'Flame' malware may be less troublesome than Windows

'Super cyberweapon' has been around five years without causing major headaches

The malware known as 'Flame,' which the analysts who discovered it described as a super-cyberweapon, is actually a cyberespionage tool that has been running inside Iranian data centers and labs for as long as five years without being discovered or causing significant damage.

Contrast that with Stuxnet, which was built to cause damage and mayhem and yet still lingered in high-security facilities for a year or more, tampering with the speeds and sequencing of uranium-enrichment centrifuges.

Contrast it, for that matter, with Windows, which causes huge disruptions every time a new version, a new Service Pack or even a significant batch of patches comes out (let alone when Windows-based malware helps someone steal data from usually not-so-secret installations), and you have a good case for stealth as a design goal.

Flame is no micro-app with little potential for bugs or mis-coding, either.

Fully installed, Flame takes up about 20MB of disk space, stores its data in SQLite databases and runs parts of its logic as scripts through an embedded Lua interpreter, according to Ars Technica.

Kaspersky Lab discovered Flame a few weeks ago but released a report on it only Monday, naming the threat after a module within the package and estimating that it could have taken as long as two years to spread, undetected, to the thousand or so machines it infected.

Hungary-based CrySyS Lab, which calls the malware sKyWIper, estimates it may have been around for as long as five years.

The interesting thing (ok, another interesting thing) about Flame is that it is designed to use any resource available to swipe information from disk, from the keyboard or even from conversations held near an infected computer.

"It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes," according to CrySyS' own report on the malware.

One module turns on an infected machine's microphone to record Skype conversations; another scans for names and contact lists on nearby Bluetooth devices; a third takes screenshots of what the user is doing every minute or so. The images and data are sent home over an SSL-encrypted connection to the command-and-control servers.

It can also sniff network traffic and try to expand its toehold by cracking the encryption and passwords protecting other machines on the network.

Flame uses as many as 80 domain names that resolve to a dozen or so servers housing its command-and-control infrastructure, according to Ars Technica.

Symantec's report calls Flame "highly sophisticated and discreet" in operation, rarely doing anything overt to advertise its presence. One exception, Symantec suggested, is that Flame is the same software that caused a loss of data during an attack on the Iranian Oil Ministry, according to Iran's own emergency cyber-response team.

Security company Webroot claims to have detected Flame in 2007, but didn't react because "the code was not particularly menacing," according to the San Jose Mercury News.

Flame exploits the same Windows weaknesses, the print-spooler and .lnk shortcut flaws, that Stuxnet used to spread, which makes it possible that the two were built by the same sources, Kaspersky reported.

All in all, Flame is the kind of major software project that could only be conceived or completed by a large sophisticated organization, according to Kaspersky's report.

Kaspersky's theory is that there were at least two groups of programmers, who may or may not have overlapped with the malware writers who coded Stuxnet and Duqu.

The Flame team was at least as large and capable as those who wrote the last two super cybersecurity threats: professional groups whose coders have a clear idea of their goal, plenty of leeway to experiment with unusual coding or data-collection approaches, and confidence that the end result would have few quality, performance or interoperability problems. That is not the kind of work typically done by random collections of hackers in East European sweatshops.

The need for their code to act secretly provided an extra incentive to make it run correctly and to avoid causing any undue delays in either network or workstation performance, the CrySyS and Kaspersky reports concluded.

If only Windows installed, distributed its patches and functioned as flawlessly as that.

Maybe it's time for Microsoft to add one more feature to the already unsustainably long list it is paring down for the final release of Windows 8: stealth installs.

If it had to run more like Flame to keep from being discovered and eliminated, Windows might have to learn much better manners than anyone has so far been able to teach it.

Read more of Kevin Fogarty's CoreIT blog at ITworld.
