If Stuxnet was the Ali of malware, then Flame is a Sumo wrestler
Several Flame files claim to be Microsoft Windows components, but none are signed with a valid private key – unlike the signed files used by Duqu and Stuxnet, the previous stars of cyber-espionage.
Stuxnet targeted industrial control systems and was designed for sabotage. Duqu, like Flame, was geared towards industrial espionage. However the similarities stop there. Stuxnet and Duqu were built from the same building blocks, whereas Flame used a completely different architecture.
A lot was made of the modular design of Flame but this isn't new either. Chris Wysopal (AKA Weld Pond), a former member of Boston-area hacking collective L0pht and who later founded the application security firm VeraCode, noted with some disdain that the Back Orifice 2000 hacker tool included modular functionality when it came out 12 years ago.
The creators of the malware remain unknown, but the development effort involved means it must have involved a larger dedicated team. Flame is not designed to steal money from compromised bank accounts or some other profitable scam, which would appear to rule out cybercrooks.
It's certainly not the work of hobbyists and unlikely to be the work of hacktivists, who tend to favour extracting data via website compromises and by running denial-of-service attacks.
Hacktivists tend to favour much simpler tools rather the Sumo-sized, complex threats like Flame, anyway. The nature and location of targets as well as the complexity of the threat leaves intelligence agencies or military contractors as the most likely creators of the cyberattack tool.
Very spooky software
Hungarian security researchers at CrySyS reckon that Flame was "developed by a government or nation state with significant budget and effort", the one point on which there's general agreement.
The experts reckon a military sub-contractor was likely to have carried out the work rather than an intelligence agency. To support this theory, it cites job adverts by Northrop Grumman for a software engineer to work on offensive cyberspace missions. Lots of other defence contractors, including Lockheed Martin and Raytheon, have positions for this type of project, F-Secure adds.
By contrast the best theory about the creation of Stuxnet was that it was created by Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – possibly with US assistance, and tested against similar centrifuges at Dimona.
A show-reel screened during the retirement of Gabi Ashkenazi, former IDF Chief of Staff, cited Stuxnet as an operational success, The Daily Telegraph reports. The Stuxnet code can be read to include references to various significant dates such as the date in 1979 when Habib Elghanian, a Persian Jew, was executed in Tehran.
The Stuxnet malware contains a string called MYRTUS, which might correspond to Queen Esther, a figure from the apocryhal Book of Esther who informs the Persian King Xerxes, her husband, of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born Hadassah, which means Myrtle tree in Hebrew.
This is nice fodder for conspiracy theories, but it's much more likely that MYRTUS is a misspelling of "My RTUs" – a management feature of SCADA industrial control systems.
Flame is best described as a cyber-espionage toolkit that establishes a backdoor, and spreads via infected USB devices and local networks – under the control of its unknown masters. The initial mode of infection likely involved planting the malware in a machine using an infected USB drive, then allowing it to spread within a targeted network, but no further.
Cyber-espionage attacks of the type commonly blamed on China tend to involve spoofed emails with booby-trapped documents. Western agents, by contrast, seem to prefer avoiding email as a delivery mechanism, instead relying on infected memory sticks to spread viruses.
Components of Flame include units named Bunny, Frog, Munch and BeetleJuice - a different naming scheme stripped of the mythical and political significance that might be attached to naming schemes used in Stuxnet, for example.
It's all hyperbollox
The spread of Flame has largely been confined to one corner of the globe, but this sort of geographical targeting but this isn't out of the ordinary, according to Rik Ferguson of Trend Micro.
"Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently," Ferguson writes.
"Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of modular information stealing Trojan.
"In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT.
"Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key-logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics."
Ferguson concludes that stripped of the hype, Flame is reduced to a "big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself". Flame's one unique claim to fame, according to Ferguson, is that it uses the Lua programming language, and "that’s unique in malware terms I guess, but not something that elevates the inherent risk".
While unknown in the field of virus creation, Lua is widely used elsewhere, most notably by computer game-makers such as Rovio for Angry Birds.
Next page: How did it slip under the radar?
This article reads strangely, at least to a non-professional in the security field
Reading some paragraphs the virus was in no way special or clever (though it was big), while reading others it managed to go on completely undetected for an unspecified number of years, while deleting critical information and performing other functions which can't be ascertained or traced back to a culprit.
Likewise, the coding of the virus is not especially unusual or exciting, but will take months and possibly years to decipher.
It may be because I work in a commercial word used to trumpetting even modest failure as startling success, but if I'd delivered a project that met such clearly defined goals over such a long period and didn't leave any significant threads for people to pull apart at the end then I'd feel like i'd done a pretty good job.
20Mb? Modular beyond all reason? It sounds like "enterprise grade" malware to me...
Re: This article reads strangely, at least to a non-professional in the security field
Agreed. It seems the significance of Flame would be in it's apparent (but not really known) effectiveness...and possibly over a rather extended period of time. Being small, creating a large botnet, or being innovative, getting pats on the back from The Register, obviously weren't primary design goals.