Super-powerful Flame worm could take YEARS to dissect

But it shares same scripting tech as Angry Birds


Analysis The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse.

Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have been in circulation for at least two years (and perhaps much longer) but only hit the news on Monday following a series of announcements by security groups and antivirus firms.

Iran's National Computer Emergency Response Team published a warning about the data-stealing malware and promised an antidote; at the time of that warning the malware had evaded detection by every commercial antivirus scanner tested. Iranian researchers described it as a "close relation" to Stuxnet, the famously well-engineered nasty that sabotaged industrial control systems linked to Iran's controversial nuclear programme.

Kaspersky Lab said the UN International Telecommunication Union had alerted it to Flame and asked for help analysing the malware, which was believed to be wiping information from Middle Eastern computers. Kaspersky said the unusually large virus has been spreading since March 2010.

However, Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS) fear Flame may have been active for five to eight years. The Budapest-based lab published a preliminary analysis [PDF] of the malware, which it dubbed sKyWIper, after realising that the complex sample it had been analysing for weeks was clearly a build of Flame.

Other security firms have since waded in with their own observations and early analysis; confusingly, the same threat is also being called Viper or Flamer by other researchers.

There's general consensus that Flame is the most elaborate malware threat ever uncovered, and that it was almost certainly developed by a state-sponsored team. The Hungarian team concludes that the malware was "developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities".

How Flame spread its digital inferno

The malware, which weighs in at around 20MB once all of its modules are present, compromises Windows PCs and installs itself stealthily before stealing data and passwords, taking screenshots and surreptitiously switching on microphones to record conversations. It sets up a backdoor and talks to its command-and-control (C&C) servers over SSL-encrypted channels.

Flame shares some characteristics with the earlier Duqu and Stuxnet worms, but also differs from them in a number of ways.

Like Stuxnet and Duqu, Flame can spread via USB sticks and across poorly secured networks. All three infect machines running Microsoft Windows. Flame carries exploits for vulnerabilities that are known and already patched, including the print spooler remote code execution bug (MS10-061) and the .lnk shortcut-icon hole (MS10-046) first seen exploited by Stuxnet.
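The shortcut-icon bug is a useful place to show what a defender can check without reverse engineering the payload. The Python below is an added example, not code from any of the vendors cited in this piece: it parses the fixed ShellLinkHeader and the LinkTargetIDList of a .lnk file according to Microsoft's public MS-SHLLINK format and flags shortcuts whose item list routes through the Control Panel folder to a DLL, which is the shape of shortcut that made the shell load a DLL just to render an icon. The scoring rule and the two sample shortcuts are constructed for the demonstration (assumptions, not indicators taken from any report), and the rule will also flag benign shortcuts that genuinely target a DLL, so treat hits as triage candidates rather than verdicts.

```python
"""Heuristic triage of Windows shortcut (.lnk) files for the shell-icon
trick described in the article: a shortcut whose target item list makes
the shell treat a DLL as a Control Panel applet, so Explorer loads the DLL
just to draw the icon.  Added example, not from any vendor report: the file
layout follows the public MS-SHLLINK specification, but the scoring rule
below is the editor's own assumption and will also flag some legitimate
shortcuts that target a DLL."""
import struct
import uuid
from typing import List, Tuple

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader length
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1            # LinkFlags bit 0
# On-disk (little-endian) form of the Control Panel folder CLSID; an item
# list that passes through this folder tells the shell that the next item
# is an applet to load rather than a file to display.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
DLL_ASCII = b".dll"
DLL_UTF16 = ".dll".encode("utf-16-le")


def parse_id_list(data: bytes, offset: int) -> List[bytes]:
    """Return the payload of each ItemID in the LinkTargetIDList at offset.

    Layout: IDListSize (2 bytes) followed by ItemIDs, each a 2-byte size
    (including the size field) plus data, ended by a 2-byte TerminalID of 0.
    """
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:               # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def suspicious_lnk(data: bytes) -> Tuple[bool, str]:
    """Return (flagged, reason) for the raw bytes of one shortcut file."""
    if len(data) < HEADER_SIZE:
        return False, "too short to be a shell link"
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        return False, "not a shell link"
    (flags,) = struct.unpack_from("<I", data, 20)   # LinkFlags sit at offset 20
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return False, "no LinkTargetIDList"
    items = parse_id_list(data, HEADER_SIZE)
    via_control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    names_dll = any(DLL_ASCII in item.lower() or DLL_UTF16 in item.lower()
                    for item in items)
    if via_control_panel and names_dll:
        return True, "Control Panel item list resolves to a DLL"
    if names_dll:
        return True, "target item list names a DLL"
    return False, "target looks ordinary"


def build_lnk(items: List[bytes]) -> bytes:
    """Assemble a minimal .lnk from ItemID payloads (used only to construct test data)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples, not real malware: a shortcut to notepad, and one whose
# item list goes through the Control Panel folder to a DLL path.
BENIGN_LNK = build_lnk([b"\x2f" + b"C:\\\x00",
                        b"\x32" + "notepad.exe".encode("utf-16-le")])
CRAFTED_LNK = build_lnk([b"\x1f" + CONTROL_PANEL_CLSID,
                         b"\x32" + "\\evil.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("crafted", CRAFTED_LNK)):
        print(name, suspicious_lnk(blob))
```

Run it over the contents of a mounted removable drive (`glob("*.lnk")` and `open(path, "rb").read()`), and pair any hit with the files sitting next to it on the same volume: the exploit shortcuts carried their DLL alongside, and a .lnk that names a DLL which is also present on the stick is far more interesting than one pointing at a system path.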

However, Flame is much more complex than either Stuxnet or Duqu: it is built from attack modules that can be swapped in and out as required for a particular job; it uses several open-source libraries, including zlib for compression; it is spread across many files rather than shipped as one executable; and, most unusually, it stores its collected data in an embedded SQLite database.

It also executes a small set of scripts written in Lua, a programming language favoured by computer game makers such as Rovio for Angry Birds. These scripts orchestrate the compiled attack modules.

Several Flame files claim to be Microsoft Windows components, but none were found to be signed with a valid (or even a stolen) private key, unlike the signed files used by Duqu and Stuxnet. (That assessment was overtaken within days of publication: Microsoft subsequently reported that a Flame component carried a code-signing certificate chaining to a Microsoft root, obtained by abusing the Terminal Server Licensing Service, and revoked the intermediate certificates concerned.)

Both Duqu and Stuxnet targeted industrial control systems, while Flame is far more promiscuous. Crucially, analysis suggests that while Stuxnet and Duqu use the same building blocks (a common platform most likely used by the same programming team), Flame is independent of this architecture.

"The threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex," McAfee notes, hypothesising that Flame might be a "parallel project" to Stuxnet and Duqu.

Worm rears head after attacks on oil field systems

Over recent weeks, prior to Monday's announcement about the malware, Iran reported intensified cyber-attacks on its energy sector, which it described as a direct continuation of the Stuxnet and Duqu attacks. This may be linked to a decision last month to disconnect the main oil export terminal on Kharg Island in the Persian Gulf following a computer virus infection.

"Evidently, the threat has been developed over many years, possibly by a large group or dedicated team," McAfee notes.

"We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more widely spread than Duqu, with similarly large numbers of variants."

Symantec agrees with its rival's assessments that Flame was developed by a team, concluding that the "code was not written by a single individual but by an organised well-funded group of personnel with directives". Unlike Stuxnet, Flame is not particularly targeted and has spread to civilians' systems in many countries.

"Initial telemetry indicates that the targets of this threat are located primarily in the Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear," Symantec said.

"However, initial evidence shows the victims may not all be targeted for the same reason. Many appear targeted for individual personal activities, rather than their company of employment. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers being used from home Internet connections."

David Harley, senior researcher at ESET, agreed with McAfee that Flame and Stuxnet are more different than they are similar.

"Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area," Harley said. "While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be purely speculative right now, as the code seems very different."

Other than saying it's likely the work of state-sponsored black hat coders, possibly in the employ of an intelligence agency, nobody is speculating who is behind Flame. A lot of the same caveats apply to Stuxnet, but circumstantial evidence does point towards some sort of joint Israeli-US operation.

Even though the full capabilities of Flame, much less who created it and why, remain a bit of a mystery, security firms can at least add detection for the malware now that samples are circulating among researchers.

"Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. Its code is more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all," writes Graham Cluley, a senior security consultant at Sophos. "Fortunately, complete code analysis is not necessary to add detection." ®

Biting the hand that feeds IT © 1998–2022