Massive, Advanced Cyberthreat Uncovered

Malware Known as Flame is 20 Times the Size of Stuxnet

May 30, 2012.

Kaspersky Lab, the research arm of the Russian security products company, announced May 28 that it has discovered highly sophisticated malware, active for more than two years, that is being used to spy on several countries, mostly in the Middle East.


Detected by researchers as Worm.Win32.Flame - or more simply, Flame - it's designed to carry out cyber espionage and steal valuable information, including, but not limited to, computer display contents, information about targeted systems, stored files, contact data and audio conversations, Kaspersky Lab says.

Kaspersky Lab's chief security expert, Alex Gostev, characterizes Flame as a super-cyberweapon such as Stuxnet and Duqu, and in his blog contends it's "one of the most complex threats ever discovered. It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

Gostev identifies Flame's targets as: Iran, Israel and/or Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Nearly half of the 382 Flame attacks identified by Gostev targeted facilities in Iran. Roger Thompson, chief emerging threats researcher for ICSA Labs, also identifies organizations in Hungary as being targeted.

From Kaspersky's initial analysis, Gostev says, the creators of Flame are looking for any kind of intelligence: e-mails, documents, messages, discussions inside sensitive locations, "pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry - making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

There doesn't seem to be a visible pattern in the type of organization Flame targets, he says, adding that victims include individuals, government-related organizations and educational institutions.

Thompson, in his blog, says Flame portends ill for its victims. "One of the tenets of computer security is that if a skilled hacker is in your networks for long enough, you can never get them out again, because they know more about your network than you do, and these hackers were skilled ... highly skilled," he says.

Unknown Originator

No one knows who's behind Flame, but because of its size and sophistication, a nation-state is suspected. "This code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives," according to a Symantec Security Response blog post. "Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry."

Symantec says Flamer, as it calls the malware, is likely the same threat recently described by the Iranian national computer emergency response team.

Flame is huge: It's about 20 times larger than Stuxnet, the malware that infected Iranian nuclear centrifuges in 2010. But Gostev says Flame's architecture is different from the framework behind Stuxnet and Duqu.

Flame occupies nearly 20 megabytes when fully deployed, making it extremely difficult to analyze. Why so big? Flame bundles many different libraries, for example for compression and database manipulation, and it contains a virtual machine based on the Lua scripting language.

Its massive size sets Flame apart from other malware toolkits. Gostev says modern malware generally is small and written in compact programming languages, which makes it easy to hide. Concealment through large amounts of code is one of the specific new features in Flame. Flame also can record sound, which is fairly new, he says. Though other malware can record sound, he says, the key with Flame is its completeness: the ability to steal data in a wide variety of ways.

Flame can also use Bluetooth, collecting information about discoverable devices near the infected machine. Depending on its configuration, Flame can turn the infected machine into a beacon, making it discoverable via Bluetooth and encoding general information about the malware's status in the advertised device information.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
