'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

If Stuxnet was the Ali of malware, then Flame is a Sumo wrestler

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid private key – unlike the signed files used by Duqu and Stuxnet, the previous stars of cyber-espionage.
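Added example, not from the article: a defender-side check that lists files whose version information claims Microsoft authorship but whose Authenticode signature does not verify, which is the discrepancy described above. The scan path is an assumption; point it at whatever directory you want to review.

```powershell
# Added example (not from the article): flag files that claim to be
# Microsoft components in their version info but carry no valid
# Authenticode signature. $ScanPath is an assumed default.
param(
    [string]$ScanPath = "$env:SystemRoot\System32"
)

Get-ChildItem -Path $ScanPath -Include *.exe,*.dll,*.sys,*.ocx -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # CompanyName comes from the PE version resource and is trivially spoofable
        $claimedCompany = $_.VersionInfo.CompanyName
        if ($claimedCompany -and $claimedCompany -match 'Microsoft') {
            # The signature, unlike the version string, is cryptographically checked
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Claimed  = $claimedCompany
                    SigState = $sig.Status
                    Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                }
            }
        }
    } | Format-Table -AutoSize
```

On Windows versions older than 8/Server 2012, many genuine system files are catalog-signed rather than embedded-signed and will show as NotSigned here, so treat hits as leads for closer inspection rather than verdicts.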

Stuxnet targeted industrial control systems and was designed for sabotage. Duqu, like Flame, was geared towards industrial espionage. However the similarities stop there. Stuxnet and Duqu were built from the same building blocks, whereas Flame used a completely different architecture.

A lot was made of the modular design of Flame, but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of the Boston-area hacking collective L0pht who later founded the application security firm Veracode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.

The creators of the malware remain unknown, but the development effort involved means it must have been the work of a large dedicated team. Flame is not designed to steal money from compromised bank accounts or to run some other profitable scam, which would appear to rule out cybercrooks.

It's certainly not the work of hobbyists and unlikely to be the work of hacktivists, who tend to favour extracting data via website compromises and by running denial-of-service attacks.

Hacktivists tend to favour much simpler tools rather than Sumo-sized, complex threats like Flame, anyway. The nature and location of the targets, as well as the complexity of the threat, leave intelligence agencies or military contractors as the most likely creators of the cyberattack tool.

Very spooky software

Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.

F-Secure's experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, the firm cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, F-Secure adds.

By contrast the best theory about the creation of Stuxnet was that it was created by Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – possibly with US assistance, and tested against similar centrifuges at Dimona.

A show-reel screened during the retirement of Gabi Ashkenazi, former IDF Chief of Staff, cited Stuxnet as an operational success, The Daily Telegraph reports. The Stuxnet code can be read to include references to various significant dates such as the date in 1979 when Habib Elghanian, a Persian Jew, was executed in Tehran.

The Stuxnet malware contains a string called MYRTUS, which might correspond to Queen Esther, a figure from the apocryphal Book of Esther who informs the Persian King Xerxes, her husband, of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born Hadassah, which means myrtle tree in Hebrew.

This is nice fodder for conspiracy theories, but it's much more likely that MYRTUS is a misspelling of "My RTUs" – a management feature of SCADA industrial control systems.

Flame is best described as a cyber-espionage toolkit that establishes a backdoor, and spreads via infected USB devices and local networks – under the control of its unknown masters. The initial mode of infection likely involved planting the malware in a machine using an infected USB drive, then allowing it to spread within a targeted network, but no further.

Cyber-espionage attacks of the type commonly blamed on China tend to involve spoofed emails with booby-trapped documents. Western agents, by contrast, seem to prefer avoiding email as a delivery mechanism, instead relying on infected memory sticks to spread viruses.

Components of Flame include units named Bunny, Frog, Munch and BeetleJuice - a different naming scheme stripped of the mythical and political significance that might be attached to naming schemes used in Stuxnet, for example.

It's all hyperbollox

The spread of Flame has largely been confined to one corner of the globe, but this sort of geographical targeting isn't out of the ordinary, according to Rik Ferguson of Trend Micro.

"Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently," Ferguson writes.

"Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of a modular information-stealing Trojan.

"In fact a recent variant of SpyEye was found to use local hardware such as cameras and microphones to record the victim, just like Flamer and just like the DarkComet RAT.

"Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key-logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics."

Ferguson concludes that stripped of the hype, Flame is reduced to a "big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself". Flame's one unique claim to fame, according to Ferguson, is that it uses the Lua programming language, and "that’s unique in malware terms I guess, but not something that elevates the inherent risk".

While unknown in the field of virus creation, Lua is widely used elsewhere, most notably by computer game-makers such as Rovio for Angry Birds.
