Sophisticated Flame virus takes malware to a new level, now what?

Flame-map

Last week, the online security world was set back on its heels when leading cybersecurity firms revealed the existence of Flame, new malware with a level of sophistication substantially beyond other worms, trojans, and viruses. While most malware relies on a small set of exploits and tries to target users’ personal information or set up an infected machine as a spam-sending zombie, Flame is like an entire malware suite. It’s composed of an unknown number of plug-in modules that its operators can choose to deploy for everything from scanning a user’s machine and monitoring their network activity to taking screenshots, recording audio, logging keystrokes, and even reaching out to nearby mobile devices using Bluetooth. Like Stuxnet and Duqu before it, Flame seems to be a legitimate cyberweapon — and, once again, the target seems to be Iran.

Security experts will be working a long time to fully analyze Flame, but new details are emerging that reveal just how sophisticated Flame is. Where could Flame have come from and — perhaps more importantly — will the technologies and threats included in Flame migrate to mainstream malware?

Sparking a Flame

The Flame malware is currently known by a few different names: “Flame” seems to be the most common, but some researchers also refer to “Viper” and “SkyWiper.” Iran’s computer security agency calls it “Flamer.”

According to security firms like Kaspersky Labs, the CrySyS Lab at Budapest University of Technology and Economics, and McAfee, there are multiple versions of Flame circulating in the wild. In a simple form, Flame appears as a 900K file, and can propagate via local network shares, shared printer spools, and peripheral devices like USB drives. Once the basic version finds a home in a Windows system, it tries to reach out to a pool of as many as 80 command-and-control servers to download a set of additional modules that extend its functionality. Other versions of Flame are bigger — as much as 6MB — and already include several code modules.

Flame does not try to spread at every opportunity; rather, when Flame infects a new machine, it reports back to its operators, who apparently then make a decision about what Flame should do next. Right now it’s not clear how Flame initially gets a foothold in an organization or network. Speculation suggests it may use “spear-phishing” email messages that trick people into following a link, then exploit browser or mail flaws to install software. But infection could happen other ways, too. Microsoft has released a security advisory about Flame using forged security certificates for Terminal Server, along with a software update to block the exploit. It’s possible Flame is using other, previously unknown exploits as well.

SkyWiper Cloud McAfee

According to McAfee, Flame’s main module alone decompiles to over 650,000 lines of C code, and they expect that to get longer as they continue to decompile examples. These lines represent computer-generated source code reverse-engineered from the executable, not the source code use by Flame’s developers — but it serves as a human-readable starting point for analysis.

As Flame collects data, it is diligent about trying to send it upstream to the malware’s operators. This data can include information scanned from local devices (like files, passwords, and contacts), as well as screenshots, audio, and even information about nearby phones. To phone home, Flame launches compromised versions of Internet Explorer: that way, the connections take place in the machine’s “trusted” zone and are more likely to get past local firewalls and network monitoring.

Databases and modules

A good deal of Flame’s capability stems from its use of local databases and plug-in modules that can extend the malware’s capabilities. Modular construction isn’t quite new — Stuxnet, Duqu, and “TildeD” malware family were also modular — but Flame combines that with highly structured databases stored and accessed via the built-in SQLite database. Another unique feature of Flame is that it uses the Lua scripting language to manage access to the databases, and possibly for other functions as well. Although Lua isn’t exactly uncommon (it’s used to handle plug-ins and other functions for everything from Adobe Lightroom to the audio workstation reason to the protein-folding game Foldit)  it’s certainly a very unusual choice for malware.

Flame also goes to great lengths to obscure itself. Those databases and all other data are encrypted using several different algorithms (including Blowfish, MD5, and MD4), and the software goes to some lengths to hide “interesting” strings from security researchers and antivirus programs. Instead of seeing a function call that’s the computer equivalent to “snoop around this person’s contact list,” researchers initially see what appear to be random characters. It makes Flame that much harder to figure out.

Flame’s modular architecture means that its operators can constantly alter and enhance its functionality — and download new exploits to infected machines whenever they like. So far researchers have identified nearly two dozen Flame modules. The modules haven’t all been figured out, and researchers aren’t assuming they’ve seen the whole range of modules yet. Among Flame’s most interesting modules so far:

Beetlejuice
Taps into a computer’s Bluetooth module and tries to connect to devices near the infected machine. Flame currently seems to target Sony and Nokia devices, but (obviously) the operators can update that functionality at any time. Beetlejuice can also turn the infected machine into a discoverable device, so nearby Bluetooth items check in with it.
Microbe
Records audio. The module tries to list all existing hardware audio sources and select a recording device. An audio recording feature seems like it would be about surveillance of an individual or a particular location, effectively turning any computer with a microphone into a bug planted in a particular area.
Weasel
Reads local disks. Flame can parse through a variety of file formats, including ZIP archives, PDFs, and Microsoft Office documents. Flame also pokes through normally-hidden areas of the operating system looking for notes and other bits of information, and is particularly interested in what users keep on their desktops — since those, presumably, get used often.
Viper
Seems to be one of a few modules that can take screenshots: they seem to be stored in custom file compressed and encrypted formats for later uploading to Flame’s operators.
Suicide
Self-termination routine: when commanded by its operators, Flame can apparently delete itself.

Flame also appears to have one or more modules that look out for antivirus programs, firewalls, and other security software.

How Flame spreads

flame infection vectors kaspersky

Flame uses a number of propagation mechanisms — some of which appear to be taken directly from Stuxnet, Duqu and their ilk: It can create autorun files that try to run the malware as soon as they appear on a computer, and will also create a “junction point” directory with a desktop.ini and LNK files that launch Flame as soon as Windows opens the directory. Both techniques are used by Stuxnet, which initially used the autorun trick, then changed to the LNK technique. Flame may also use other, still-unknown exploits to install itself. Researchers are still looking into it.

One of Flame’s modules also handles propagation. Called Munch, the module runs an internal Web server Flame uses to distribute itself. It responds to seemingly innocuous requests for “view.php” and “wpad.dat” — neither of which would raise an eyebrow of a network administrator. (Munch may also scan local network traffic.) So, only one copy of Flame in a particular network or domain needs to phone home to get new instructions or modules. Other copies can pick up the new material locally without accessing the Internet.

Unlike most malware, Flame does not try to spread itself to as many machines as possible. Instead, what’s notable about Flame is how much trouble it takes to avoid detection. Flame avoids traditional (and quickly patched) exploits like rootkits, takes great care to tuck its files away under innocuous names in difficult-to-scan formats, and avoids using suspicious components that would trigger security software. Unlike Stuxnet — which was essentially discovered when it ran amok and spread too quickly — Flame seems to be about targeting a relatively small number of machines and surveilling them extensively.

The result is that no one really knows how long Flame has been around. Some dates gleaned from Flame’s files seem to point all the way back to 2007 — although those could be fabrications — and a few components Flame refers to have been spotted in the wild as far back as December 2007.

Who made Flame?

espionage spy shutterstock squid media

If one thing is clear, it’s that Flame is not run-of-the-mill malware that could have been developed by a handful of coders in a basement fueled by Red Bull and chatroom boasting. The design and operation of Flame is undoubtedly a well-funded, sustained operation. Some security researchers have speculated Flame represents a multi-million-dollar effort that’s probably the result of at least a few years’ work. In the security world, that almost certainly means it has been created by a nation-state. Although many corporations have the money to pull off an effort like this, they’re far less likely to do so, and even less likely to be able to stay quiet about it.

Flame appears to have been coded in English, but that means almost nothing: a lot of malware coming out of China is also in English. Currently, speculation is focusing on the United States or Israel as potential creators of Flame, particularly since the appearance of Flame coincides with instances of massive data loss in Iran’s oil industry. Speculation has been further fueled by the New York Times reporting the U.S. and Israel jointly developed Stuxnet to cripple Iran’s uranium enrichment efforts.

Implications for mainstream malware

Flame-Virus-feature-square

To date, most malware targeting everyday computer users has relied on achieving a large number of infections as quickly as possible — after all, antivirus vendors catch on fast. Those infections usually try to capture personal info — passwords, credit card numbers, etc. — that can be exploited by (or sold to) cybercriminals. Alternatively, malware might set up infected machines to act as zombies in spamming or malware distribution operations. Sometimes, malware does both.

These operations are typically run by criminal enterprises, but they’re opportunistic. The scammers realize their malware will be quickly wiped off the vast majority of computers they infect, so they try to infect as many as possible, hope for the best, then scamper away and move on to the next thing. Criminal organizations that rely on fraud and identity theft are unlikely to invest resources in developing something as labor-intensive and sophisticated as Flame — particularly since it could take so long to pay off.

However, other types of cybercriminals are undoubtedly paying attention. The apparent success of Flame raises the profile of highly-targeted malware. A low-profile, potentially individualized approach — dubbed an Advanced Persistent Threat in computing circles — turns the traditional malware economy on its head: Instead of trying to generate a small amount of money from as many people as possible, targeted malware would seek large payouts from a handful. It also avoids detection. If malware spreads only when operators tell it to spread, antivirus vendors are unlikely to catch wind of it — or recognize it if they do.

Criminals who aren’t averse to blackmail and extortion will note that Flame seems to have been assembled in part from many off-the-shelf components — including a highly portable scripting language, a public domain database, and widely available encryption techniques. All that helps Flame seem innocuous and just another common part of the ecosystem. Malware inspired by Flame wouldn’t have to be so complicated — especially right out of the gate. Further, as technology advances and tools become more sophisticated, the amount of effort needed to create malware with Flame-like capabilities gets lower all the time.

So will Flame or something like it be testing your virtual locks in the near future? Probably not. But businesses, enterprises, schools, and other organizations should already be taking note: not only are they potential victims in the broad malware universe, but it’s getting easier and easier for malware to come after them specifically. Malware is easy to ignore when it only hits oil production in a country halfway around the world, but when it successfully targets your bank, your employer, or your city’s infrastructure, it may feel like a much bigger problem.

Images: McAfee, Kaspersky, Shutterstock/Squid Media Shutterstock/Ilja Mašík

Computing

Decades-old Apple IIe computer found in dad’s attic, and it still works

A New York law professor went viral last weekend after he discovered an old Apple IIe computer sitting in his dad's attic. In a series of tweets, he showed that the vintage machine still works perfectly fine after 30 years.
Computing

Lost your router? Here's how to find its IP address to help track it down

Changing the login information for your router isn't always easy, that's why so many have that little card on the back. But in order to use it, you need to know where to go. Here's how to find the IP address of your router.
Computing

Why limit yourself to one OS? Try one of these great virtual machine apps

Buying a new computer just because you want to utilize another operating system isn't necessary. Just use the best virtual machine applications to emulate one OS inside another, no matter what your platform or budget is.
Computing

Windows updates shouldn't cause problems, but if they do, here's how to fix them

Windows update not working? It's a more common problem than you might think. Fortunately, there are a few steps you can take to troubleshoot it and in this guide we'll break them down for you step by step.
Computing

Having enough RAM is important, but stick to these guidelines to save some money

Although not quite as exciting as processors and graphics cards, RAM is one of the most important parts of your PC. Not having enough can hurt performance. So, how much RAM do you need?
Computing

Don't take your provider's word for it. Here's how to test your internet speed

If you're worried that you aren't getting the most from your internet package, speed tests are a great way to find out what your real connection is capable of. Here are the best internet speed tests available today.
Computing

Logitech’s G MX518 gaming mouse pairs classic looks with all-new tech

Logitech is relaunching one of its most popular classic gaming mice, the MX518. Now called the G MX518, it sports upgraded internals that give it a 16,000 DPI optical sensor and new and improved memory.
Computing

Microsoft could be planning a laptop with foldable screen, hints patent filing

Filed in late 2017 and titled "Bendable device with Display in Movable Connection With Body," the patent filing explains a new mechanism for laptops which can eliminate a hinge and allow the screen to fold shut from the inside,
Deals

From Chromebooks to MacBooks, here are the best laptop deals for February 2019

Whether you need a new laptop for school or work or you're just doing some post-holiday shopping, we've got you covered: These are the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.
Computing

Is AMD's Navi back on track for 2019? Here's everything you need to know

AMD's Navi graphics cards could be available as soon as July 2019 — as long as it's not delayed by stock problems. Billed as a successor to Polaris, Navi promises to deliver better performance to consoles, like Sony's PlayStation 5.
Deals

Here are the best Chromebook deals available in February 2019

Whether you want a compact laptop to enjoy some entertainment on the go, or you need a no-nonsense machine for school or work, we've smoked out the best cheap Chromebook deals -- from full-sized laptops to 2-in-1 convertibles -- that won't…
Computing

RTX might be expensive, but the 16 series could have the best Nvidia Turing GPUs

Set to debut at a step below the RTX 2060 on the price and performance spectrums, the GTX 1660 Ti and its other 16-series brethren could be Nvidia's killer mid-range cards of 2019 — especially with Tensor Core-powered DLSS.
Computing

Ryzen 3000 chips will be powerful, and they might be launched as early as July

AMD's upcoming Ryzen 3000 generation of CPUs could be the most powerful processors we've ever seen, with higher core counts, greater clock speeds, and competitive pricing. Here's what we know so far, based on both leaks and the recent…
Computing

With no plans for merging operating systems, Apple opts to combine apps instead

Apple is working on combining all of the the apps it offers to iPhone, iPad, and Mac users by 2021. App developers will soon be able to build and submit one version of their apps to be used by Apple product users.