What makes Flame so unusual is its size. It is much larger than some of the largest malware samples researchers have found. For instance, the infamous Stuxnet worm that targeted Iran's uranium enrichment facilities several years ago was about 500 kilobytes, according to Wired.
“Flame is a sizable beast," said Graham Cluley of Sophos Security, a
publisher of digital security software. "With all its components in
place, it's approximately 20MB. And this is one of the reasons why
people have bandied phrases around like 'biggest' and 'most
sophisticated.' Reverse engineering 20MB of code is a sizable piece of
work."
Researchers have only scratched the surface of what is hidden in all that code. Stuxnet (and its sister Duqu) took researchers months to work out exactly what it did and where it might have come from. Flame will take a lot longer.
[Table comparing Flame and Stuxnet from CrySyS at Budapest University of Technology and Economics]
Flame, at its core, is spyware. It can log keystrokes on an infected computer, use the computer's microphone and webcam to record what is being said and done around it, and take screenshots. It can also sniff network traffic to steal passwords, spread through USB drives and local networks, and transfer data to command-and-control servers. It infects Windows XP, Vista and Windows 7 computers.
This is not ordinary spyware, though. While it has the simple, basic elements of spyware (ordinary spyware can keylog and use the microphone as well), its sheer bulk betrays a more sophisticated approach.
Normal spyware is not hard to detect. It is usually a derivative of existing malware that has been repurposed by criminals and distributed through normal channels such as spam or infected websites. Antivirus companies such as Symantec (Norton), Kaspersky, Sophos, Bitdefender and others add a signature for the new sample shortly after it is discovered; if the malware spreads through a Windows vulnerability, Microsoft patches that vulnerability, and the cat-and-mouse game between malware writers and security companies goes on. To a certain extent, this is what has happened with Flame. Detection and removal tools have already been released by security companies including Sophos and Symantec, as well as by the Iranian government.
But the size and uniqueness of Flame may prove to be more than the antivirus companies realize. Right now, the detection tools look for specific byte sequences in the Flame code. For instance, samples containing strings such as "flame" or "wiper" are flagged and blocked. Signatures like these catch the samples already collected, but not necessarily a variant in which those strings have been changed or encoded. The thing is, Flame is not exactly new. It has been in the wild for more than five years, perhaps in varying forms that were extended over time. Much of Flame may have been compiled in 2011, but parts of it may be older. Flame's ability to avoid detection for so long speaks to its unusual properties, and those properties may also speak to its source.
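The kind of string signature described above, as an added illustration that is not part of the original article and contains no Flame code: the sample bytes, file names and signature names are constructed for the example. The scanner flags a sample by the strings it contains, a variant of the same bytes passed through a single-byte XOR slips past it, and a brute-force unpacking pass (the hypothetical `scan_with_xor_bruteforce`) is what it takes to catch that variant.

```python
import re

# Constructed sample files. These bytes are made up for the example; they are
# not taken from Flame or from any real binary.
CONSTRUCTED_SAMPLES = {
    "known_sample.bin": b"MZ\x90\x00PE\x00\x00flame.dll\x00wiper.lua\x00",
    "benign.bin":       b"MZ\x90\x00PE\x00\x00notepad.exe\x00",
}

# String signatures of the sort described in the text: a name found in the
# code, matched as raw bytes. Signature names are invented for the example.
SIGNATURES = {
    "flame_string": re.compile(rb"flame"),
    "wiper_string": re.compile(rb"wiper"),
}


def scan(data):
    """Return the names of every signature that matches the raw bytes."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]


def xor_obfuscate(data, key):
    """Single-byte XOR: the simplest transformation a repacked variant might
    apply so that its strings no longer appear literally in the file."""
    return bytes(b ^ key for b in data)


def scan_with_xor_bruteforce(data):
    """Try every single-byte XOR key (0 means 'no transformation') and return
    {key: [matching signatures]} for the keys under which anything matches.
    This is the cheap unpacking step a scanner needs before string matching
    is meaningful against an encoded sample."""
    hits = {}
    for key in range(256):
        found = scan(xor_obfuscate(data, key))
        if found:
            hits[key] = found
    return hits


def demo():
    """Scan the known sample, a benign file, and a hypothetical XOR-repacked
    variant of the known sample, with and without the brute-force pass."""
    known = CONSTRUCTED_SAMPLES["known_sample.bin"]
    benign = CONSTRUCTED_SAMPLES["benign.bin"]
    variant = xor_obfuscate(known, 0x5A)   # hypothetical repacked variant
    return {
        "known": scan(known),
        "benign": scan(benign),
        "variant_plain": scan(variant),
        "variant_bruteforce": scan_with_xor_bruteforce(variant),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The plain scan catches the original sample and nothing else; the same bytes XORed with one key match no signature at all until the brute-force pass recovers them under key 0x5A. A real repacker would use something stronger than one-byte XOR, which is why string signatures alone are a poor fit for a target that has been rebuilt repeatedly over several years.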
Flame also uses a language that is unusual in the malware world: Lua. Lua is a small scripting language designed to be embedded in programs written in C or C++, and it is widely used by game developers to script behaviour that runs unchanged across platforms, including iOS and Android. It is not a substitute for C++; the compiled native core exposes functions that the Lua scripts call, which is what makes the scripted part easy to update and easy to wire to the rest of the program.
“Lua is normally used for convenience," said Liam O Murchu,
operations manager of Symantec Security Response. "As a scripting
language it is much more high-level than C++ and it is easier to write
in. Also, it is very easy to update the Lua part of the code and change
the behavior of the threat in a very fluid and fast way. Often the Lua
portion can be updated without recompiling and redeploying the software
in question.”
[Flame (sKyWIper) startup sequence from CrySyS]
Flame is well organized in how it communicates and stores data. On an infected machine it can perform a variety of tasks, including erasing its own components and any other malware it finds on the machine. This is a tactic used by other sophisticated malware, acting as its own antivirus program, presumably because a noisier, less sophisticated infection could draw the attention that leads to the discovery of Flame itself. When Flame exfiltrates data, be it keystroke logs or screenshots, it encrypts it and sends it back to its command-and-control servers over HTTPS. Locally, the collected data is organized in a SQLite database; SQLite is a small, embedded, file-based SQL database library, not a cut-down version of MySQL.
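An embedded SQLite store is also something a responder can look for. The following is an added example, not code from the article or from Flame: it builds a constructed staging database (invented schema and rows) under a deceptive file name, identifies it by its 16-byte header rather than its extension, and dumps the tables, columns and row counts an analyst would want to see first. The file names `mscache.tmp` and `notes.db` are hypothetical.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 database file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """Identify a SQLite database by its header, not by its extension. A
    collector can call its store anything it likes (.tmp, .ocx, .dat)."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def triage(path):
    """Open the database read-only and return
    {table: {"columns": [...], "rows": n}} for every table, so an analyst
    can see at a glance what was being collected and how much."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        result = {}
        for name in names:
            cols = [row[1] for row in con.execute(f'PRAGMA table_info("{name}")')]
            rows = con.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
            result[name] = {"columns": cols, "rows": rows}
        return result
    finally:
        con.close()


def build_constructed_store(path):
    """Create a made-up staging database resembling what a spyware collector
    might keep locally. Schema and rows are invented for this example and
    are not Flame's."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE keylog (ts INTEGER, window TEXT, keys TEXT)")
        con.execute("CREATE TABLE screenshots (ts INTEGER, png BLOB)")
        con.executemany("INSERT INTO keylog VALUES (?, ?, ?)", [
            (1338400000, "Outlook", "meeting at 10"),
            (1338400060, "Browser", "password123"),
        ])
        con.execute("INSERT INTO screenshots VALUES (?, ?)",
                    (1338400030, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    con.close()


def demo():
    """Build the constructed store under a hypothetical disguised name, plus a
    decoy that is not SQLite at all, then identify and triage them."""
    tmpdir = tempfile.mkdtemp()
    store = os.path.join(tmpdir, "mscache.tmp")   # hypothetical name
    decoy = os.path.join(tmpdir, "notes.db")      # hypothetical name, not SQLite
    build_constructed_store(store)
    with open(decoy, "wb") as f:
        f.write(b"just text\n")
    try:
        return {
            "store_is_sqlite": is_sqlite_file(store),
            "decoy_is_sqlite": is_sqlite_file(decoy),
            "tables": triage(store),
        }
    finally:
        for p in (store, decoy):
            os.remove(p)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

Opening with `mode=ro` matters on a live machine: triage should read the evidence, not modify it or leave a journal file behind.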
In a nutshell: Flame can control almost every aspect of the computer,
disappear without a trace, encrypt its own communications and organize
the data it collects. That is one smart virus.
It is so large and smart that researchers have concluded that this
was not created by a random group of hackers looking to make some money.
(Now that its code is out in the wild, though, that may be part of its
future.)
“The results of our technical analysis support the hypotheses that sKyWIper [Flame] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” stated a technical report from the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics.
Should average computer users worry about Flame? The short answer is no. Kaspersky Lab, which initially reported on Flame, found only several hundred infections among its client base, most of them in Iran and other Middle Eastern countries. Whoever created Flame has been aiming it at specific targets, perhaps knowing that a virus like this left unchecked in the wild could do serious damage.
“I think run-of-the-mill malware is a much more significant threat to
the vast majority of computer users than Flame,” Cluley said. “We have
had zero reports of Flame from any of our customers' computers
worldwide. Even Kaspersky, who appeared in the first media reports of
Flame, only reported a couple of hundred infected PCs. Flame pretty much
became the malware you didn't have to worry about because of the media
hoopla and antivirus products being updated in the last 36 hours or so.
You imagine that whoever was behind Flame is now pretty grumpy about
their malware attracting so much attention.”