Analysis
Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code.
The cyber-espionage toolkit – reckoned to have been in circulation for at least two years and possibly much longer – created a fire-storm of publicity after Iranian authorities published a stark warning about the virus on Monday.
On the same day, antivirus experts at Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who had been independently working on analysing the same malware, published their own preliminary analyses.
The Kaspersky experts had been called in by the International Telecommunication Union, which wanted to crack the riddle of a mystery Trojan outbreak that was wiping data off compromised machines in the Middle East.
Flame, which comes with a complex variety of libraries and swappable modules, weighs in at a monster (arguably bloated) 20MB. That's about 40 times larger than Stuxnet, a heavyweight itself by malware standards.
But size is far less important than how many systems it has infected and what damage it causes.
Who's on the hit-list?
Estimates from Kaspersky suggest Flame has only infected 1,000 Windows-powered computers, almost exclusively across the Middle East in countries including Iran, Israel and Syria, though it has been found as far down as Sudan in north Africa.
Compromised targets include governmental organisations, educational institutions and home users. Circumstantial evidence suggests that the data-stealing malware infected systems at Iran's main oil export terminal on Kharg Island in the Persian Gulf last month, prompting a decision to disconnect systems there. Flame may also have infected the computers of high-ranking officials, causing a "massive" data loss, unconfirmed reports suggest.
Iranian authorities, who claim to have developed an antidote to Flame, are pointing the finger of blame towards Israel, suggesting the encryption scheme used by the worm is characteristic of those built by Israeli malware writers. The encryption link is tenuous at best.
Nonetheless the Iranian angle adds intrigue, especially in light of the Kharg Island infection. Yet a sober look at the malware suggests its spread is modest and its actions on compromised systems are standard fare for modern viruses, contrary to reports earlier this week.
Game changer? Maybe not
Rather than redefining cyberwar and cyberespionage, as Kaspersky researchers initially claimed amid Iranian warnings that the malware was "a close relation to the Stuxnet and Duqu targeted attacks", Flame is bloated and overhyped, according to rival security vendors.
Flame is a precise attack toolkit rather than a general-purpose cyber-weapon, the argument goes. It hasn't spread very far and might well be restricted to systems administrators of Middle East governments.
"While it really doesn't do anything we haven't seen before in other malware attacks — what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system," Patrik Runald of Websense explains.
"Also, Flame has been operating under the radar for at least two years, which counter-intuitively may partially be attributed to its large size."
My dad's botnet is bigger than yours
Compared with the 1,000-or-so systems hit by Flame, the Flashback Trojan infected 600,000 Mac OS X computers earlier this year and created the first botnet on Apple machines in the process.
The DNSChanger Trojan, linked to click-fraud and scareware scams, compromised four million Windows machines prior to a takedown operation in March.
The infamous Conficker worm hit upwards of 9 million systems, forcing the disconnection of systems at Greater Manchester Police for three days while also causing disruption at a hospital and the local council, and even managed to infiltrate the Houses of Parliament.
A run of Windows worms – Sasser, Nimda and Code Red – caused network congestion and comparable disruption when they appeared in separate incidents between 1999 and 2004. Viruses that spread by email attachments – such as the Love Bug, SoBig and Anna Kournikova nasties – brought mail servers and inboxes to their knees.
Banking Trojans created using the ZeuS or SpyEye toolkits have resulted in massive losses to banks and small businesses while infecting hundreds of thousands of systems.
Flame, on the other hand, has only infected hundreds of PCs. The malware is clearly designed for information-gathering and espionage but, again contrary to early reports, it isn't doing anything much out of the ordinary from a technical perspective.
The malware infects computers running Microsoft's operating system, and stealthily installs itself before stealing information, logging keystrokes, sniffing network traffic and capturing screenshots. It can also surreptitiously turn on microphones to record audio conversations, and then uploads all of this data to remote command-and-control servers.
Flame is built with many interlinked modules and is capable of handling a complex mix of remote instructions. Dozens of pieces of malware or malware frameworks infecting millions of PCs bundle similar capabilities.
Slurps info from Bluetooth kit
When Bluetooth hardware is available, Flame collects information about discoverable devices near the infected machine.
Only the Bluetooth activity in this list is in any way remarkable, says PandaLabs.
Another curious and somewhat innovative feature of the malware is its ability to turn its worm-like spreading functionality on and off.
"Even though it is a worm, its spreading mechanisms are disabled. It looks like whoever is behind it can activate that feature when needed," explains Luis Corrons, technical director of PandaLabs.
The malware also bundles clean-up routines designed to purge it from systems that have been compromised.
"There seems to be a module named 'browse32' that's designed to search for all evidence of compromise (eg, malware components, screenshots, stolen data, breadcrumbs, etc) and carefully remove them," Gunter Ollmann, VP of Research at Damballa explains.
"While many malware families employ a clean-up capability to hide the initial infection, few include the capability of removing all evidence on the host (beyond trashing the entire computer). This, to my mind, is more reflective of a tool set designed for human interactive control — ie, for targeted attacks."