Feeds

'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

Beginner's guide to SSL certificates

If Stuxnet was the Ali of malware, then Flame is a Sumo wrestler

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid private key – unlike the signed files used by Duqu and Stuxnet, the previous stars of cyber-espionage.

Stuxnet targeted industrial control systems and was designed for sabotage. Duqu, like Flame, was geared towards industrial espionage. However the similarities stop there. Stuxnet and Duqu were built from the same building blocks, whereas Flame used a completely different architecture.

A lot was made of the modular design of Flame but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht and who later founded the application security firm VeraCode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.

The creators of the malware remain unknown, but the development effort involved means it must have involved a larger dedicated team. Flame is not designed to steal money from compromised bank accounts or some other profitable scam, which would appear to rule out cybercrooks.

It's certainly not the work of hobbyists and unlikely to be the work of hacktivists, who tend to favour extracting data via website compromises and by running denial-of-service attacks.

Hacktivists tend to favour much simpler tools rather the Sumo-sized, complex threats like Flame, anyway. The nature and location of targets as well as the complexity of the threat leaves intelligence agencies or military contractors as the most likely creators of the cyberattack tool.

Very spooky software

Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.

The experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, it cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, F-Secure adds.

By contrast the best theory about the creation of Stuxnet was that it was created by Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – possibly with US assistance, and tested against similar centrifuges at Dimona.

A show-reel screened during the retirement of Gabi Ashkenazi, former IDF Chief of Staff, cited Stuxnet as an operational success, The Daily Telegraph reports. The Stuxnet code can be read to include references to various significant dates such as the date in 1979 when Habib Elghanian, a Persian Jew, was executed in Tehran.

The Stuxnet malware contains a string called MYRTUS, which might correspond to Queen Esther, a figure from the apocryhal Book of Esther who informs the Persian King Xerxes, her husband, of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born Hadassah, which means Myrtle tree in Hebrew.

This is nice fodder for conspiracy theories, but it's much more likely that MYRTUS is a misspelling of "My RTUs" – a management feature of SCADA industrial control systems.

Flame is best described as a cyber-espionage toolkit that establishes a backdoor, and spreads via infected USB devices and local networks – under the control of its unknown masters. The initial mode of infection likely involved planting the malware in a machine using an infected USB drive, then allowing it to spread within a targeted network, but no further.

Cyber-espionage attacks of the type commonly blamed on China tend to involve spoofed emails with booby-trapped documents. Western agents, by contrast, seem to prefer avoiding email as a delivery mechanism, instead relying on infected memory sticks to spread viruses.

Components of Flame include units named Bunny, Frog, Munch and BeetleJuice - a different naming scheme stripped of the mythical and political significance that might be attached to naming schemes used in Stuxnet, for example.

It's all hyperbollox

The spread of Flame has largely been confined to one corner of the globe, but this sort of geographical targeting but this isn't out of the ordinary, according to Rik Ferguson of Trend Micro.

"Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently," Ferguson writes.

"Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of modular information stealing Trojan.

"In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT.

"Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key-logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics."

Ferguson concludes that stripped of the hype, Flame is reduced to a "big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself". Flame's one unique claim to fame, according to Ferguson, is that it uses the Lua programming language, and "that’s unique in malware terms I guess, but not something that elevates the inherent risk".

While unknown in the field of virus creation, Lua is widely used elsewhere, most notably by computer game-makers such as Rovio for Angry Birds.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.