Understanding the Flame Malware


May 29, 2012

While most Americans enjoyed a long holiday weekend, researchers in the security community were working around the clock to unravel the mysteries of one of the most intimidating pieces of malware code ever found.

Known by the names Flame, Flamer, and sKyWIper, the malware is significantly more complex than either Stuxnet or Duqu — and it appears to be targeting the same part of the world, namely the Middle East.

Preliminary reports from various security researchers indicate that Flame likely is a cyberwarfare weapon designed by a nation-state to conduct highly targeted espionage. Using a modular architecture, the malware is capable of performing a wide variety of malicious functions — including spying on users’ keystrokes, documents, and spoken conversations.

Vikram Thakur, principal research manager at Symantec Security Response, told eSecurity Planet that his firm was tipped off to the existence of Flame by Hungarian research group CrySys (Laboratory of Cryptography and System Security). As it turned out, Symantec already had the Flame malware (known to Symantec as W32.Flamer) in their database as it had been detected using a generic anti-virus signature. “Our telemetry tracked it back at least two years,” Thakur said. “We’re still digging in to see if similar files existed even prior to 2010.”

Dave Marcus, Director of Security Research for McAfee Labs, told eSecurity Planet that Flame shows the characteristics of a targeted attack.

“With targeted attacks like Flamer, they are by nature not prevalent and not spreading out in the field,” Marcus said. “It’s not spreading like spam, it’s very targeted, so we’ve only seen a handful of detections globally.”

While the bulk of all infections are in the Middle East, Marcus noted that he has seen command-and-control activity in other areas of the world. Generally speaking, malware command-and-control servers are rarely located in the same geographical region where the malware outbreaks are occurring, Marcus noted.

The indications that Flame may have escaped detection for several years are a cause for concern for many security experts.

“To me, the idea that this might have been around for some years is the most alarming aspect of the whole thing,” Roger Thompson, chief emerging threats researcher at ICSA Labs, told eSecurity Planet. “The worst hack is the one you don’t know about. In the fullness of time, it may turn out that this is just a honking great banking Trojan, but it’s incredibly dangerous to have any malicious code running around in your system, because it’s no longer your system — it’s theirs.”

Complex and Scalable Code

Although it is still early days in the full analysis of Flame, one thing is clear: the codebase is massive.

“Flamer is the largest piece of malware that we’ve ever analyzed,” said Symantec’s Thakur. “It could take weeks if not months to actually go through the whole thing.”

McAfee’s Marcus noted that most of the malware he encounters is in the 1 MB to 3 MB range, whereas Flame is 20 MB or more.

“You’re literally talking about an order of complexity that is far greater than anything we have run into in a while,” Marcus said.

Flame has an architecture that implies the original design intent was to ensure modular scalability, noted Thakur: “They used a lot of different types of encryption and coding techniques and they also have a local database built in.”

With its local database, Flame could potentially store information taken from devices not connected to the Internet.

“If the worm is able to make it onto a device that is not on the Internet, it can store all the data in the database which can then be transferred to a portable device and then moved off to a command and control server at some point in the future,” Thakur said.

Portions of Flame are written in the open-source Lua programming language, which Thakur notes is interesting because Lua is very portable and could potentially run on a mobile phone. Flamer also uses SSH for secure communications with its command-and-control infrastructure.

Thakur noted that Symantec’s research team is trying to trace Flame back to its origin, but cautioned that it will be a long analytical process. Symantec researchers will dig through all of their databases in an attempt to find any piece of evidence that may be linked to any of the threats exposed by Flame.

“It’s a very difficult job and it’s not an exact science,” Thakur said.

Evaluating the Enterprise Risk

While Flame is an immense piece of malware, the risk to most enterprise organizations appears to be moderate. McAfee’s Marcus stressed that chances of a U.S.-based enterprise IT shop encountering Flame aren’t all that high.

“In an attack that is as specific to a geography as Flamer looks to be, there is very little chance of this particular variant hitting a wide number of people,” Marcus said.

There is, however, a more sinister side effect that may come as a result of the discovery of Flame. Marcus stressed that one thing malware writers do exceptionally well is learn from other malware writers.

“We can expect in the future for someone to learn from Flamer and use it in a future malware variant,” Marcus said.

On a positive note, security researchers for the “good guys” can also learn from Flamer to help protect enterprises and consumers from similar and future threats.

“You take the things the enemy gives you and you learn what you can,” Marcus said. “That’s not to say that malware is ever a good thing, but we try and learn from it.”

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.
