Roundup of Flame so far

I hadn’t commented on it before, but last month the Flame malware was discovered by researchers from Kaspersky.  Here’s what we know so far:

  1. Reuters originally reported that it was designed as a cyber weapon to be used against Iran.  However, it wasn’t just computer systems in Iran that were infected with Flame, but several countries throughout the middle east showed a disproportionate number of infections.

    From Reuters:

    Kaspersky researchers said they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.

    Kaspersky's research shows the largest number of infected machines are in Iran, followed by Israel and the Palestinian territories, then Sudan and Syria.

  2. Flame is a big piece of malware, much larger than Stuxnet.  It does a lot more stuff (again quoting Reuters):

    The virus contains about 20 times as much code as Stuxnet, which caused centrifuges to fail at the Iranian enrichment facility it attacked. It has about 100 times as much code as a typical virus designed to steal financial information, said Kaspersky Lab senior researcher Roel Schouwenberg.

  3. Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats. Kaspersky Lab said Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and that both viruses employ a similar way of spreading.

    That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, Schouwenberg said. He said that a nation state would have the capability to build such a sophisticated tool, but declined to comment on which countries might do so.

  4. The code in Flame went undetected for years by most A/V software.  The files looked innocuous because they were signed with certificates issued by Microsoft.  From ComputerWorld:

    "Flame is using valid but fake Microsoft certificates to sign the code through a bug in their CA system via Terminal Services," Storms summarized. "So when the code was checked for validity, it properly linked back to the root and was accepted as okay."

  5. The end result: Parts of Flame appeared innocuous because for all intents and purposes, they were signed by Microsoft itself.

    Microsoft addressed the flaw by revoking three certificates, and issuing an update to all versions of Windows that added those certificates to the revocation list.

    The reason Flame wasn’t detected was because it spoofed legitimate files.  Microsoft revoked the certificates and explained in a blog post that this occurred because the malware authors used a hash collision technique; I can’t explain it well (although I know what hash collisions are) but basically an older algorithm was exploited and the writers of Flame spent a good deal of time looking for this in order to use it.

  6. While Flame was only recently discovered, other companies reported that parts of it had been in the wild for years.  I haven’t figured out yet whether or not it was benign code or malicious even back then.

  7. The LA Times reported that shortly after Flame started popping up in the news, the controllers of it issued a command that attempts to erase it from infected systems:

    After news raced across the world last week of the powerful and intrusive Flame virus, the unknown attackers behind the cyber threat have tried to wipe it from infected computers.

  8. Purging the virus is believed to be a bid to prevent victims from finding out their data was stolen. The massive and complex virus is in the hands of computer experts who are analyzing the code, trying to figure out how to protect computers from the malware.

    “They’re trying to cover their tracks in any way they can,” said Vikram Thakur, principal security response manager at Symantec, a computer security company. “What’s very interesting is that they were willing to take the risk of connecting to the servers, which could be watched.”

    “They threw caution to the wind,” Thakur said.

  9. This past Monday Kaspersky updated its finding saying that Flame and Stuxnet share code. If true, that means that the authors of Stuxnet are the same. From Digital Trends:

    When word of the sophisticated Flame cyberweapon first came out a couple weeks ago, Russian security firm Kaspersky indicated that despite some superficial similarities, there was no indication Flame had much of anything in common with Stuxnet, a software weapon that specifically targeted Iran’s uranium-enrichment efforts and then escaped into the wild. Now, Kaspersky says it was wrong: The firm claims to have uncovered shared code that indicate the creators of Flame and Stuxnet at least worked together — and may even be the same people.

    The evidence? Back when Stuxnet was roaming free, Kaspersky’s automated systems picked up on something that looked like a Stuxnet variant. When Kaspersky’s staff initially looked at it, they couldn’t really understand why their systems thought it was Stuxnet, assumed it was an error, and reclassified it under the name “Tocy.a.” When Flame, appeared, however, Kaspersky went back to look for things that might link Flame to Stuxnet — and, lo and behold, there the Tocy.a variant that didn’t make any sense. In light of Flame, Kaspsersky says Tocy.a actually makes more sense: it’s an early version of a plug-in module for Flame that implements what (at the time) was a zero-day privilege escalation exploit in Windows. Tocy.a wandered into Kaspersky’s systems all the way back in October 2010, and contains code that can be traced to 2009.

    If Kaspersky’s analysis is correct, it would indicate the “Flame platform” was already up and running by the time the original Stuxnet was created and set loose back in early-to-mid 2009. The approximate dating is possible because the proto-Flame code only appears in the first version of the Stuxnet worm: It vanished from two subsequent versions of Stuxnet that appeared in 2010.

    If true, there are three possibilities:

    a) Flame was written first and the authors of Stuxnet (perhaps two different teams but working the same department) borrowed pieces from it.  This is the most likely possibility.

    b) Stuxnet was written first and deployed later, but Flame borrowed pieces from it and deployed it first.

    c) The original modules were written by a different team altogether, and the writers of Flame and Stuxnet each borrowed from a common repository.

First Stuxnet is discovered, then Flame. But it looks like Flame was first.  If so, then why did it take so long to get detected?

One thing is clear – whoever is behind these efforts will go to more effort next time to ensure that their next generation is not so easily discovered.

Skip to main content