Flame FAQ: 11 Facts About Complex Malware

Published: 22/11/2024   Category: security




Flame's size dwarfs that of existing spyware, keyloggers, and other malware. Drill down for a closer look at the crucial technology and military issues.



The Flame--a.k.a. Flamer, Skywiper (sKyWIper)--malware discovered earlier this month is earning accolades from security researchers for being the largest, most complex piece of attack code ever spotted in the wild.
But what's also remarkable about the Flame malware is that although it's been infecting PCs since at least 2010, and possibly since 2007, it appears to have been used in only a scant number of highly targeted attacks.
What are the implications of that revelation, and what do we currently know about the malware? Here are 11 related facts:
1) Flame's size highlights a powerful malware arsenal.
For starters, Flame wins awards based on its sheer size. "The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB," reads a blog post from Websense. "One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a Lua virtual machine." (Lua is the scripting language in which many parts of the malware were written; embedding an interpreter lets the operators change the malware's behaviour by shipping scripts rather than new binaries.)
[ How many unseen attacks are nation-sponsored? Read more at Flame's Big Question: What Else Is Lurking? ]
2) Flame is focused on the Middle East.
According to Symantec, most Flame infections were seen in the Palestinian West Bank, Hungary, Iran, and Lebanon. Interestingly, however, infections have also been reported in Austria, Russia, Hong Kong, and the United Arab Emirates. Security experts said that the infection pattern, along with the malware's stealth, suggests that it was developed by one or more Western intelligence agencies.
3) Don't expect immediate answers to questions about Flame.
Unraveling Flame's inner workings and purpose will take weeks, or more likely, months. "Flamer is the largest piece of malware that we've ever analyzed," said Vikram Thakur, principal research manager at Symantec Security Response. "It could take weeks, if not months, to actually go through the whole thing." This is not least because the malware uses an unprecedented amount of encryption to help disguise its activities, so analysts must first decrypt much of what they want to read before the real reverse engineering can begin.
4) Flame studies installed security products, smartphones, and remote access.
Flame's 20-odd modules offer some powerful attack capabilities. "One of Flame's components, soapr32.ocx, is a DLL that is designed to collect information about the system and about the software installed on the victim's computer," reads an analysis of a single Flame module published Wednesday by BAE Systems.
"The malicious DLL queries a number of the registry entries," it continued. For example, the malware looks to see if various types of security software--Tiny Personal Firewall, Kaspersky Antivirus, as well as various McAfee, Symantec, and ZoneAlarm products--are installed. It also looks for clues about the type of mobile phone the PC owner uses. Finally, it actively looks for any stored usernames and passwords related to a number of well-known FTP, SSH, and Virtual Network Computing clients, as well as remote-control software. "Revealing credentials for the aforementioned software exposes extra risks such as ability to connect to the compromised system remotely (via VNC) or compromise/infect/deface web servers managed via one of the enlisted FTP client solutions," said BAE. The defensive lesson is an old one: a client that saves passwords in the registry or in a plaintext configuration file hands them to any code that runs as that user.
5) Flame records extensive system information.
According to BAE, the single Flame component it studied can enumerate almost any service, file, or application installed on the PC. It can also retrieve website cookies, record all services running on the PC, gather a list of all files and directories under Program Files, retrieve the installed version numbers for Outlook Express, Outlook, Microsoft Word, and Internet Explorer, see which USB devices are installed, map the network neighborhood, and retrieve from the Internet cache a list of all URLs visited. "In addition, the malware retrieves SMTP/POP3 server information and also account information/credentials for all Microsoft Outlook profiles," said BAE. All that information would give would-be attackers further avenues for attacking the PC or the information it stores.
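Read together, points 4 and 5 describe a behavioural signature rather than a file hash: one process enumerates security-product registry keys, then reads the saved-session and password locations of remote-access clients, then Outlook profiles, all within a short time. Below is an added example of hunting for that pattern in registry-access telemetry (Sysmon or EDR registry events exported to a simple delimited form); it is not Flame code and not BAE's analysis. The event format and sample lines are constructed, and the registry paths are assumptions: they are the locations PuTTY, WinSCP, RealVNC, TightVNC and Outlook have historically used, but verify them against the versions actually deployed before relying on the rule.

```python
"""Hunt for Flame-style host reconnaissance in registry-access telemetry
(added example; not Flame code or BAE's analysis). The event format, the
sample lines and the registry paths below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-cased substrings that assign a registry path to a category.
# Credential-store paths are where PuTTY, WinSCP, RealVNC and TightVNC
# have historically kept sessions/passwords; confirm them for your builds.
CATEGORIES = {
    "security_product": ("kaspersky", "mcafee", "symantec", "zonealarm",
                         "tiny personal firewall"),
    "remote_access_creds": (r"simontatham\putty\sessions",
                            r"winscp 2\sessions",
                            r"realvnc\winvnc4",
                            r"tightvnc\server"),
    "mail_profile": (r"windows messaging subsystem\profiles",),
}


def categorize(key: str) -> list:
    """Return every category whose marker appears in the registry path."""
    k = key.lower()
    return [name for name, needles in CATEGORIES.items()
            if any(n in k for n in needles)]


def parse_event(line: str) -> dict:
    """Constructed format: timestamp|pid|image|operation|registry path."""
    ts, pid, image, op, key = line.rstrip("\n").split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "pid": int(pid), "image": image, "op": op, "key": key}


def find_recon(lines, window=timedelta(minutes=5), min_keys=3) -> list:
    """Flag a process that, within `window`, touches at least `min_keys`
    interesting paths spanning two or more categories, one of which is a
    remote-access credential store. A lone AV check (installers do that)
    or a client reading its own sessions does not qualify."""
    by_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        cats = categorize(ev["key"])
        if cats:
            by_pid[ev["pid"]].append((ev["ts"], ev["image"], ev["key"], cats))

    alerts = []
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, image, _, _) in enumerate(events):
            keys, cats = set(), set()
            for ts, _, key, c in events[i:]:        # events inside the time window
                if ts - t0 > window:
                    break
                keys.add(key)
                cats.update(c)
            if ("remote_access_creds" in cats and len(cats) >= 2
                    and len(keys) >= min_keys):
                alerts.append({"pid": pid, "image": image,
                               "categories": sorted(cats), "keys": len(keys)})
                break                               # one alert per process
    return alerts


RECON = "C:\\Windows\\System32\\rundll32.exe"
SAMPLE_EVENTS = [                                   # constructed telemetry, not real logs
    # Benign: an installer checks which AV is present.
    "2012-05-30T10:00:01|404|C:\\Temp\\setup.exe|RegOpenKey|HKLM\\SOFTWARE\\KasperskyLab",
    "2012-05-30T10:00:02|404|C:\\Temp\\setup.exe|RegOpenKey|HKLM\\SOFTWARE\\McAfee",
    # Benign: PuTTY reads its own saved session.
    "2012-05-30T10:03:10|512|C:\\Program Files\\PuTTY\\putty.exe|RegQueryValue|"
    "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\prod-db\\HostName",
    # Suspicious: one process sweeps AV vendors, credential stores and mail profiles.
    f"2012-05-30T10:05:00|1337|{RECON}|RegOpenKey|HKLM\\SOFTWARE\\KasperskyLab",
    f"2012-05-30T10:05:00|1337|{RECON}|RegOpenKey|HKLM\\SOFTWARE\\Symantec",
    f"2012-05-30T10:05:01|1337|{RECON}|RegOpenKey|HKLM\\SOFTWARE\\Zone Labs\\ZoneAlarm",
    f"2012-05-30T10:05:02|1337|{RECON}|RegEnumKey|HKCU\\Software\\SimonTatham\\PuTTY\\Sessions",
    f"2012-05-30T10:05:02|1337|{RECON}|RegEnumKey|HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions",
    f"2012-05-30T10:05:03|1337|{RECON}|RegQueryValue|HKLM\\SOFTWARE\\RealVNC\\WinVNC4\\Password",
    f"2012-05-30T10:05:04|1337|{RECON}|RegEnumKey|HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
]


if __name__ == "__main__":
    for a in find_recon(SAMPLE_EVENTS):
        print(f"pid {a['pid']} ({a['image']}): {a['keys']} keys across {a['categories']}")
```

Only the rundll32 process is reported: the installer hits a single category and PuTTY reads one key it legitimately owns. The rule is deliberately about breadth across categories rather than any one path, which is what distinguishes an inventory sweep from the routine registry traffic every client produces.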
6) Flame targets the same bugs as Stuxnet and Duqu.
Is Flame related to Duqu or Stuxnet? "So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061," said Websense. Stuxnet used both to spread: the first via removable drives, the second across the network. MS10-046 (CVE-2010-2568) is a flaw in how the Windows Shell parses shortcut (.lnk) files; merely displaying a folder or USB drive containing a crafted shortcut loads an attacker-chosen DLL, with no click required. MS10-061 (CVE-2010-2729) is in the Print Spooler service, which could be made to write a print job's file to an arbitrary location on a host with a shared printer; that allows remote code execution on Windows XP and privilege elevation on other Windows versions.
Microsoft patched both vulnerabilities in 2010. But even where Flame shares exploits with Stuxnet or Duqu, multiple security experts have cautioned that malware writers tend to emulate each other, so that's no proof of any direct link between the different malware families.
7) Infections remain rare.
The Flame malware has apparently been used only in highly targeted attacks. In fact, Symantec researchers think that only 1,000--or perhaps a few thousand--PCs were ever infected by the malware.
8) Flame's scale is unique, but its capabilities are not.
Some security experts don't see what all the Flame fuss is about. "Espionage attacks aimed at specific geographies or industries are nothing new. Look at LuckyCat, IXESHE, or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of a modular information-stealing Trojan," said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. In fact, a recent variant of SpyEye was found to use local hardware such as cameras and microphones to record the victim, just like Flamer and just like the DarkComet RAT, he said. "Complexity of code is also nothing new."
9) Flame C&C servers appear to be offline.
The media attention paid to Flame may already have had repercussions for the command and control (C&C) servers used to issue commands to the malware on infected PCs. Notably, an analysis of one of Flame's DLL files--a module for the malware--conducted using the Cuckoo Sandbox malware analysis system found that all the C&Cs seem offline or sinkholed now. Sinkholing is a technique in which researchers take control of a malicious domain, or have a registrar or ISP redirect it, so that infected machines connect to a server the researchers run rather than to the attackers'. The researchers can then count and locate infections from the inbound connections, while the attackers lose the ability to issue commands through that domain.
10) Flame suggests espionage is ascendant.
While the full extent of Flame's capabilities is still being unraveled, pronouncements are already being issued over its impact on the information security landscape. According to James Todd, the European technical lead for FireEye, Flame has done for espionage what Stuxnet did for physical infrastructure.
Flame being in circulation for two years before being detected highlights how businesses must search carefully for any ongoing breaches they haven't detected. "The next big trend in IT security was always going to be cyber-espionage, given the potentially huge rewards for the taking," said Todd, via email. "This is particularly true if hackers can infiltrate information relating to policy, patents, intellectual property, and R&D plans. As such, any organization--or nation for that matter--with significant investments in R&D or IP must up the ante on preemptive security before it is too late."
"More and more, we see enterprises assuming they've been compromised," said Rob Rachwald, director of security strategy at Imperva, in a blog post.
11) Malware could rewrite military doctrine.
Given the Flame capabilities on display, especially in the wake of Stuxnet, expect to see changes in military circles. "Cyberattacks will force adversaries to minimize their electronic productivity," said Rachwald. "It took nearly a decade to find Osama Bin Laden since he went completely off grid. ... Does this mean that scientists developing weapons will resort to crayons and paper only? Probably not, but today life very likely got a lot harder for scientists working on military projects worldwide."
Hacktivist and cybercriminal threats concern IT teams most, our first Federal Government Cybersecurity Survey reveals. Here's how they're fighting back. Also in the new, all-digital Top Federal IT Threats issue of InformationWeek Government: Why federal efforts to cut IT costs don't go far enough, and how the State Department is enhancing security. (Free registration required.)
