Feeds

'Super-powerful' Flame worm actually boring BLOATWARE

More Jabba the Hutt than lean Windows killing machine

Using blade systems to cut costs and sharpen efficiencies

If Stuxnet was the Ali of malware, then Flame is a Sumo wrestler

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid private key – unlike the signed files used by Duqu and Stuxnet, the previous stars of cyber-espionage.

Stuxnet targeted industrial control systems and was designed for sabotage. Duqu, like Flame, was geared towards industrial espionage. However the similarities stop there. Stuxnet and Duqu were built from the same building blocks, whereas Flame used a completely different architecture.

A lot was made of the modular design of Flame but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht and who later founded the application security firm VeraCode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.

The creators of the malware remain unknown, but the development effort involved means it must have involved a larger dedicated team. Flame is not designed to steal money from compromised bank accounts or some other profitable scam, which would appear to rule out cybercrooks.

It's certainly not the work of hobbyists and unlikely to be the work of hacktivists, who tend to favour extracting data via website compromises and by running denial-of-service attacks.

Hacktivists tend to favour much simpler tools rather the Sumo-sized, complex threats like Flame, anyway. The nature and location of targets as well as the complexity of the threat leaves intelligence agencies or military contractors as the most likely creators of the cyberattack tool.

Very spooky software

Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.

The experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, it cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, F-Secure adds.

By contrast the best theory about the creation of Stuxnet was that it was created by Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – possibly with US assistance, and tested against similar centrifuges at Dimona.

A show-reel screened during the retirement of Gabi Ashkenazi, former IDF Chief of Staff, cited Stuxnet as an operational success, The Daily Telegraph reports. The Stuxnet code can be read to include references to various significant dates such as the date in 1979 when Habib Elghanian, a Persian Jew, was executed in Tehran.

The Stuxnet malware contains a string called MYRTUS, which might correspond to Queen Esther, a figure from the apocryhal Book of Esther who informs the Persian King Xerxes, her husband, of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born Hadassah, which means Myrtle tree in Hebrew.

This is nice fodder for conspiracy theories, but it's much more likely that MYRTUS is a misspelling of "My RTUs" – a management feature of SCADA industrial control systems.

Flame is best described as a cyber-espionage toolkit that establishes a backdoor, and spreads via infected USB devices and local networks – under the control of its unknown masters. The initial mode of infection likely involved planting the malware in a machine using an infected USB drive, then allowing it to spread within a targeted network, but no further.

Cyber-espionage attacks of the type commonly blamed on China tend to involve spoofed emails with booby-trapped documents. Western agents, by contrast, seem to prefer avoiding email as a delivery mechanism, instead relying on infected memory sticks to spread viruses.

Components of Flame include units named Bunny, Frog, Munch and BeetleJuice - a different naming scheme stripped of the mythical and political significance that might be attached to naming schemes used in Stuxnet, for example.

It's all hyperbollox

The spread of Flame has largely been confined to one corner of the globe, but this sort of geographical targeting but this isn't out of the ordinary, according to Rik Ferguson of Trend Micro.

"Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently," Ferguson writes.

"Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of modular information stealing Trojan.

"In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT.

"Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key-logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics."

Ferguson concludes that stripped of the hype, Flame is reduced to a "big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself". Flame's one unique claim to fame, according to Ferguson, is that it uses the Lua programming language, and "that’s unique in malware terms I guess, but not something that elevates the inherent risk".

While unknown in the field of virus creation, Lua is widely used elsewhere, most notably by computer game-makers such as Rovio for Angry Birds.

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.