Flame Malware Fascinates Antivirus Researchers, Conspiracy Theorists - Security - News & Reviews - eWeek.com | eWeek

The Murky Origins of Flame

The Murky Origins of Flame
Verfasst von
Brian Prince
Brian Prince
Jun 4, 2012
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren


The Murky Origins of Flame

1

Flame, also known by the names Flamer and Skywiper, was at first widely believed to have initially appeared in 2010. However, evidence has mounted that the malware was in existence before then. Kaspersky Lab for example has found that some domains used by Flame for command and control (C&C) were registered as early as 2008. In addition, researchers with the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics have said the main component of the malware had been observed in the wild in 2007.


The Flame Spreads

2

Flame propagates in a number of ways. For example, it spreads across networks using stolen credentials as well as the Microsoft Windows Print Spooler Service remote-code-execution vulnerability also exploited by Stuxnet. It can also spread via removable media using a specially crafted autorun.inf file, as well as the Windows shortcut LNK/PIF file execution vulnerability (CVE-2010-2568), which are both also used by Stuxnet.


What is Flame and What Does it Do?

3

Flame’s main purpose is to conduct cyber-espionage. Kaspersky Lab describes the malware as a backdoor Trojan with worm-like features and modules that enable a variety of capabilities, ranging from the ability to record audio to the ability to take screenshots and capture keyboard activity and network traffic. Once on an infected system, Flame can spread to other systems over a local network or via USB stick.


Advertisement

Flame vs. Stuxnet and Duqu

4

There has been much speculation about whether or not the Flame malware is related to Stuxnet and Duqu, particularly due to the high percentage of Flame infections in Iran. Flame does use some of the same vulnerabilities exploited by Stuxnet, namely MS10-046 and MS10-061, which have both been patched by Microsoft. However, there are also notably differences. For example, Kaspersky Lab reports that while all the Duqu C&C proxies were CentOS Linux hosts, all of the known Flame C&Cs are running Ubuntu. Furthermore, Stuxnet was created with specific programming meant to sabotage centrifuges, whereas Flame seems to have been meant for gathering information.


The Microsoft Certificate Connection

5

Microsoft recently revealed that components of the Flame malware were signed with a certificate that linked to the Microsoft Enforced Licensing Intermediate PCA certificate authority and, ultimately, to the Microsoft Root Authority. According to Microsoft, this code-signing certificate came by way of the Terminal Server Licensing Service the company operates to issue certificates to customers for ancillary PKI-based functions in their enterprise. Because such a certificate could allow attackers to sign code that validates it as having been produced by Microsoft, the company issued an update to address the situation.


Advertisement

The Use of the Lua Programming Language

6

Lua is a lightweight multi-paradigm programming language common in video games. Lua is also used in NMAP (Network Mapper), a well-known network mapping and testing tool. While some say the use of Lua is one of the things that makes the virus interesting and sophisticated, others say its presence indicates the malware may be the work of amateurs and not a nation-state. The top-level Lua scripts are broken up into several categories, including: ATTACKOP (for attacking another machine and moving onto it), CRUISE (credential stealer) and CASafety (checks for antivirus software).


BeetleJuice Is Not Just a Movie

7

The Bluetooth spying functionality in Flamer is encoded in a module called “BeetleJuice” that scans for all Bluetooth devices in range and then records the details of the device, such as its identity and specifications. Then the malware configures itself as a Bluetooth beacon. These capabilities could potentially be leveraged by the attackers in an effort to eavesdrop on Bluetooth devices or perform other acts. For example, according to Symantec, with the Bluetooth beacon turned on and the details of a particular compromised device available in the description field, it is “straightforward” for the attacker to identify the physical location of a W32.Flamer compromised computer or device.


Spy Game

8

A recent report in “The New York Times” laid responsibility for Stuxnet at the door of the United States, claiming that President Barack Obama specifically ordered cyber-attacks against Iran. Given that the majority of the infections of Flame occurred in the Middle East and some of the same vulnerabilities exploited by Stuxnet are used by Flame, there has been speculation that the United States may have been behind Flame as well. No conclusive evidence of this has been made public.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.