Fighting the Flames

The most sophisticated malware, since last time.

I work closely with the Marketing and PR folks here at Trend Micro and I know that whenever we have a significant or noteworthy piece of research to break, their first question will be, “Can we say it’s the first, biggest, worst, etc.?” In almost every case, the answer is “No”; in fact I can only think of one exception in recent years.
 
I’m sure the situation is similar at the other global security vendors, but it appears that some are less stoic in their resistance to the headline lure. Eugene Kaspersky, who appeared to relish being called a “glorious global megatroll” last week, is certainly renowned for courting controversy.
 
Last weekend, the news began to break about a complex piece of malware known variously as Flame/Flamer/SkyWiper, which was immediately being touted as the most sophisticated malware ever. The ITU at the UN released what they describe as “the most serious warning we have ever put out” (although not apparently serious enough to feature on their web site). This claim was supported by statements that Flame is “20 times more complicated [than Stuxnet]. It will take us 10 years to fully understand everything”, a top-of-the-head metric that seems a little shaky to me. Symantec have even likened it to “an atomic weapon”.
 
I was called by a journalist yesterday whose first question to me was “So what makes this threat so unique?“, and honestly it was tough to find an answer with which I was comfortable. That, combined with the global hyperbole-fest meant that I woke up this morning compelled to write this post.
 
The functionalities and characteristics reported about Flame are things such as its precise geographical targeting, the modular nature of the code (different functional modules can be “plugged in” to an infected device as required), and its ability to use local hardware such as microphones, log keystrokes and record on-screen activity. The fact that it is targeted at the Middle East and that it uses a specific autorun vulnerability is apparently enough to justify making links between Flame and Stuxnet!
 
Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others seen recently. Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye; Carberp is another great example of a modular information-stealing Trojan. In fact, a recent variant of SpyEye was found to use local hardware such as cameras and microphones to record the victim, just like Flamer and just like the DarkComet RAT. Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key logging is of course nothing new, and neither is capturing network traffic or exfiltrating stolen information. Complexity of code is also nothing new: have a look at TDL4, or consider Conficker’s rapid adoption of MD6 and its domain generation tactics.
 
So what are we left with? A big (up to 20MB) chunk of code; that’s unique in malware terms certainly, but not impressive in and of itself. The malware uses Lua, which I suppose is unique in malware terms, but not something that elevates the inherent risk. Flame does have Bluetooth functionality though… Oh, and in the interest of semantics, it’s not a weapon, it’s a tool.
 
Interestingly, just before the news about Flame hit the wires, the ITU at the UN put out a press release announcing that they had teamed up with a security vendor for their Telecom World 2012 event. Incredible timing, huh?
 

13 thoughts on “Fighting the Flames”

  1. Pingback: Will GCHQ give more serious guidance than the FCC? | E RADAR | Smarter business online

  2. Pingback: Aslak Borgersrud: smokescreen · – What if we call it the Jackal?

  3. Pingback: TechAxcess » A CLoser Look At the Flame

  4. Pingback: Cyberwar: should we fear collateral damage? | news-infos.com

  5. Pingback: Cyberwar: should we fear collateral damage? | High-Tech

  6. Kai Roer

    This world is filled with security specialists craving time in the spotlight, so I am not surprised about the fuss created. Combine it with a slow period in general news, and BAM! here we go again.
    The important thing about Flame though, is the general awareness it creates through the media fuss. Most people not in security do not know/understand/care about these kinds of attacks. They actually also believe their AV software is stopping such things (before the signature exists).
  7. Maricone

    If this Flame thing turned out to be harmless or at least similar to all other malware, no major media would talk about it. Not only Kaspersky gave comments on it, but thousands of independent security experts, including hacker #1, Kevin Mitnick, for CNN. So this post sounds like bull..it.
  8. Pingback: Criticism between antivirus companies over the new super-virus Flame | MundoPC.NET

  9. Pingback: Flame is a fizzle, not a fire: Trend Micro

  10. Pingback: Flame is a fizzle, not a fire: Trend Micro | Network Security Software

  11. Pingback: Update on FLAME | Virus / malware / hacking / security news

  12. Pingback: Fighting Flame » blog.trendmicro.es
