
Beyond Stuxnet: massively complex Flame malware ups ante for cyberwar

Flame is something new in cyberwar, experts say. It can take screenshots and record audio on infected computers. The malware was almost certainly made by a nation-state.

(Page 2 of 2)



Another cybersecurity company, Symantec, reported Flame popping up in Austria, Russia, Hong Kong, and the United Arab Emirates, too. Its researchers wrote that the "modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the project over a long period of time; very likely along with a different set of individuals using the malware."


In tech-speak, Flame acts like a "worm," meaning it spreads by itself without the need for human intervention. It opens clandestine channels for moving stolen data out of the network back to its handlers and for receiving updates and new spy modules that will help keep it effective for years.

Symantec reported that Flame's software allows its authors to "change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers." 

Flame was discovered by experts at Kaspersky Labs only when they were called in by the International Telecommunication Union (ITU) to look into another, still-unknown destructive malware program that had deleted data on computers in Western Asia. Kaspersky then discovered previously unrecognized Flame files, which had been sitting in Kaspersky's own databases for years.

Kaspersky says there's little doubt a nation-state built Flame. Not only is it enormously complex, but its focus is on espionage instead of the quick payoff typical of operations by cybercriminals.

One of the ITU partners in the investigation agrees with that assessment. CrySyS Lab, based at Budapest University of Technology and Economics in Hungary, released its own analysis of Flame, which it calls "sKyWIper." 

"The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," CrySyS concludes. It is "certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found."

Flame may, in fact, be related to Stuxnet and another famous malware program known as Duqu, which experts say were probably developed by the same government team, although they say that's only a guess based on a couple of superficial technical similarities between Flame and the others.

“We would position Flame as a project running parallel to Stuxnet and DuQu,” Kaspersky Labs said in its blog post Monday, suggesting that Flame would be a fallback in case Duqu was ever found.

For now, researchers acknowledge that much of Flame remains a mystery – as do parts of Stuxnet. Buried inside Stuxnet, for example, the file name Myrtus continues to provoke speculation.

Likewise, buried deep in Flame's code are file names that include: Boost, flame, flask, Jimmy, munch, snack, spotter, transport, euphoria, headache. Add to that list an entire barnyard of other cryptic file names buried even deeper: Gator, goat, frog, microbe, weasel, and Beetlejuice.

"We cannot conclude at this early stage that this thing [Flame] is designed strictly for espionage," says John Bumgarner, research director for the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry. "There's a likelihood it has other components to it that might have been designed to conduct sabotage. We just don't know yet what it can do."
