Flame Malware Origins Remain Murky, but Its Sophistication Is Clear

By Wayne Rash  |  Posted 2012-05-30

NEWS ANALYSIS: The Flame malware that has been discovered infecting computer systems mainly in the Middle East is raising more questions than answers about its origins. Researchers don’t really know if it's new, if it's actually state-sponsored or where it really came from.

The blogosphere and the nontech media are all abuzz about Flame, the newly exposed malware that is apparently wreaking havoc with Iranian computers. It's also creating problems elsewhere in the Middle East, but apparently hasn't spread significantly beyond there.

But is Flame really a new threat, or is it simply a newly discovered threat? Or maybe it's been around for a while and only seems new to people who haven't been paying attention.

What is known about Flame (or Flamer or Skywiper) is that it's come to the attention of the International Telecommunication Union's cyber-security people. The ITU's people put out a report saying it's a dangerous piece of malware. What's also known is that Flame apparently doesn't really do any damage to the systems it infects, but rather collects information and sends it to a series of servers around the world, and that those servers send it along to somewhere else.

We also know one other thing: cyber-security experts don't agree on whether it's a threat, whether it is still operating or whether the whole thing is overblown. Kaspersky Lab, which has close ties to the ITU, is calling Flame the most sophisticated cyber-weapon yet released.

Kaspersky Lab has described Flame as a backdoor Trojan with worm-like features that allow it to propagate on local networks and removable media. It is reportedly capable of taking screenshots, recording audio conversations and intercepting network traffic. On the other hand, security expert Jeffrey Carr thinks the whole thing is overblown. Carr is CEO of cyber-security firm Taia Global.

Carr, in fact, suggests that the most likely source for malware such as Flame is a group of mercenary hacker crews who make a business of stealing anything they can and reselling it to the highest bidder. But is Carr right? Is Kaspersky right? We really don't know if anyone is right, but I suspect they're all wrong, at least at some level.

One thing we do know is that Flame is sophisticated. It can morph into many forms, rendering many signature-based antivirus packages less effective than they might be. We also know that Flame is extremely complex: it's apparently written in C++, has a number of modules, propagates through a variety of media and can perform a variety of functions. In other words, it's the perfect spyware.

There are also suggestions that Flame has actually been around for more than five years, which, if true, means that it's been operating without many people knowing it even exists, a very long time in malware terms. It's also not very widespread. The country with the most infections reported is Iran, and even there, the number of infections noted in Carr's article is fewer than 200. That's not exactly a global nightmare, at least not yet.

Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.
