'Flame' Fans Notion Of More Weapons Yet To Be Found

Targeted attack looks a lot like conventional spyware, but with some major twists -- and questions about links to Stuxnet, Duqu

No one has a full head count of the victims, but researchers estimate that it's a relatively small number of machines, anywhere from less than 1,000 to multiple thousands. Vikram Thakur, principal research manager for Symantec Security Response, says it's likely less than 1,000 infections, and what makes Flame stand out -- besides its size -- is how it was written. "It was written in a scripting language, with a SQL server database in it, multiple layers of encryption, with modules encrypted in different manners," he says. "When we talk about complexity [of Flame, it's the] coding style," not the features of the tool, that can be found in commercial spyware, he says.

Symantec doesn't believe the same developers who wrote Stuxnet and Duqu are behind Flame. "This is not as refined as Stuxnet and Duqu, even though it's complicated. It's not using the same coding language, and it's using off-the-shelf techniques such as its SQL database, protocols like SSH. Not things Duqu and Stuxnet were using," Thakur says.

Stuxnet and Duqu's creators were careful in hiding their tracks and not using any off-the-shelf tools, he says.

[ A day after researchers from Kaspersky Lab revealed that with the help of the security community, they had cracked the mystery of the programming language used in Duqu, researchers from Symantec announced they had discovered a new variant of Duqu -- the first one spotted since October. The first two were found in the wild in November 2010. See Duqu Alive And Well: New Variant Found In Iran. ]

Flame's modular architecture allows its developers to easily update and expand on its capabilities. That has led researchers to question whether it's related to recent attacks that wiped data from hard drives in the Middle East.

Whether Flame has the capability to "wipe" victim data is unclear as yet, but there may well be other modules out there for it, says Boldizsar Bencsath, assistant professor at CrySys. He says there also could be a Flame module for "wiping" data in an attack.

Symantec's Thakur says it's likely that the Flame toolkit can use a module to wipe out the hard drive.

Just how much damage has Flame actually caused? Researchers say they still have a lot to learn about the malware. "How effective it has been remains to be determined, as there still have only been a small number of infections discovered and it will take some significant research time to deconstruct all of its capabilities," says Patrik Runald, director of research for the Websense Security Labs.

Meanwhile, Kaspersky has posted more details about the modules in Flame.