Flame worm one of the most complex threats ever discovered

Posted by   Virus Bulletin on   May 30, 2012

Malware possibly used for cyber-espionage.

The jury is out on whether 'Flame' (also known as 'Flamer' or 'Skywiper') is 'the most lethal cyberweapon to date' as some have claimed, or just a highly complex and sophisticated piece of malware. But simply from looking at the volume of security vendors' blog posts dedicated to the malware since its discovery this week, it is clear that Flame is far from ordinary.

One thing we do know is that there is a lot that isn't known yet. Because of both its size - when fully deployed, it is almost 20MB - and its complexity, researchers expect the full analysis to take several months at least.

What is known is that Flame is a modular piece of malware that has worm-like features, which allows it to spread on a local network. The use of modules is not unique to Flame: prevalent trojans such as ZeuS and SpyEye allow for the use of modules or plug-ins. However, whereas the latter kinds of malware are used to target the masses (stealing online banking details, sending spam), Flame's capabilities, which include network-sniffing, taking screenshots and recording audio conversations, suggest it is being used for cyber-espionage purposes.

So far, a few hundred infections are known, with victims varying from individuals to state-related organisations. Most of the victims are located in the Middle East: of the few hundred known infections, Iran features most prominently as a location, followed by Israel and Sudan.

The complexity of the malware, the prevalence of infections in Iran, as well as a number of technical features (such as the use of the Lua scripting language), suggest similarities with Stuxnet and Duqu. However, there are many differences too: unlike Stuxnet it does not appear to target SCADAs and the number of infections is probably significantly larger than that of Duqu. It is currently unclear whether the malware uses any zero-day exploits.

It is possible that Flame was developed by the same group that developed Stuxnet and Duqu, though likely as a parallel project. Given the location of the infections and the fact that developing something like Flame would require huge resources, many believe the governments of one or more rich Western nations are behind the malware. However, as with Duqu and Stuxnet, noone has been able to prove such claims.

While it has been discovered only recently, it is believed that Flame has been around for some time, possibly going back as far as March 2010. Writing about the malware, F-Secure's Mikko Hyppönen said that this is a case where the anti-virus industry has failed.

Virus Bulletin will continue to follow the developments around Flame and report about it on www.virusbtn.com and on our Twitter feed. While complacency is rarely a good idea when it comes to cybercrime, it is worth pointing out that the vast majority of users and organisations are unlikely to be affected by the malware.

Possibly the best introduction to Flame is this set of FAQs at Kaspersky's Securelist blog. Flame was first reported by MAHER, the Iranian CERT, whose report can be found here. A thorough analysis was performed in a report by the Hungarian CrySys lab here (PDF).

Posted on 30 May 2012 by Virus Bulletin

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 paper: Fantastic Information and Where to Find it: A guidebook to open-source OT reconnaissance

A VB2019 paper by FireEye researcher Daniel Kapellmann Zafra explained how open source intelligence (OSINT) can be used to learn crucial details of the inner workings of many a system. Today we publish Daniel's paper and the recording of his…

VB2019 paper: Different ways to cook a crab: GandCrab Ransomware-as-a-Service (RaaS) analysed in depth

Though active for not much longer than a year, GandCrab had been one of the most successful ransomware operations. In a paper presented at VB2019 in London, McAfee researchers John Fokker and Alexandre Mundo looked at the malware code, its evolution…

VB2019 paper: Domestic Kitten: an Iranian surveillance program

At VB2019 in London, Check Point researchers Aseel Kayal and Lotem Finkelstein presented a paper detailing an Iranian operation they named 'Domestic Kitten' that used Android apps for targeted surveillance. Today we publish their paper and the video…

VB2019 video: Discretion in APT: recent APT attack on crypto exchange employees

At VB2019 in London, LINE's HeungSoo Kang explained how cryptocurrency exchanges had been attacked using Firefox zero-days. Today, we publish the video of his presentation.

VB2019 paper: DNS on fire

In a paper presented at VB2019, Cisco Talos researchers Warren Mercer and Paul Rascagneres looked at two recent attacks against DNS infrastructure: DNSpionage and Sea Turtle. Today we publish their paper and the recording of their presentation.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.