Feeds

'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

Beginner's guide to SSL certificates

If Stuxnet was the Ali of malware, then Flame is a Sumo wrestler

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid private key – unlike the signed files used by Duqu and Stuxnet, the previous stars of cyber-espionage.

Stuxnet targeted industrial control systems and was designed for sabotage. Duqu, like Flame, was geared towards industrial espionage. However the similarities stop there. Stuxnet and Duqu were built from the same building blocks, whereas Flame used a completely different architecture.

A lot was made of the modular design of Flame but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht and who later founded the application security firm VeraCode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.

The creators of the malware remain unknown, but the development effort involved means it must have involved a larger dedicated team. Flame is not designed to steal money from compromised bank accounts or some other profitable scam, which would appear to rule out cybercrooks.

It's certainly not the work of hobbyists and unlikely to be the work of hacktivists, who tend to favour extracting data via website compromises and by running denial-of-service attacks.

Hacktivists tend to favour much simpler tools rather the Sumo-sized, complex threats like Flame, anyway. The nature and location of targets as well as the complexity of the threat leaves intelligence agencies or military contractors as the most likely creators of the cyberattack tool.

Very spooky software

Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.

The experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, it cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, F-Secure adds.

By contrast the best theory about the creation of Stuxnet was that it was created by Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – possibly with US assistance, and tested against similar centrifuges at Dimona.

A show-reel screened during the retirement of Gabi Ashkenazi, former IDF Chief of Staff, cited Stuxnet as an operational success, The Daily Telegraph reports. The Stuxnet code can be read to include references to various significant dates such as the date in 1979 when Habib Elghanian, a Persian Jew, was executed in Tehran.

The Stuxnet malware contains a string called MYRTUS, which might correspond to Queen Esther, a figure from the apocryhal Book of Esther who informs the Persian King Xerxes, her husband, of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born Hadassah, which means Myrtle tree in Hebrew.

This is nice fodder for conspiracy theories, but it's much more likely that MYRTUS is a misspelling of "My RTUs" – a management feature of SCADA industrial control systems.

Flame is best described as a cyber-espionage toolkit that establishes a backdoor, and spreads via infected USB devices and local networks – under the control of its unknown masters. The initial mode of infection likely involved planting the malware in a machine using an infected USB drive, then allowing it to spread within a targeted network, but no further.

Cyber-espionage attacks of the type commonly blamed on China tend to involve spoofed emails with booby-trapped documents. Western agents, by contrast, seem to prefer avoiding email as a delivery mechanism, instead relying on infected memory sticks to spread viruses.

Components of Flame include units named Bunny, Frog, Munch and BeetleJuice - a different naming scheme stripped of the mythical and political significance that might be attached to naming schemes used in Stuxnet, for example.

It's all hyperbollox

The spread of Flame has largely been confined to one corner of the globe, but this sort of geographical targeting but this isn't out of the ordinary, according to Rik Ferguson of Trend Micro.

"Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently," Ferguson writes.

"Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of modular information stealing Trojan.

"In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT.

"Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key-logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics."

Ferguson concludes that stripped of the hype, Flame is reduced to a "big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself". Flame's one unique claim to fame, according to Ferguson, is that it uses the Lua programming language, and "that’s unique in malware terms I guess, but not something that elevates the inherent risk".

While unknown in the field of virus creation, Lua is widely used elsewhere, most notably by computer game-makers such as Rovio for Angry Birds.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.