Flame FAQ: 11 Facts About Complex Malware

Size of Flame dwarfs existing spyware, keyloggers, and other malware. Drill down for a closer look at the crucial technology and military issues.

The Flame malware (a.k.a. Flamer or Skywiper, also written sKyWIper), discovered earlier this month, is earning accolades from security researchers for being the largest, most complex piece of attack code ever spotted in the wild.

But what's also remarkable about the Flame malware is that although it's been infecting PCs since at least 2010, and possibly since 2007, it appears to have been used in only a scant number of highly targeted attacks.

What are the implications of that revelation, and what do we currently know about the malware? Here are 11 related facts:

1) Flame's size highlights a powerful malware arsenal. For starters, Flame wins awards based on its sheer size. "The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB," reads a blog post from Websense. "One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a LUA virtual machine." (LUA is the scripting language that was used to build many parts of the malware.)

2) Flame is focused on the Middle East. According to Symantec, the highest numbers of Flame infections were seen in the Palestinian West Bank, Hungary, Iran, and Lebanon. Interestingly, however, infections have also been reported in Austria, Russia, Hong Kong, and the United Arab Emirates. Security experts said that the infection pattern, along with the malware's stealth, suggests that it was developed by one or more Western intelligence agencies.

3) Don't expect immediate answers to questions about Flame. Unraveling Flame's inner workings and purpose will take weeks, or more likely, months. "Flamer is the largest piece of malware that we've ever analyzed," said Vikram Thakur, principal research manager at Symantec Security Response. "It could take weeks, if not months, to actually go through the whole thing." This is not least because the malware uses an unprecedented amount of encryption to help disguise its activities.

4) Flame studies installed security products, smartphones, and remote access. Flame's 20-odd modules offer some powerful attack capabilities. "One of the Flame's components, soapr32.ocx, is a DLL that is designed to collect information about the system and about the software installed on the victim's computer," read an analysis of a single Flame module published Wednesday by BAE Systems.

"The malicious DLL queries a number of the registry entries," it continued. For example, the malware looks to see if various types of security software--Tiny Personal Firewall, Kaspersky Antivirus, as well as various McAfee, Symantec, and ZoneAlarm products--are installed. It also looks for clues about the type of mobile phone the PC owner uses. Finally, it actively looks for any stored usernames and passwords related to a number of well-known FTP, SSH, and Virtual Network Computing clients, as well as remote-control software. "Revealing credentials for the aforementioned software exposes extra risks such as ability to connect to the compromised system remotely (via VNC) or compromise/infect/deface web servers managed via one of the enlisted FTP client solutions," said BAE.

5) Flame records extensive system information. According to BAE, the single Flame component it studied can audit almost any service, file, or application installed on the PC. It can also retrieve website cookies, record all services running on the PC, gather a list of all files and directories associated with program files, retrieve the installed version numbers for Outlook Express, Outlook, Microsoft Word, and Internet Explorer, see which USB devices are installed, map the network neighborhood, and retrieve from the Internet cache a list of all URLs visited. In addition, the malware "retrieves SMTP/POP3 server information and also account information/credentials for all Microsoft Outlook profiles," said BAE. All that information would give would-be attackers further techniques for attacking the PC or the information it stores.
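One way a defender could hunt for the software and credential inventory described in items 4 and 5, as an added example that is not part of the original article or BAE's analysis: flag any process that reads registry keys for several security products and a remote-access client within a short window. The event format, registry paths, process names, and thresholds are constructed assumptions; only the vendor names come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor names come from the article; path fragments and thresholds are assumptions.
WATCHLIST = {
    "security": ["tiny personal firewall", "kaspersky", "mcafee", "symantec", "zonealarm"],
    "remote": ["vnc", "ssh", "ftp"],
}
WINDOW = timedelta(seconds=60)
MIN_SECURITY, MIN_REMOTE = 3, 1

# Constructed sample events: time|pid|image|registry key read
SAMPLE_EVENTS = r"""
2012-06-01T10:00:01|4120|rundll32.exe|HKLM\SOFTWARE\KasperskyLab\protected
2012-06-01T10:00:02|4120|rundll32.exe|HKLM\SOFTWARE\McAfee\VSCore
2012-06-01T10:00:03|4120|rundll32.exe|HKLM\SOFTWARE\Symantec\InstalledApps
2012-06-01T10:00:06|4120|rundll32.exe|HKCU\Software\ExampleVNC\Password
2012-06-01T10:05:00|2200|mcupdate.exe|HKLM\SOFTWARE\McAfee\VSCore
2012-06-01T09:00:00|5000|inventory.exe|HKLM\SOFTWARE\KasperskyLab\protected
2012-06-01T11:00:00|5000|inventory.exe|HKLM\SOFTWARE\McAfee\VSCore
2012-06-01T13:00:00|5000|inventory.exe|HKLM\SOFTWARE\Symantec\InstalledApps
2012-06-01T13:00:05|5000|inventory.exe|HKCU\Software\ExampleSSH\Sessions
"""

def classify(key):
    # Return (category, token) for the first watchlist token in the key path, else None.
    low = key.lower()
    return next(((c, t) for c, toks in WATCHLIST.items() for t in toks if t in low), None)

def find_inventory_sweeps(text):
    # Flag a process that probes several security products plus a remote-access
    # client inside one WINDOW; slow or single-vendor readers are ignored.
    hits = defaultdict(list)
    for line in text.strip().splitlines():
        ts, pid, image, key = line.split("|", 3)
        match = classify(key)
        if match:
            hits[(int(pid), image)].append((datetime.fromisoformat(ts), *match))
    flagged = []
    for (pid, image), events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            security = {tok for _, cat, tok in window if cat == "security"}
            remote = {tok for _, cat, tok in window if cat == "remote"}
            if len(security) >= MIN_SECURITY and len(remote) >= MIN_REMOTE:
                flagged.append({"pid": pid, "image": image, "security": sorted(security), "remote": sorted(remote)})
                break
    return flagged
```

Substring matching on short tokens such as "ftp" is deliberately loose, so in practice the watchlist would be tuned against the keys a given fleet's legitimate software reads.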

6) Flame targets the same bugs as Stuxnet and Duqu. Is Flame related to Duqu or Stuxnet? "So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061," said Websense. "Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks." The first bug involves a vulnerability in the Windows Shell, which enables an attacker to execute arbitrary code. The second bug, in the Print Spooler Service, would likewise allow remote code execution in Windows XP and privilege elevation in other Windows operating systems.

Microsoft patched both vulnerabilities in 2010. But while Stuxnet and Duqu also used the vulnerabilities, multiple security experts have cautioned that malware writers tend to emulate each other. Hence, the shared vulnerabilities are no proof of a direct link between the different pieces of malware.

7) Infections remain rare. The Flame malware has apparently been used only in highly targeted attacks. In fact, Symantec researchers think that only 1,000--or perhaps a few thousand--PCs were ever infected by the malware.

8) Flame's scale is unique, but its capabilities are not. Some security experts don't see what all the Flame fuss is about. "Espionage attacks aimed at specific geographies or industries are nothing new. Look at LuckyCat, IXESHE, or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of a modular information-stealing Trojan," said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "In fact, a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT," he said. "Complexity of code is also nothing new."

9) Flame C&C servers appear to be offline. The media attention paid to Flame may have already had repercussions for the command and control (C&C) servers used to issue commands to the malware on infected PCs. Notably, an analysis of one of Flame's DLL files--a module for the malware--conducted using the Cuckoo Sandbox malware analysis system found that all the C&Cs seem offline or sinkholed now. Sinkholing refers to a technique used by security researchers to redirect botnet communications, thus allowing them to study infections.

10) Flame suggests espionage is ascendant. While the full extent of Flame's capabilities is still being unraveled, pronouncements are already being issued over its impact on the information security landscape. According to James Todd, the European technical lead for FireEye, "Flame has done for espionage what Stuxnet did for physical infrastructure."

Flame being in circulation for two years before being detected highlights how businesses must search carefully for any ongoing breaches they haven't detected. "The next big trend in IT security was always going to be cyber-espionage, given the potentially huge rewards for the taking," said Todd, via email. "This is particularly true if hackers can infiltrate information relating to policy, patents, intellectual property, and R&D plans. As such, any organization--or nation for that matter--with significant investments in R&D or IP must up the ante on preemptive security before it is too late."

"More and more, we see enterprises assuming they've been compromised," said Rob Rachwald, director of security strategy at Imperva, in a blog post.

11) Malware could rewrite military doctrine. Given the Flame capabilities on display, especially in the wake of Stuxnet, expect to see changes in military circles. "Cyberattacks will force adversaries to minimize their electronic productivity," said Rachwald. "It took nearly a decade to find Osama Bin Laden since he went completely off grid. ... Does this mean that scientists developing weapons will resort to crayons and paper only? Probably not, but today life very likely got a lot harder for scientists working on military projects worldwide."
