Feeds

'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

Protecting against web application threats using SSL

Analysis Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code.

The cyber-espionage toolkit – reckoned to have been in circulation for at least two years and possibly much longer – created a fire-storm of publicity after Iranian authorities published a stark warning about the virus on Monday.

On the same day, antivirus experts at Kaspersky Labs and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who had been independently working on analysing the same malware, published their own preliminary analyses.

The Kaspersky experts had been called in by the International Telecommunication Union, which wanted to crack the riddle of a mystery Trojan outbreak that was wiping data off compromised machines in the Middle East.

Flame, which comes with a complex variety of libraries and swappable modules, weighs in at a monster (arguably bloated) 20MB. That's about 40 times larger than Stuxnet, a heavyweight itself by malware standards.

But size is far less important than how many systems it has infected and what damage it causes.

Who's on the hit-list?

Estimates from Kaspersky (here) suggest Flame has only infected 1,000 Windows-powered computers almost exclusively across the Middle East in countries including Iran, Israel and Syria, though it has been found as far down as Sudan in north Africa.

Compromised targets include governmental organisations, educational institutions and home users. Circumstantial evidence suggests that the data-stealing malware infected systems at Iran's main oil export terminal on Kharg Island in the Persian Gulf last month, prompting a decision to disconnect systems there. Flame may also have infected the computers of high-ranking officials, causing a "massive" data loss, unconfirmed reports suggest.

Iranian authorities, who claim to have developed an antidote to Flame, are pointing the finger of blame towards Israel, suggesting the encryption scheme used by the worm is characteristic of those built by Israeli malware writers. The encryption link is tenuous at best.

Nonetheless the Iranian angle adds intrigue, especially in light of the Kharg Island infection. Yet a sober look at the malware suggests its spread is modest and its actions on compromised systems are standard fare for modern viruses, contrary to reports earlier this week.

Game changer? Maybe not

Rather than redefining cyberwar and cyberespionage, as Kasperky researchers initially claimed amid Iranian warnings that the malware was "a close relation to the Stuxnet and Duqu targeted attacks", Flame is bloated and overhyped, according to rival security vendors.

Flame is a precise attack toolkit rather than a general-purpose cyber-weapon, the argument goes. It hasn't spread very far and might well be restricted to systems administrators of Middle East governments.

"While it really doesn't do anything we haven't seen before in other malware attacks — what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system," Patrik Runald of Websense explains.

"Also, Flame has been operating under the radar for at least two years, which counter-intuitively may partially be attributed to its large size."

My dad's botnet is bigger than yours

By comparison to the 1,000-or-so systems hit by Flame, the Flashback Trojan infected 600,000 Mac OS X computers earlier this year and created the first botnet on Apple machines in the process.

The DNSChanger Trojan, linked to click-fraud and scareware scams, compromised four million Windows machines prior to a takedown operation in March.

The infamous Conficker worm hit upwards of 9 million systems, forcing the disconnection of systems at Greater Manchester Police for three days while also causing disruption at a hospital and the local council, and even managed to infiltrate the Houses of Parliament.

A run of Windows worms – Sasser, Nimda and Code Red – caused network congestion and comparable disruption when they appeared in separate incidents between 1999 and 2004. Viruses that spread by email attachments – such as the Love Bug, SoBig and Anna Kournikova nasties – brought mail servers and inboxes to their knees.

Banking Trojans created using the ZeuS or SpyEye toolkits have resulted in massive losses to banks and small businesses while infecting hundreds of thousands of systems.

Flame, on the other hand, has only infected hundreds of PCs. The malware is clearly designed for information-gathering and espionage but, again contrary to early reports, it isn't doing anything much out of the ordinary from a technical perspective.

Spy craft

The malware infects computers running Microsoft's operating system, and stealthily installs itself before stealing information, logging keystrokes, sniffing network traffic and capturing screenshots. It can also surreptitiously turn on microphones to record audio conversations, and then uploads all of this data to remote command-and-control servers.

Flame is built with many interlinked modules and is capable of handling a complex mix of remote instructions. Dozens of pieces of malware or malware frameworks infecting millions of PCs bundle similar capabilities.

Slurps info from Bluetooth kit

When Bluetooth hardware is available, Flame collects information about discoverable devices near the infected machine.

Only the Bluetooth activity in this list is in any way remarkable, says PandaLabs.

Another curious and somewhat innovative feature of the malware is its ability to turn its worm-like spreading functionality on and off.

"Even though it is a worm, its spreading mechanisms are disabled. It looks like whoever is behind it can activate that feature when needed," explains Luis Corrons, technical director of PandaLabs.

The malware also bundles clean-up routines designed to purge it from systems that have been compromised.

"There seems to be a module named 'browse32' that's designed to search for all evidence of compromise (eg, malware components, screenshots, stolen data, breadcrumbs, etc) and carefully remove them," Gunter Ollmann, VP of Research at Damballa explains.

"While many malware families employ a clean-up capability to hide the initial infection, few include the capability of removing all evidence on the host (beyond trashing the entire computer). This, to my mind, is more reflective of a tool set designed for human interactive control — ie, for targeted attacks."

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.