Security researchers recently discovered one of the most complex instances of computer malware on record. Flame, which also goes by the names SkyWiper and Viper, has infected hundreds of computers across the Middle East and Europe. What does it do? Where did it come from? Who unleashed it?
What makes Flame so unusual is its size. It's much larger than some of the largest malware instances that researchers have found. For instance, the infamous Stuxnet virus that was targeted at Iran’s uranium enrichment facilities several years ago was 500 kilobytes, according to Wired.
“Flame is a sizable beast," said Graham Cluley of Sophos Security, a publisher of digital security software. "With all its components in place, it's approximately 20MB. And this is one of the reasons why people have bandied phrases around like 'biggest' and 'most sophisticated.' Reverse engineering 20MB of code is a sizable piece of work."
Researchers have only scratched the surface of what is hidden in all that code. Stuxnet (and its sister DuQu) took researchers months to figure out exactly what it did and where it might have come from. Flame will take a lot longer.
Flame, at its core, is spyware. It has the ability to log key strokes from an infected user’s computer, use the computer’s sensors such as the microphone and Web cam to record what is being said around it, and take screenshots. It can also sniff a network to steal passwords, be spread through USB drives and local networks, and transfer data to command-and-control servers. It can infect Windows XP, Vista and Windows 7 computers.
This is not your ordinary spyware, though. While it does have some simple and basic elements of spyware (which can key log and use the microphone as well), its sheer girth betrays a more sophisticated approach.
Normal spyware is not hard to detect. It is usually some type of derivation of existing malware that has been repurposed by hackers and distributed through normal channels such as spam or infected websites. Antivirus companies such as Symantec (Norton), Kaspersky, Sophos, Bitdefender and others recognize the spyware shortly after it is discovered and issue a detection kit for it. Microsoft then comes out with a patch and the cat-and-mouse game between the malware writers and security companies goes on. To a certain extent, this is what has happened with Flame. Detection and removal kits have already been released by security companies including Sophos and Symantec, as well as the Iranian government.
But the size and uniqueness of Flame may prove to be more than the antivirus companies realize. Right now, the detector kits are looking for specific instances within the Flame code to help detect the virus. For instance, code samples with “flame” or “wiper” are detected and blocked. The thing is, Flame is not exactly new. It has been in the wild for more than five years, perhaps in varying forms that have been added to over time. Much of Flame may have been compiled in 2011, but bits of it may be older. Flame’s ability to avoid detection over time speaks to its unique properties. Those properties could also speak to its source.
Flame also uses a unique programming language to the malware world: Lua. Lua is used primarily by game developers to create cross-platform applications for iOS and Android. It is similar to C++ but easier to update and communicate with.
“Lua is normally used for convenience," said Liam O Murchu, operations manager of Symantec Security Response. "As a scripting language it is much more high-level than C++ and it is easier to write in. Also, it is very easy to update the Lua part of the code and change the behavior of the threat in a very fluid and fast way. Often the Lua portion can be updated without recompiling and redeploying the software in question.”
Flame is well organized in how it communicates and translates data. In an infected machine, it can perform a variety of tasks including wiping out its own existence as well as any other malware on the machine. This is a tactic used by other sophisticated viruses – becoming their own antivirus programs – presumably because other, less sophisticated viruses could lead to the discovery of Flame itself. When Flame retrieves data, be it key logs or screen shots, it uses high- and low-level encryption and HTTPS to send data back to its command-and-control servers. That data is then organized into its database through MySQLite, a smaller version of MySQL database software.
In a nutshell: Flame can control almost every aspect of the computer, disappear without a trace, encrypt its own communications and organize the data it collects. That is one smart virus.
It is so large and smart that researchers have concluded that this was not created by a random group of hackers looking to make some money. (Now that its code is out in the wild, though, that may be part of its future.)
“The results of our technical analysis supports the hypotheses that sKyWIper [Flame] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” stated a technical report from the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics.
Should average computer users worry about Flame? The short answer is no. Kaspersky Labs, which initially reported on Flame, only found several hundred instances of Flame among its client base, most of them in Iran and Middle Eastern countries. Whoever created Flame has been aiming it at specific targets, perhaps knowing that a virus like this left unchecked in the wild could do serious damage.
“I think run-of-the-mill malware is a much more significant threat to the vast majority of computer users than Flame,” Cluley said. “We have had zero reports of Flame from any of our customers' computers worldwide. Even Kaspersky, who appeared in the first media reports of Flame, only reported a couple of hundred infected PCs. Flame pretty much became the malware you didn't have to worry about because of the media hoopla and antivirus products being updated in the last 36 hours or so. You imagine that whoever was behind Flame is now pretty grumpy about their malware attracting so much attention.”