Last week, Iran’s Computer Emergency Response team sounded the alarm about a sophisticated piece of malware that attempted to route sensitive information from a small group of infected computers to at least 10 command and control servers. The software is designed to spy on the users of infected computers, logging their keystrokes, recording their conversations, and stealing documents and other information. Security research firms such as Symantec, Kaspersky, and McAfee, which have been analyzing the code, are calling the malware the most complex ever detected.
The malicious code, dubbed Worm.Win32.Flame or just Flame for short, is so unique that, despite evidence of its existence having been available for at least two years, experts just didn't recognize it for what it was until now. How is that possible, you ask? (So did ZDNet Australia.)
Whoever developed Flame endowed it with a set of characteristics that allowed it to hide in plain sight. The malicious code evaded detection for as long as it did because it differs from the standard malware profile in so many ways.
According to a ZDNet Australia article, one major difference is its size. The initial Flame module was 6 megabytes; once uploaded, it used a command and control server to download additional modules that brought its total size to 20 megabytes, say the security firms. Most other viruses attempt to hide among the other programs and bits of software on a computer by staying small. Those malicious codes typically top out at a few hundred kilobytes.
Another thing that sets Flame apart is the fact that it doesn’t indiscriminately attempt to infect every possible computer. Vitaly Kamluk, chief malware expert for Kaspersky Labs, a Russian antivirus firm, told the Wall Street Journal that the malware’s precision suggests that it was designed to be a cyberwarfare weapon. Kaspersky says that only 382 infections have been reported; of those, 189 were in Iran, and the targets were individuals rather than organizations.
Budapest University’s Cryptography and System Security (CrySyS) Lab says that the results of its investigation “support the hypotheses that [Flame, which it refers to as sKyWIper] was developed by a government agency of a nation state with significant budget and effort.” How so? The WSJ article quotes from a report explaining that:
"Usually with a standard attack malware writers will try to limit the amount of data coming off the machine because otherwise it is very hard to find what you are looking for," she said. "This is like old-school espionage. Take everything you can and sift through it. This shows there is an agency at the back end that has the bandwidth to deal with this."
Despite these large volumes of traffic, Flame still evaded detection. According to Pure Hacking CTO Ty Miller, Flame uses SSL encryption, the same type that ensures the security of online banking transactions. "The malicious network traffic is transferred over SSL and SSH tunnels, which are generally encrypted from end to end. This means that network-based intrusion prevention systems would not be able to detect rogue activities," Miller told ZDNet Australia. And even if something about the traffic aroused suspicion, "Without knowing what algorithm the traffic is encrypted with and what keys were used to encrypt it, no security solution would be able to classify such traffic as malicious, without increasing the risk of false positive detections that may potentially block legitimate traffic," Sergei Shevchenko, manager for threat research and analysis at Stratsec, a leading Australian IT security firm, told ZDNet Australia.
Another precaution taken by the malware’s creators was cloaking its activity under the cover of several dozen domain names and nearly 20 distinct IP addresses.
Just as likely to have put security and network administrators wrongly at ease is the programming language in which Flame was written. Kaspersky Labs’ Kamluk told the Wall Street Journal that parts were written in Lua, which is the leading scripting language used by videogame developers. “I have never seen it used in any piece of malware before,” Kamluk reports. But according to the programming language’s website, “A fundamental concept in the design of Lua is to provide meta-mechanisms for implementing features, instead of providing a host of features directly in the language.” In other words, in the hands of a malicious code writer, it can become a fertile seedbed for hiding things in plain sight, or for gradually adding capabilities that, if seen together, might arouse suspicion.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.