
The Flame: Questions and Answers

Aleks
Kaspersky Lab Expert
Posted May 28, 13:00  GMT
Tags: Targeted Attacks, Flame, Cyber weapon, Cyber espionage, Wiper

Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.

Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.

For the full low-down on this advanced threat, read on…

General Questions

What exactly is Flame? A worm? A backdoor? What does it do?

Flame is a sophisticated attack toolkit, a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if so commanded by its master.

The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.

Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.

How sophisticated is Flame?

First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. Flame is so big because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.

Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in Lua - with effective attack subroutines and libraries compiled from C++.

The effective Lua code part is rather small compared to the overall code. Our estimation of development ‘cost’ in Lua is over 3000 lines of code, which for an average developer should take about a month to create and debug.

Also, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.

Running and debugging the malware is also not trivial as it’s not a conventional executable application, but several DLL files that are loaded on system boot.

Overall, we can say Flame is one of the most complex threats ever discovered.

How is this different to or more sophisticated than any other backdoor Trojan? Does it do specific things that are new?

First of all, usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame.

The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame’s completeness - the ability to steal data in so many different ways.

Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.

What are the notable info-stealing features of Flame?

Although we are still analyzing the different modules, Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library.

Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule. We are still analyzing this; more information will be available on our website soon.

The malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server - just like the audio recordings.

We are still analyzing this component and will post more information when it becomes available.

When was Flame created?

The creators of Flame deliberately changed the creation dates of the files so that investigators could not establish the true time of creation. The files are dated 1992, 1994, 1995 and so on, but it’s clear that these are false dates.

We believe that the Flame project was, in the main, created no earlier than 2010, but it is still undergoing active development to date. Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created or changed in 2011 and 2012.

According to our own data, we observed Flame in use in August 2010. What’s more, based on collateral data, we can be sure that Flame was out in the wild as early as February to March 2010. It’s possible that earlier versions existed before then, but we don’t have data to confirm this; however, the likelihood is extremely high.
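The falsified file dates discussed above can be checked mechanically. The following Python triage check is an added example, not code from the original post: it reads the linker's build timestamp out of a PE header and compares it with evidence the analyst has from outside the file. The PE header it parses is constructed inline, and the two reference dates (SQLite's first public release as the earliest plausible link date for a binary embedding sqlite3, and the post's own date as the "first seen" bound) are assumptions for the demo.

```python
"""Added example, not code from the original post: a triage check for PE build
timestamps like the falsified 1992/1994/1995 dates described above.

The linker writes a 32-bit TimeDateStamp (seconds since the Unix epoch) into
the COFF header of every PE file. A stamp that predates a component the binary
is known to embed, or that postdates the day the sample was first seen, cannot
be genuine. The PE header below is constructed for the example."""
import struct
from datetime import datetime, timezone

# Assumption for the demo: a binary embedding sqlite3 cannot have been linked
# before SQLite's first public release (1.0, 17 Aug 2000).
SQLITE_FIRST_RELEASE = datetime(2000, 8, 17, tzinfo=timezone.utc)
# Assumption for the demo: the analysis date used as the "first seen" bound.
FIRST_SEEN = datetime(2012, 5, 28, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_timestamp(stamp: datetime, first_seen: datetime,
                     earliest_plausible: datetime) -> str:
    """Classify a build stamp against the analyst's external evidence."""
    if stamp.timestamp() == 0:
        return "zeroed"             # stamp stripped or deliberately cleared
    if stamp < earliest_plausible:
        return "implausibly_early"  # predates a component the file embeds
    if stamp > first_seen:
        return "later_than_first_seen"
    return "plausible"


def make_sample_pe(stamp: datetime) -> bytes:
    """Build a minimal synthetic PE header (constructed test data, not a real DLL)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows DOS header
    coff = struct.pack("<HHIIIHH",
                       0x14C,                   # Machine: IMAGE_FILE_MACHINE_I386
                       1,                       # NumberOfSections
                       int(stamp.timestamp()),  # TimeDateStamp
                       0, 0,                    # PointerToSymbolTable, NumberOfSymbols
                       0xE0,                    # SizeOfOptionalHeader (PE32)
                       0x2102)                  # Characteristics: EXECUTABLE|32BIT|DLL
    return bytes(dos) + b"PE\0\0" + coff


def demo() -> dict:
    """Classify constructed samples; keys name the scenario, values the verdict."""
    cases = {
        "dated_1994": datetime(1994, 1, 1, tzinfo=timezone.utc),
        "dated_2011": datetime(2011, 3, 1, tzinfo=timezone.utc),
        "dated_2012_after_first_seen": datetime(2012, 12, 1, tzinfo=timezone.utc),
        "zero_stamp": datetime(1970, 1, 1, tzinfo=timezone.utc),
    }
    return {name: assess_timestamp(pe_timestamp(make_sample_pe(d)),
                                   FIRST_SEEN, SQLITE_FIRST_RELEASE)
            for name, d in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```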

Why is it called Flame? What is the origin of its name?

The Flame malware is a large attack toolkit made up of multiple modules. One of the main modules was named Flame - it’s the module responsible for attacking and infecting additional machines.

Is this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or hacktivists?

Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from the rather simple hack tools and malware used by hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states in the Middle East) and also the complexity of the threat leave no doubt about it being a nation state that sponsored the research that went into it.

Who is responsible?

There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown.

Why are they doing it?

To systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and so on. Here’s a map of the top 7 affected countries:

Is Flame targeted at specific organizations, with the goal of collecting specific information that could be used for future attacks? What type of data and information are the attackers looking for?

From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence - e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry - making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.

Of course, like we have seen in the past, such highly flexible malware can be used to deploy specific attack modules, which can target SCADA devices, ICS, critical infrastructure and so on.

What industries or organizations is Flame targeting? Are they industrial control facilities/PLC/SCADA? Who are the targets and how many?

There doesn’t seem to be any visible pattern regarding the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions. Of course, collecting information on the victims is difficult because of the strict personal data collection policies designed to protect the identity of our users.

Based on your analysis, is this just one variation of Flame and there are others?

Based on the intelligence received from the Kaspersky Security Network, we are seeing multiple versions of the malware being in the wild - with different sizes and content. Of course, assuming the malware has been in development for a couple of years, it is expected that many different versions will be seen in the wild.

Additionally, Flame consists of many different plug-ins – up to 20 – which have different specific roles. A specific infection with Flame might have a set of seven plugins, while another infection might have 15. It all depends on the kind of information that is sought from the victim, and how long the system was infected with Flame.

Is the main C&C server still active? Is there more than one primary C&C server? What happens when an infected machine contacts the C&C server?

Several C&C servers exist, scattered around the world. We have counted about a dozen different C&C domains, run on several different servers. There could also be other related domains, which could possibly bring the total to around 80 different domains being used by the malware to contact the C&C. Because of this, it is really difficult to track the deployment and usage of the C&C servers.

Was this made by the Duqu/Stuxnet group? Does it share similar source code or have other things in common?

In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu.

For instance, when Duqu was discovered, it was evident to any competent researcher that it was created by the same people who created Stuxnet on the “Tilded” platform.

Flame appears to be a project that ran in parallel with Stuxnet/Duqu, not using the Tilded platform. There are, however, some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project - such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet’s authors.

On the other hand, we can’t exclude that the current variants of Flame were developed after the discovery of Stuxnet. It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.

In summary, Flame and Stuxnet/Duqu were probably developed by two separate groups. We would position Flame as a project running parallel to Stuxnet and Duqu.

You say this was active since March 2010. That is close to the time when Stuxnet was discovered. Was this being used in tandem with Stuxnet? It is interesting they both exploit the printer-spooler vulnerability.

One of the best pieces of advice in any kind of operation is not to put all your eggs in one basket. Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects - but based on a completely different philosophy. This way, if one of the research projects is discovered, the other one can continue unhindered.

Hence, we believe Flame to be a parallel project, created as a fallback in case some other project is discovered.

In your analysis of Duqu you mentioned “cousins” of Duqu, or other forms of malware that could exist. Is this one of them?

Definitely not. The “cousins” of Duqu were based on the Tilded platform, also used for Stuxnet. Flame does not use the Tilded platform.

This sounds like an info-stealing tool, similar to Duqu. Do you see this as part of an intelligence-gathering operation to make a bigger cyber-sabotage weapon, similar to Stuxnet?

The intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were fewer than 50 targets worldwide for Duqu - all of them super-high profile.

Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide.

The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.

According to our observations, the operators of Flame artificially keep the number of infected systems at a roughly constant level. This can be compared to working through fields sequentially: they infect several dozen machines, analyze the data from each victim, uninstall Flame from the systems that aren’t interesting, and leave the most important ones in place. After that, they start a new series of infections.

What is Wiper and does it have any relation to Flame? How is it destructive and was it located in the same countries?

The Wiper malware, which was reported on by several media outlets, remains unknown. While Flame was discovered during the investigation of a number of Wiper attacks, there is no information currently that ties Flame to the Wiper attacks. Of course, given the complexity of Flame, a data wiping plugin could easily be deployed at any time; however, we haven’t seen any evidence of this so far.

Additionally, systems which have been affected by the Wiper malware are completely unrecoverable - the extent of damage is so high that absolutely nothing remains that can be used to trace the attack.

There is information about Wiper incidents only in Iran. Flame was found by us in different countries of the region, not only Iran.

Functionality/Feature Questions about the Flame Malware

What are the ways it infects computers? USB Sticks? Was it exploiting vulnerabilities other than the print-spooler to bypass detection? Any 0-Days?

Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. We haven’t seen them in action yet, possibly because this functionality appears to be disabled in the configuration data. Nevertheless, the ability to infect USB sticks exists in the code, and it uses two methods:

  1. Autorun Infector: the “Autorun.inf” method from early Stuxnet, using the “shell32.dll” “trick”. What’s key here is that this specific method was used only in Stuxnet and has not been found in any other malware since.
  2. Euphoria: spreads on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when this directory is opened. Our samples contained the names of the files but did not contain the LNK itself.

In addition to these, Flame has the ability to replicate through local networks. It does so using the following:

  1. The printer vulnerability MS10-061 exploited by Stuxnet - using a special MOF file, executed on the attacked system using WMI.
  2. Remote job tasks.
  3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.

At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.
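The third network-spreading method above, a freshly created account that is immediately used to reach many machines, leaves a correlatable trail in Windows Security logs. The Python detector below is an added example, not code from the original post or from Kaspersky: it runs over constructed event records in a simplified shape (assumed fields extracted from event 4720 "a user account was created" and event 4624 "an account was successfully logged on", where LogonType 3 is a network logon) and flags accounts that fan out to several hosts within an hour of being created.

```python
"""Added example, not code from the original post: detection logic for the
lateral-movement pattern described above, in which a newly created account is
used at once for network logons to many hosts.

Events are constructed inline in a simplified shape; the field names are an
assumption standing in for values parsed out of Windows Security events 4720
(account created) and 4624 (successful logon, LogonType 3 = network)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already sorted by time.
SAMPLE_EVENTS = [
    {"time": "2012-05-20T09:00:00", "id": 4720, "subject": "CORP\\jdoe",
     "target": "CORP\\svc_backup2"},
    {"time": "2012-05-20T09:00:40", "id": 4624, "account": "CORP\\svc_backup2",
     "logon_type": 3, "host": "WS-017", "src_ip": "10.0.5.21"},
    {"time": "2012-05-20T09:01:05", "id": 4624, "account": "CORP\\svc_backup2",
     "logon_type": 3, "host": "WS-018", "src_ip": "10.0.5.21"},
    {"time": "2012-05-20T09:01:30", "id": 4624, "account": "CORP\\svc_backup2",
     "logon_type": 3, "host": "WS-022", "src_ip": "10.0.5.21"},
    {"time": "2012-05-20T09:02:00", "id": 4624, "account": "CORP\\svc_backup2",
     "logon_type": 3, "host": "FS-01", "src_ip": "10.0.5.21"},
    # Benign: a helpdesk-created account that logs on interactively (type 2)
    # to a single workstation hours later.
    {"time": "2012-05-20T10:00:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "CORP\\new.hire"},
    {"time": "2012-05-20T13:30:00", "id": 4624, "account": "CORP\\new.hire",
     "logon_type": 2, "host": "WS-101", "src_ip": "-"},
    # Benign for this rule: a long-standing admin account with no 4720 in scope.
    {"time": "2012-05-20T14:00:00", "id": 4624, "account": "CORP\\patchadmin",
     "logon_type": 3, "host": "WS-017", "src_ip": "10.0.9.4"},
    {"time": "2012-05-20T14:00:10", "id": 4624, "account": "CORP\\patchadmin",
     "logon_type": 3, "host": "WS-018", "src_ip": "10.0.9.4"},
]


def detect_new_account_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """Return one alert per account that was created (4720) and then used for
    network logons (4624, LogonType 3) to at least `min_hosts` distinct hosts
    within `window` of its creation."""
    created = {}                 # account -> (creation time, creating subject)
    hosts = defaultdict(set)     # account -> hosts reached
    sources = defaultdict(set)   # account -> source IPs of those logons
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (t, ev["subject"])
        elif ev["id"] == 4624 and ev.get("logon_type") == 3:
            acct = ev["account"]
            if acct in created and t - created[acct][0] <= window:
                hosts[acct].add(ev["host"])
                sources[acct].add(ev["src_ip"])
    alerts = []
    for acct, reached in hosts.items():
        if len(reached) >= min_hosts:
            alerts.append({
                "account": acct,
                "created_by": created[acct][1],
                "created_at": created[acct][0].isoformat(),
                "hosts": sorted(reached),
                "sources": sorted(sources[acct]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_account_fanout(SAMPLE_EVENTS):
        print(alert)
```

The `created_by` field matters for triage: the creating subject is the account whose session the spreader ran under, which is where the investigation of the initial foothold starts.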

Can it self-replicate like Stuxnet, or is it done in a more controlled form of spreading, similar to Duqu?

The replication part appears to be operator commanded, like Duqu, and also controlled with the bot configuration file. Most infection routines have counters of executed attacks and are limited to a specific number of allowed attacks.

Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.

Flame’s modules together account for over 20MB. Much of this is libraries designed to handle SSL traffic, SSH connections, sniffing, attack, interception of communications and so on. Consider this: it took us several months to analyze the 500K code of Stuxnet. It will probably take a year to fully understand the 20MB of code of Flame.

Does Flame have a built-in Time-of-Death like Duqu or Stuxnet?

There are many different timers built into Flame. They monitor the success of connections to the C&C, the frequency of certain data stealing operations, the number of successful attacks and so on. Although there is no suicide timer in the malware, the controllers have the ability to send a specific malware removal module (named “browse32”), which completely uninstalls the malware from a system, removing every single trace of its presence.

What about JPEGs or screen-shots? Is it stealing those too?

The malware has the ability to regularly take screenshots. What’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server, just like the audio recordings.

We are still analyzing this component and will post more information when it becomes available.

We will share a full list of the files and traces for technical people in a series of blog posts on Securelist during the next weeks.

What should I do if I find an infection and am willing to contribute to your research by providing malware samples?

We would greatly appreciate it if you could contact us by e-mail at the previously created mailbox for Stuxnet/Duqu research: stopduqu@kaspersky.com.

Update 1 (28-May-2012):

According to our analysis, the Flame malware is the same as “SkyWiper”, described by the CrySyS Lab, and as the malware the Iran Maher CERT group calls “Flamer”.


53 comments


Abhay

2012 May 28, 20:46
1
 

Time of Cyber Warfare

With all these three programs (Stuxnet, Duqu, Flame), do you believe the world is nearing a cyber warfare mechanism?
Most probably, there is some kind of state element behind these malwares.

Reply    

Josh Haberman

2012 May 28, 23:13
2
 

Lua, not LUA

FYI, the authors of Lua ask that you write "Lua", not "LUA":

"Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!"

--http://www.lua.org/about.html

Reply    

mathipet

2012 May 28, 23:15
0
 

I don't know how this works, tell me if I'm wrong, but do AV companies share information on how some virus works after analyzing it, or must every AV company analyze it "on its own" because of competition? Are you thinking about some collaboration with others in this case so it would not take 10 years to analyze Flame?

Reply    

Webmaster

2012 May 29, 06:08
0
 

GATOR

GATOR is a common cultural reference in Florida USA..
..just saying! :-)

Reply    

spritrig

2012 May 29, 06:31
-3
 

FLAME and Lua are from Brazil

FLAME and Lua are both from Brazil. Was a downloadable software, which uses Lua, just mistaken for a nation sponsored virus? Paranoia and an irresponsible press are a powerful combination. :)
http://martin.lncc.br/main-software-flame
http://wiki.martin.lncc.br/instalacao-flame-en

Reply    

DaLynxx

2012 May 29, 12:39
0
 

Nice find regarding the FLAME software!

But, it can still be a combination can't it? Someone found a nice information gathering framework in FLAME and tweaked it into a virus, adding some nice exploit propagation.

Doubt that the original FLAME is using exploits to spread.
Regardless... this will make the analysis so much easier I would guess.

EDIT 1: Added row about analysis

Reply    

Hans Adams

2012 May 29, 14:40
0
 

In doubt.

1) 20MByte: Much too much to deploy.
2) More or less a toolkit / toolchain to setup scenarios.
3) You will find PARTS of it at the victims.
4) Who is victim, who attacks?
5) Is Israel threatened by the same attacks like Iran? Indeed?
6) What makes usage of LUA special? Nothing... Has the VM been reimplemented or do they use the native one?

In summary: Just a toolkit / toolchain to describe scenarios and derive attackers' code from it. Nothing to worry about. Development of attackers' code has been automated and formalized like development of any other software too.

BTW: Whoever would reasonably claim that others, including foreign secret services, would NOT possess similar tools, perhaps written in Scala or Scheme instead of LUA?

HA

Reply    

Hans Adams

2012 May 29, 15:17
1
 

To say the least ---- I am upset ---- growing angry.....

Cite:
"...
including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available through the link to Flame’s command-and-control servers..."

The same the (in)famous German "BKA-Virus" was intended to permit... NOTHING NEW AT ALL....

"...
The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame’s completeness - the ability to steal data in so many different ways...."

NO! Already used by law enforcement.

"...
The malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server - just like the audio recordings...."

Already used by law enforcement.....

"...Why are they doing it? To systematically collect information on..."

Law enforcement, toll? One reasonable application of the infamous BKA-Virus?

".... The intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were less than 50 targets worldwide for Duqu - all of them, super-high profile...."

50 targets estimated by Kaspersky... Disregarding the devil fact that software providing the same functionality as Duqu was embedded in software deliberately delivered by at least two manufacturers of control systems. A control system together with its programming system including CAM built a digital binary weapon, VERY similar to Duqu (and in principle StuxNet).

The former code allowed an attacker to gain access to the machine programs, kill the feed back controllers by saturating some HTTP-Servers of the control systems and so forth....

I am pretty sure there are many similar weapons out there, much more than Kaspersky would publish about....

HA

Reply    

JEB

2012 May 29, 22:01
1
 

Re: collaboration

While companies and corporations may elect to compress departments to reduce redundancies, in the world of threat detection, having more eyes on the target from all their different perspectives prevents one problem endemic to compressed environments: tunnel thought. It's preferable to let everybody run off chasing down their own perspectives and arrive at the same conclusion point. It may be wasteful (but I like guys in the industry staying employed), and it may be redundant (think of it as cross-fact/error checking on a global scale), but it does prevent being blind-sided. A problem single groups are vulnerable to and have experienced.

Reply    

spritrig

2012 May 29, 22:22
0
 

Re:

It was the top hit for "FLAME Lua" on Google. On second look, Brazilian Lua implemented FLAME software installation instructions are for Linux. However, the Flame alleged 'cyber-weapon' is for Windows.

Reply    

willrobinson

2012 May 29, 23:06
0
 

food for thought

It strikes me that one of the challenges that Flame's authors must have been concerned about was how to get the data out of the building when the data was on a walled-off network. My guess is that perhaps this is what they used the blue-tooth exploit for. If they had also infected a smartphone, then they could have a hands-free upload of the data from the infected PC to the infected smartphone. The smartphone could then relay the info once it was out in the open.

Another thing I would be looking at if I had the resources that these guys appear to have... It occurs to me that the C&C servers are a weak link in the plan. Once code is de-compiled and the list of servers brought to light, the defenders can effectively shut down the entire network and back trace the traffic to the author's doorstep. If I were in their shoes I would plan for that eventuality by hacking into one or more of the boundary routers that cover the target country or region. (It has been done before so I assume it is doable.) All they would have to do is insert a line into the route table and their ill-gotten gains could still find their way home even if the published C&C server had fallen into enemy hands.

Reply    

baditup

2012 May 29, 23:32
0
 

Since 2010?

Firejack Technologies was founded in 2010 with the mission of making enterprise-class Internet solutions understandable to a wider audience.

One of whose products is OpenFlame... a platform that sounds similar to this attack...

http://www.firejack.net/

I wonder.....

Reply    

MARTIN Lab

2012 May 29, 23:33
0
 

Clarification about FLAME from Brazil

The FLAME platform described in http://martin.lncc.br/main-software-flame has NOTHING TO DO with the recently uncovered FLAME malware. The FLAME platform is for the rapid prototyping of active measurement tools, as described in the platform website.

We'd like to make it very much clear that:

- We're aware of at least two other packages with the same name; it's simple and easy to make an acronym from such an appealing word, therefore it's quite likely that other packages, including the cited malware, share this same name.

- Our FLAME environment does use Lua, but for the purpose of sending ICMP, TCP and UDP measurement probes. Crucially, our environment does not allow specially-crafted payload to be conveyed in such probes. Also, by no means it has any kind of code that allows recording audio, taking screenshots and other announced characteristics of the cited malware.

- The top hit for "FLAME Lua" on Google points to the website of our FLAME platform. The platform website has been online since November 2009.

- The source code of our FLAME platform hasn't been publicly available. A specific request for it must be made by email, explaining the requester's intended purpose. So far, we haven't received such requests (the first one was a couple of hours ago, motivated by the news about the cited malware). Therefore it's unlikely that the cited malware has even been based on our package.

- Our FLAME platform only compiles on Linux. The cited malware is for Windows-based systems.

- The Lua code and log snippets presented in this post have never been part of our FLAME environment.

As a final remark, we emphasize that all this matter boils down to an unfortunate coincidence of a malware having the same name as the acronym we’ve been using for a couple of years.

Hoping to have clarified the matter, our best wishes.

Reply    

mhsnrah

2012 May 30, 00:07
0
 

Propaganda!

In my opinion,
much of this news is propaganda from antivirus companies to sell their damn products!

As I know, important industrial and security centers in Iran are totally isolated from Internet.
The IT departments have to physically separate the LAN and WAN and even VLAN is not allowed!

All the removable media and USB drives are PHYSICALLY banned and file sharing is under heavy supervision.

The hardest network security policies have been applied.

So how can a virus come to a totally isolated computer and after harvesting information,
send huge data of sound, screen shot, key logs, and more to a server in cloud?!

I believe that AV companies are the bad boys who publish viruses on the net
targeting the home users and companies with unisolated InterAnet to sell their products.

Reply    

aria.banacha

2012 May 30, 00:12
0
 

Bangles of Ethernet Flame :p

Close your eyes, give me your hand, darling
Do you feel my heart beating
Do you understand
Do you feel the same
Am I only dreaming
Is this burning an eternal flame.

I believe it's meant to be, darling
I watch you when you are sleeping
You belong with me
Do you feel the same
Am I only dreaming
Or is this burning an eternal flame.

Say my name,
Sun shines through the rain
A whole life so lonely
And then you come and ease the pain
I don't want to lose this feeling.

Bangles - Eternal Flame : http://goo.gl/UG486

Reply    

billywatson

2012 May 30, 00:21
1
 

sample sharing?

I see Kaspersky would like us individual researchers to share our samples of malware with them, but where are their links to share their samples with us? Duqu's been long dead, and its exploit long patched, and this sample is still under lock and key. The same with Stuxnet. Is Flame going to be the same way?

Reply    

jjx042

2012 May 30, 00:56
0
 

Breadcrumbs left?

I'd think attackers would leave some type of breadcrumb to identify uninteresting machines even after they removed the malware, so they could easily identify/skip the discovery should it become re-infected later.

Reply    

Lode

2012 May 30, 03:00
0
 

Sandboxed and HIPS

I wonder if even this sophisticated super spyware could be installed without one's permission while one is running the browser and email client sandboxed, and using HIPS software.

Reply    

nEINEI

2012 May 30, 06:51
0
 

interesting lua

Why? Lua + C, a complex project under implementation of the application.
A curious mixture in virus code.

Reply    

siebr00

2012 May 30, 12:03
1
 

Facebook in automation mode

Flame does sound to me like an automated Facebook. All private information is collected and stored for you (somewhere else).

Reply    

BHollywood

2012 May 30, 13:52
0
 

Lua code

The Lua code example given above is a bit strange, seems to be decompiled, i.e. the 4th line from below probably reads originally "config.get(flame.props...)", no need for local variables. If this is done everywhere then the actual Lua LOC is much smaller than 3000 lines.

But also note the dynamic loading, compilation and execution of code via 'loadstring'.

Reply    

f0real

2012 May 30, 16:32
0
 

Re: interesting lua

This is from http://www.lua.org/about.html

"Lua has been used in many industrial applications (e.g., Adobe's Photoshop Lightroom), with an emphasis on embedded systems (e.g., the Ginga middleware for digital TV in Brazil)...."

What if Flamer has something to do with SCADA / embedded systems after all?

Reply    

f0real

2012 May 30, 16:36
1
 

Re: sample sharing?

I agree with you on how they should release Flame, but Stuxnet is already publicly available. If you look hard enough on the internet, you can find a download for either the binaries or decompiled source code of Stuxnet.

Perhaps you might want to check this --> www.contagiodump.blogspot.com

Reply    

f0real

2012 May 30, 16:41
0
 

Re: Since 2010?

Give me a break.

Do you really think a highly targeted malware would use an open source platform?

And you think this just because it has a similar name?

Reply    

Korodber

2012 May 30, 17:21
0
 

Questions

Great article, very interesting topic.

You say that it might have taken one month for one developer to create this, so how come you think a nation is involved in this?

Also, if it only took one month for ONE developer to create this, why will it take 10 years to analyze it for you guys?

Thanks in regard

Reply    

mikk0j

2012 May 30, 17:59
1
 

My 20 cents

First and foremost: While Flame is a gigantic set of software application(s) compared to Stux and friends, it tells something about the author. While the "others" were small, agile and highly dedicated (like Stux), this is not. By its nature, this is a general-purpose workbench to run multiple different kinds of functionality. As such, this does not require extensive understanding of SCADA, automation or PLC, control or such management environments.

Another thing to consider is the combination of code (Lua+C), which may reveal something. Why would an organization capable of spending M$:s approach it with a model like this? Yes, the size may make it hard to find, but the functionality is so obviously for information gathering.

3rd piece: What about interaction with hardware? Talking directly with chips, using part of the code there instead of running a huge amount of data through obvious channels, which makes the trojan much easier to detect by those de-evasion techniques?

To conclude: If you are able to spend some 3-4 years and hide something very well, why would you sacrifice the whole thing during the operation?

Reply    

trebonian

2012 May 30, 18:57
1
 

Analyze the targets as well as the code

If indeed Flame is being used for espionage, and each target is configurable - then a lot of information can be gleaned by analyzing the list of targets, and the kind of data considered "interesting" on each one.

John le Carré called this "taking back bearings".

Reply    

Donna J.Marn

2012 May 30, 19:55
0
 

War Conflict Name Change Scenario

"Social Media"..Is "Much-O-Stupid"Again.. http://wp.me/p2mFyC-20 via @wordpressdotcom

Reply    

mattmac

2012 May 31, 10:37
1
 

C&C domains

Anyone got a list of the domains used for C&C?

Reply    
