The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse.
Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have been in circulation for at least two years (and perhaps much longer) but only hit the news on Monday following a series of announcements by security groups and antivirus firms.
Iran’s National Computer Emergency Response Team published a warning about the data-stealing virus, promising an antidote: so far the malware has completely evaded detection by commercial antivirus scanners. Iranian researchers described the malware as a “close relation” to Stuxnet, the famously well-engineered nasty that sabotaged industrial control systems linked to Iran’s controversial nuclear programme.
Kaspersky Lab said the UN International Telecommunication Union had alerted it to Flame and asked for help analysing the malware, which was believed to be wiping information from Middle Eastern computers. Kaspersky said the unusually large virus has been spreading since March 2010.
However, Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS) fear Flame may have been active for somewhere between 5 to 8 years. The Budapest-based lab published a preliminary analysis [PDF] of the malware, which it dubbed sKyWIper – the CrySys Lab realised the complex piece of malicious software that they had been analysing for weeks was clearly a build of Flame.
Other security firms have since waded in with their own observations and early analysis; confusingly, other researchers are calling the threat either Viper or Flamer.
There’s general consensus that Flame is the most elaborate malware threat ever uncovered, and that it was almost certainly developed by a state-sponsored team. The Hungarian team concludes that the malware was “developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities”.
How Flame spread its digital inferno
The 20MB virus compromises Windows-based PCs and stealthily installs itself before stealing data and passwords, taking screenshots and surreptitiously turning on microphones to record audio conversations. The malware sets up a backdoor and opens encrypted channels to command-and-control (C&C) servers using SSL protocols.
Flame shares some characteristics with the early Duqu and Stuxnet worms, but also has a number of differences.
Like Stuxnet and Duqu, Flame malware can spread via USB sticks and across insecure networks. All three infect machines running Microsoft’s operating system. Flame contains exploits for known and fixed vulnerabilities, such as the print spooler’s remote code execution bug and the .lnk security hole first found in Stuxnet.
However, Flame is much more complex than either Stuxnet or Duqu: it is made up of attack-launching modules that can be swapped in and out as required for a particular job; it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library.
It also executes a small set of scripts written in Lua – a programming language favoured by computer game makers such as Rovio for Birds. These direct the operation of the attack modules.
Several Flame files claim to be Microsoft Windows components, but none are signed with a valid (or even possibly stolen) private key, as it was the case with Duqu and Stuxnet.
Both Duqu and Stuxnet targeted industrial control systems, while Flame is far more promiscuous. Crucially, analysis suggests Stuxnet and Duqu use the same building blocks (a common platform most likely used by the same programming team) and that this is not the case with Flame.
“The threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex,” McAfee notes, hypothesising that Flame might be a “parallel project” to Stuxnet and Duqu.
Worm rears head after attacks on oil field systems
Over recent weeks, prior to Monday’s announcement about the malware, Iran reported intensified cyber-attacks on its energy sector, which they observed as a direct continuation of the Stuxnet and Duqu attacks. This may be linked to a decision last month to disconnect the main oil export terminal on Kharg Island in the Persian Gulf following a computer virus infection.
“Evidently, the threat has been developed over many years, possibly by a large group or dedicated team,” McAfee notes.
“We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more wildly spread than Duqu, with similarly large numbers of variants.”
Symantec agrees with its rival’s assessments that Flame was developed by a team, concluding that the “code was not written by a single individual but by an organised well-funded group of personnel with directives”. Unlike Stuxnet, Flame is not particularly targeted and has spread to civilians’ systems in many countries.
“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear,” Symantec said.
“However, initial evidence shows the victims may not all be targeted for the same reason. Many appear targeted for individual personal activities, rather than their company of employment. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers being used from home Internet connections.”
David Harley, senior researcher at ESET, agreed with McAfee that Flame and Stuxnet are more different than they are similar.
“Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area,” Harley said. “While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be purely speculative right now, as the code seems very different.”
Other than saying it’s likely the work of state-sponsored black hat coders, possibly in the employ of an intelligence agency, nobody is speculating who is behind Flame. A lot of the same caveats apply to Stuxnet, but circumstantial evidence does point towards some sort of joint Israeli-US operation.
Even though the full capabilities of Flame, much less who created it and why, remain a bit of a mystery, security firms can at least add detection for the malware now that samples are circulating among researchers.
“Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It’s code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all,” writes Graham Cluley, a senior security consultant at Sophos. “Fortunately, complete code analysis is not necessary to add detection.”