Flame: Cyberwarfare’s Latest, Greatest Weapon

The Flame virus, focused mainly on Iran, has all the hallmarks of a state-sponsored online attack—including its ability to remain hidden for two years

3 min read
Flame: Cyberwarfare’s Latest, Greatest Weapon

Last week, Iran’s Computer Emergency Response team sounded the alarm about a sophisticated piece of malware that attempted to route sensitive information from a small group of infected computers to at least 10 command and control servers. The software is designed to spy on the users of infected computers, logging their keystrokes, recording their conversations, and stealing documents and other information. Security research firms such as Symantec, Kaspersky, and McAfee, which have been analyzing the code, are calling the malware the most complex ever detected.

The malicious code, dubbed Worm.Win32.Flame or just Flame for short, is so unique that, despite evidence of its existence having been available for at least two years, experts just didn't recognize it for what it was until now. How is that possible, you ask? (So did ZDNet Australia.)

Whoever developed Flame endowed it with a set of characteristics that allowed it to hide in plain sight. The malicious code evaded detection for as long as it did because it differs from the standard malware profile in so many ways.

According to a ZDNet Australia article, one major difference is its size. The initial Flame module was 6 megabytes; once uploaded, it used a command and control server to download additional modules that brought its total size to 20 megabytes, says the security firms. Most other viruses attempt to hide among the other programs and bits of software on a computer by staying small. Those malicious codes typically top out at a few hundred kilobytes.

Another thing that sets Flame apart is the fact that it doesn’t indiscriminately attempt to infect every possible computer. Vitaly Kamluk, chief malware expert for Kaspersky Labs, a Russian antivirus firm, told the Wall Street Journal that the malware’s precision suggests that it was designed to be a cyberwarfare weapon. Kapersky says that only 382 infections have been reported; of those, 189 were in Iran, and the targets were individuals rather than organizations.

Budapest University’s Cryptography and System Security (CrySyS) Lab says that the results of its investigation “support the hypotheses that [Flame, which it refers to as sKyWIper] was developed by a government agency of a nation state with significant budget and effort.” How so? The WSJ article quotes from a report explaining that:

"Usually with a standard attack malware writers will try to limit the amount of data coming off the machine because otherwise it is very hard to find what you are looking for," she said. "This is like old-school espionage. Take everything you can and sift through it. This shows there is an agency at the back end that has the bandwidth to deal with this."

Despite these large volumes of traffic, Flame still evaded detection. According to Pure Hacking CTO Ty Miller, Flame uses SSL encryption, the same type that ensures the security of online banking transactions. "The malicious network traffic is transferred over SSL and SSH tunnels, which are generally encrypted from end to end. This means that network-based intrusion prevention systems would not be able to detect rogue activities," Miller told ZDNet Australia. And even if something about the traffic aroused suspicion, "Without knowing what algorithm the traffic is encrypted with and what keys were used to encrypt it, no security solution would be able to classify such traffic as malicious, without increasing the risk of false positive detections that may potentially block legitimate traffic," Sergei Shevchenko, manager for threat research and analysis at Stratsec, a leading Australian IT security firm, told ZDNet Australia.

Another precaution taken by the malware’s creators was cloaking its activity under the cover of several dozen domain names and nearly 20 distinct IP addresses.

Just as likely to have put security and network administrators wrongly at ease is the programming language in which Flame was written. Kaspersky Labs’ Kamluk told the Wall Street Journal that parts were written in Lua, which is the leading scripting language used by videogame developers. “I have never seen it used in any piece of malware before,” Kamluk reports. But according to the programming language’s website, “A fundamental concept in the design of Lua is to provide meta-mechanisms for implementing features, instead of providing a host of features directly in the language.” In other words, in the hands of a malicious code writer, it can become a fertile seedbed for hiding things in plain sight, or for gradually adding capabilities that if seen together might arouse suspicion.

The Conversation (0)

The Cellular Industry’s Clash Over the Movement to Remake Networks

The wireless industry is divided on Open RAN’s goal to make network components interoperable

13 min read
Photo: George Frey/AFP/Getty Images
DarkBlue2

We've all been told that 5G wireless is going to deliver amazing capabilities and services. But it won't come cheap. When all is said and done, 5G will cost almost US $1 trillion to deploy over the next half decade. That enormous expense will be borne mostly by network operators, companies like AT&T, China Mobile, Deutsche Telekom, Vodafone, and dozens more around the world that provide cellular service to their customers. Facing such an immense cost, these operators asked a very reasonable question: How can we make this cheaper and more flexible?

Their answer: Make it possible to mix and match network components from different companies, with the goal of fostering more competition and driving down prices. At the same time, they sparked a schism within the industry over how wireless networks should be built. Their opponents—and sometimes begrudging partners—are the handful of telecom-equipment vendors capable of providing the hardware the network operators have been buying and deploying for years.

Keep Reading ↓ Show less