Behind the Flame malware (FAQ)

With possible ties to malware targeting Iran, the Flame spying software is seen as the latest cyber espionage attempt from a nation state.

The new Flame malware, that has infected computers in Iran and the Middle East, is named after one of the main modules it uses to spread.
(Credit: Securelist)

The Flame worm that has targeted computers in the Middle East is being called "the most sophisticated cyberweapon yet" by the Kaspersky Lab researchers who discovered it. Lurking on computers for at least five years, the malware has the ability to steal data, eavesdrop on conversations and take screen captures of instant message exchanges, making it dangerous to any victim. But a possible link to malware found on computers in Iran's oil sector, has experts saying that it has to be the work of a nation-state.

CNET spoke to Roel Schouwenberg, senior researcher at Kaspersky, to find out who is behind this malware and how dangerous it really is.

What is Flame?

Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers that can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky Lab blog post.

Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes, gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what each do.

The package of modules comprises of nearly 20 megabytes, over 3000 lines of code and includes libraries for compression, database manipulation, multiple methods of encryption and batch scripting. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee's technical blog post is here.

"Flame is very modular. Basically, a target will get infected with the main component, and then the attackers will only upload modules to the target as they see fit," Schouwenberg said. "We assume that we don't have all the modules that exist in the wild."

How does it spread?

Flame spreads within a network via a USB thumb drive, network shares, or shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It's unclear what the initial point of entry is. "We expect to find a spear phishing email with a 'Zero-Day' exploit," Schouwenberg said.

How long has Flame been around?

"We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that," Schouwenberg said. Kaspersky Lab researchers discovered the malware several weeks ago, after being asked by the United National's International Telecommunication Union to help in uncovering malware dubbed "Wiper", which was stealing and deleting sensitive information on computers in Iran's oil sector.

How does Flame relate to Wiper?

"Wiper could be a Flame module that is uploaded to a target machine, when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental," Schouwenberg said. "So, we have an open mind to Wiper being a Flame plug-in."

Iran's National Computer Emergency Response Team (CERT), which is called "Maher", said that software to detect Flame was sent to Iranian companies at the beginning of May and a removal tool is now ready. Recent incidents of mass data loss in Iran "could be the outcome of some installed module of this threat", CERT said, speculating that attacks on Iran's gas company computers may have been linked to Flame. Officials in Iran also suspect that Wiper and Flame are somehow linked, the Associated Press reported.

Why wasn't Flame discovered earlier?

Whoever created Flame took extreme efforts to write the code so that it would evade detection, for as long as possible. "Clearly, it's another multimillion-dollar project with government funding, so one of the top priorities has been stealth," Schouwenberg said.

While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn't look malicious at first glance. "Flame authors have adopted the concept of hiding in plain sight," he said. Because Flame doesn't use a rootkit technology, free anti-rootkit tools won't be able to detect it. "Finding it is going to be more complicated," said Schouwenberg.

Who created the malware?

It's unclear who wrote and distributed the malware, but Schouwenberg said that researchers believe it was a nation-state, or someone hired by a nation-state, because of the advanced nature of the threat. Just because the code is in English does not mean that an English-speaking country is behind it, Schouwenberg explained, when asked if he thought the US and/or Israel are behind this malware, as is believed with Stuxnet.

Is it related to Stuxnet and Duqu?

Flame shares some characteristics with two previous types of malware that targeted critical infrastructure systems and used the same technology platform; Stuxnet and Duqu. Schouwenberg believes the same entities are behind Flame. For instance, Flame and Stuxnet both spread via USB drive using the "Autorun" method and a .LNK file which triggered an infection when a directory is opened. Flame can also replicate through local networks using a Windows-based shared printer vulnerability that was exploited by Stuxnet, as well.

Kaspersky hasn't uncovered Flame using the vulnerability called "Zero-Days", but since Flame has infected fully patched Windows 7 systems through the network there may be a high-risk that this vulnerability is being exploited. "We are operating under the assumption right now that, basically, Flame and Stuxnet were two parallel projects commissioned by the same nation-sate or states. The Stuxnet platform was created by one team or company and Flame by another team or company, and both teams had access to this common set of exploits," Schouwenberg.

Flame is 20 times larger than Stuxnet, which was previously believed to be the most sophisticated piece of malware ever.

How serious is this?

Kaspersky researchers believe that there is much more to Flame, than they know now.

"We operate on the assumption that there are other modules we don't know about, which could elevate Flame from cyber espionage to cyber sabotage," Schouwenberg said. "Given the conservative method of spreading, we assume that the vast majority of infections we are seeing are intended targets... The amount of manpower required to maintain this operation is very significant. Flame uses more than 80 Command and Control servers, which we haven't seen before. This shows the amount of resources committed to this project."

Who is being targeted with Flame?

The highest proportion of infections are in Iran, followed by "Israel/Palestine", Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec said that the primary targets are in the Palestinian West Bank, Hungary, Iran and Lebanon.

"With Flame, we haven't been able to say what binds all the targets together, other than that they are in the same geographical region," Schouwenberg said. "We are trying to work with incident response teams globally to contact these victims and find out more, but, right now, we don't know what type of data has been stolen." Victims include educational institutions, state-related organizations and individuals.

Here are the countries with the most Flame infections, discovered by Kaspersky.
(Credit: Securelist)

How widespread is Flame?

So far, there are only estimates as to how widespread Flame infections are. Kaspersky researchers have seen between 300 and 400 infections of computers, but researchers speculate that there could be more than 1000 infected computers worldwide. Though most of the infections are in Iran and other countries in the Middle East, there have been a few in the US, and Schouwenberg said that those could be due to someone in the Middle East using a virtual private network based in the US to circumvent internet filters in that country, as opposed to genuine infections on US-based computers.

"We're looking into sink-holing [taking control of] some of the Command and Control servers and getting data from there, to have a more accurate reflection of infections," Schouwenberg said.

Does it affect me?

Most major anti-virus software now detect Flame, so updating your security software should be sufficient to protect computers. Kaspersky has also offered tips for manually removing the malware. It should be noted that the malware is not designed to steal financial data or targeted at consumers.

What does all this mean?

While Flame represents another sophisticated cyber espionage attack, it's not exactly a harbinger of cyber war. Countries have been conducting cyber espionage for years, but it wasn't until Stuxnet and its links to the US and Israel that a Western country was identified by researchers. Stuxnet is believed to have been designed to sabotage Iran's nuclear program, after diplomatic efforts had failed. That said, Flame does show that sophisticated attacks on critical infrastructure are happening and succeeding.

"The good news is that, like Stuxnet, Flame appears to be highly targeted," Eric Byres, chief technology officer and co-founder of Tofino Industrial Security, wrote in a blog post. "But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware."

"You could call it military-grade malware, which is obviously a class above (other malware) and generally, these are covert operations, so remaining stealth is top-most priority," Schouwenberg said. "In the end, it was anti-malware that found this type of attack."


Add Your Comment


Be the first to comment on this story!

Post comment as

Sponsored Links

Recently Viewed Products