A cyberweapon of unprecedented sophistication is ripping through computer systems in the Middle East, security vendor Kaspersky Lab claims. It has dubbed the malware “Worm.Win32.Flame” — or “Flame,” for short.
Other security vendors, including McAfee and Symantec, have issued similar warnings, and there are claims that it was created, or at least backed, by a nation-state.
Flame is one of the most complex threats ever discovered, Kasperksy contends. However, the picture on Flame is far from clear. Various names have been given to various pieces of malware floating about, and it’s uncertain whether or not they all refer to the same code.
“It’s in the early stages of research at the moment,” Dave Marcus, director, advanced research and threat intelligence at McAfee, told TechNewsWorld.
Kaspersky Labs spokesperson Greg Sabey declined to provide further comment.
However, Webroot contends the threat from this malware is overblown.
“Flame would be easy to discover for multiple elements of an intrusion defense system, so if a nation-state was behind it, they clearly didn’t plan it well or want it to actually work,” Joe Jaroch, vice president of endpoint solutions engineering at Webroot, told TechNewsWorld.
Something Wicked This Way Comes, We Think
Over the weekend, Iran’s emergency response team published news of an attack it called “Flame” or “Flamer,” McAfee said.
Meanwhile, Hungarian research team CrySys published information about a new piece of malware it called “sKyWIper,” parts of which had been uploaded from Europe. CrySys later said sKyWIper is what Kaspersky called “Flame” and the Iranians call “Flamer.”
Then there are news reports out of Iran that claim a piece of malware called either “Viper” or “Wiper” had infected computers at the country’s oil ministry.
It’s unclear whether all these names refer to the same piece of malware.
Meanwhile, there’s speculation that Flame may be connected to the Stuxnet worm, but again the picture’s murky. Kaspersky claimed at one point that Flame shares many characteristics with Stuxnet and its relative, the Duqu worm, then later said Flame has no major similarities with the other two.
“We don’t see them being related,” Webroot’s Jaroch said. McAfee’s Marcus is not sure yet.
What Does Flame Do?
The worm was launched to systematically collect information on the operations of states in the Middle East, Kaspersky said. However, there doesn’t seem to be any kind of pattern as to who’s being attacked. Victims include individuals, state-related organizations and educational institutions across several countries.
Once a system’s infected, Flame begins sniffing network traffic, taking screenshots, recording audio conversations and intercepting keyboard commands. It then sends all this back to several command and control servers scattered around the world, Kaspersky said. Flame can also collect information about discoverable devices near an infected machine.
The Threat From Flame
Flame has many different libraries for compression and data manipulation, and it implements security algorithms as well as a Lua virtual machine, Kaspersky said. At about 20 MB in size, it is exceptionally large, and it is very sophisticated.
“Yes, it is a highly modular piece of code with many components, but that doesn’t equate to the conventional term of complexity with regard to threats,” Webroot’s Jaroch remarked. Server-side polymorphic malware, which has been around for several years, is “orders of magnitude more complicated.”
Further, while Flame does use differing algorithms, “none of them are challenging,” Jaroch said. They’re “significantly outdated and easily broken automatically by current security technology.”
Although Flame covers several areas that some threats don’t, none of them are unique, Jaroch pointed out. “One of the frequently commented-on aspects of Flame is that it collects the name of every file on the system but even this is far from revolutionary. Most backdoor Trojans have significantly more functionality than this — Rbot, SubSeven and Bifrost, to name a few.”
“Whether sKyWIper is the most complex [malware] ever or not has no bearing on whether or not Iran’s CERT can come up with a remediation tool to remove the infection,” McAfee’s Marcus pointed out. “A full detailed analysis of sKyWIper is of a level of analysis way deeper than is required to come up with remediation tools.”
As for Flame’s complexity, Webroot “automatically developed a solution in 2007 … and it would not be difficult for Iran to develop a solution either in our opinion.”