bit of a mystery, security firms can at least add detection for the malware now that samples are circulating among researchers.

"Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It's code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all," writes Graham Cluley, a senior security consultant at Sophos. "Fortunately, complete code analysis is not necessary to add detection." ®

The Power of One Brief: Top reasons to choose HP BladeSystem

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
Phone egg, meet desktop chicken - your mother
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.