

Flame FAQ: 11 Facts About Complex Malware

Size of Flame dwarfs existing spyware, keyloggers, and other malware. Drill down for a closer look at the crucial technology and military issues.

The Flame--a.k.a. Flamer, Skywiper (sKyWIper)--malware discovered earlier this month is earning accolades from security researchers for being the largest, most complex piece of attack code ever spotted in the wild.

But what's also remarkable about the Flame malware is that although it's been infecting PCs since at least 2010, and possibly since 2007, it appears to have been used in only a scant number of highly targeted attacks.

What are the implications of that revelation, and what do we currently know about the malware? Here are 11 related facts:

1) Flame's size highlights a powerful malware arsenal. For starters, Flame wins awards based on its sheer size. "The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB," reads a blog post from Websense. "One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a LUA virtual machine." (Lua is the scripting language in which many parts of the malware were written.)


2) Flame is focused on the Middle East. According to Symantec, the most Flame infections were seen in the Palestinian West Bank, Hungary, Iran, and Lebanon. Interestingly, however, infections have also been reported in Austria, Russia, Hong Kong, and the United Arab Emirates. Security experts said that the infection pattern along with the malware's stealth suggest that it was developed by one or more Western intelligence agencies.

3) Don't expect immediate answers to questions about Flame. Unraveling Flame's inner workings and purpose will take weeks, or more likely, months. "Flamer is the largest piece of malware that we've ever analyzed," said Vikram Thakur, principal research manager at Symantec Security Response. "It could take weeks, if not months, to actually go through the whole thing." This is not least because the malware uses an unprecedented amount of encryption to help disguise its activities.

4) Flame studies installed security products, smartphones, and remote access. Flame's 20-odd modules offer some powerful attack capabilities. "One of the Flame's components, soapr32.ocx, is a DLL that is designed to collect information about the system and about the software installed on the victim's computer," read an analysis of a single Flame module published Wednesday by BAE Systems.

"The malicious DLL queries a number of the registry entries," it continued. For example, the malware looks to see if various types of security software--Tiny Personal Firewall, Kaspersky Antivirus, as well as various McAfee, Symantec, and ZoneAlarm products--are installed. It also looks for clues about the type of mobile phone the PC owner uses. Finally, it actively looks for any stored usernames and passwords related to a number of well-known FTP, SSH, and Virtual Network Computing clients, as well as remote-control software. "Revealing credentials for the aforementioned software exposes extra risks such as ability to connect to the compromised system remotely (via VNC) or compromise/infect/deface web servers managed via one of the enlisted FTP client solutions," said BAE.

5) Flame records extensive system information. According to BAE, the single Flame component it studied can audit almost any service, file, or application installed on the PC. It can also retrieve website cookies, record all services running on the PC, gather a list of all files and directories associated with program files, retrieve the installed version numbers for Outlook Express, Outlook, Microsoft Word, and Internet Explorer, see which USB devices are installed, map the network neighborhood, and retrieve from the Internet cache a list of all URLs visited. In addition, the malware "retrieves SMTP/POP3 server information and also account information/credentials for all Microsoft Outlook profiles," said BAE. All that information would give would-be attackers further techniques for attacking the PC or the information it stores.
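The profiling behaviour BAE describes in points 4 and 5 (one module enumerating installed security products and then hunting for FTP, SSH and VNC client credentials) is a pattern a defender can look for in registry-access telemetry. The following Python is an added example, not code from the article or from BAE's analysis; the log format, the key-path fragments and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Key-path fragments for the products and clients the article names (paths assumed, illustrative).
SECURITY_PRODUCTS = {"kaspersky": "\\kasperskylab\\", "mcafee": "\\mcafee\\",
                     "symantec": "\\symantec\\", "zonealarm": "\\zone labs\\",
                     "tiny_pf": "\\tiny personal firewall\\"}
REMOTE_CLIENTS = {"ftp": "\\filezilla\\", "ssh": "\\simontatham\\putty\\sessions",
                  "vnc": "\\realvnc\\"}

# Constructed sample of registry-access events: ISO time, pid, image, key (tab-separated).
SAMPLE_LOG = [
    "2012-05-30T10:00:01\t1234\tC:\\Windows\\System32\\rundll32.exe\tHKLM\\SOFTWARE\\KasperskyLab\\protected",
    "2012-05-30T10:00:02\t1234\tC:\\Windows\\System32\\rundll32.exe\tHKLM\\SOFTWARE\\McAfee\\DesktopProtection",
    "2012-05-30T10:00:03\t1234\tC:\\Windows\\System32\\rundll32.exe\tHKLM\\SOFTWARE\\Zone Labs\\ZoneAlarm",
    "2012-05-30T10:00:05\t1234\tC:\\Windows\\System32\\rundll32.exe\tHKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\prod",
    "2012-05-30T10:00:05\t2222\tC:\\Program Files\\PuTTY\\putty.exe\tHKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\prod",
    "2012-05-30T11:30:00\t3333\tC:\\Temp\\setup.exe\tHKLM\\SOFTWARE\\Symantec\\SymSetup",
]

def classify(key):
    """Tag a key path as ("security", product), ("remote", client) or None."""
    k = key.lower()
    for kind, table in (("security", SECURITY_PRODUCTS), ("remote", REMOTE_CLIENTS)):
        for name, frag in table.items():
            if frag in k:
                return (kind, name)
    return None

def parse(lines):
    """Group tagged events by (pid, image); keys that match nothing are dropped."""
    events = defaultdict(list)
    for line in lines:
        ts, pid, image, key = line.rstrip("\n").split("\t")
        tag = classify(key)
        if tag:
            events[(int(pid), image)].append((datetime.fromisoformat(ts), tag))
    return events

def find_profilers(lines, window=timedelta(seconds=60), min_products=2):
    """Return (pid, image) pairs that, within one window, probe at least
    min_products distinct security products and one remote-access credential store."""
    hits = []
    for proc, evs in parse(lines).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            tags = [t for ts, t in evs[i:] if ts - start <= window]
            products = {n for kind, n in tags if kind == "security"}
            if len(products) >= min_products and any(k == "remote" for k, _ in tags):
                hits.append(proc)
                break
    return hits
```

A legitimate client reading its own session keys (pid 2222) or an installer checking for one product (pid 3333) does not trip the rule; only the process that combines both behaviours does.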

6) Flame targets the same bugs as Stuxnet and Duqu. Is Flame related to Duqu or Stuxnet? "So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061," said Websense. "Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks." The first bug involves a vulnerability in the Windows Shell, which enables an attacker to execute arbitrary code. The second bug, in the Print Spooler Service, would likewise allow remote code execution in Windows XP and privilege elevation in other Windows operating systems.

Microsoft patched both vulnerabilities in 2010. But while Stuxnet and Duqu also used the vulnerabilities, multiple security experts have cautioned that malware writers tend to emulate each other. Hence shared exploits alone are no proof of any direct link between the different malware families.

7) Infections remain rare. The Flame malware has apparently been used only in highly targeted attacks. In fact, Symantec researchers think that only 1,000--or perhaps a few thousand--PCs were ever infected by the malware.

8) Flame's scale is unique, but its capabilities are not. Some security experts don't see what all the Flame fuss is about. "Espionage attacks aimed at specific geographies or industries are nothing new. Look at LuckyCat, IXESHE, or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye. Carberp is another great example of a modular information-stealing Trojan," said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "In fact, a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT," he said. "Complexity of code is also nothing new."

9) Flame C&C servers appear to be offline. The media attention paid to Flame may have already had repercussions in the form of the command and control (C&C) servers used to issue commands to the malware on infected PCs. Notably, an analysis of one of Flame's DLL files--a module for the malware--conducted using the Cuckoo Sandbox malware analysis system found that all the C&Cs seem offline or sinkholed now. Sinkholing refers to a technique used by security researchers to redirect botnet communications, thus allowing them to study infections.

10) Flame suggests espionage is ascendant. While the full extent of Flame's capabilities is still being unraveled, pronouncements are already being issued over its impact on the information security landscape. According to James Todd, the European technical lead for FireEye, "Flame has done for espionage what Stuxnet did for physical infrastructure."

That Flame circulated for two years before being detected highlights why businesses must actively search for ongoing breaches they have not yet detected. "The next big trend in IT security was always going to be cyber-espionage, given the potentially huge rewards for the taking," said Todd, via email. "This is particularly true if hackers can infiltrate information relating to policy, patents, intellectual property, and R&D plans. As such, any organization--or nation for that matter--with significant investments in R&D or IP must up the ante on preemptive security before it is too late."

"More and more, we see enterprises assuming they've been compromised," said Rob Rachwald, director of security strategy at Imperva, in a blog post.

11) Malware could rewrite military doctrine. Given the Flame capabilities on display, especially in the wake of Stuxnet, expect to see changes in military circles. "Cyberattacks will force adversaries to minimize their electronic productivity," said Rachwald. "It took nearly a decade to find Osama Bin Laden since he went completely off grid. ... Does this mean that scientists developing weapons will resort to crayons and paper only? Probably not, but today life very likely got a lot harder for scientists working on military projects worldwide."
