by Constantine von Hoffman

Meet Flame, the Ebola Virus of Malware

May 30, 20123 mins
CybercrimeData BreachMalware

What's bigger and more complex than Stuxnet or Duqu; scarily efficient at stealing information; only found in the middle East and created by a government, likely a Western one? The Flame malware, of course.

Kaspersky Labs has discovered a particularly nasty new malware strain, dubbed Flame, which is to ordinary malware as the Ebola virus is to a cold.

“The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date,” according to Kaspersky.

The researchers, who I’ve never known to be alarmist, say it is in the same category of super-cyberweapons as Duqu and Stuxnet. Few specific details are known about it right now (some say it will take years to untangle) but we do know it’s written in the same language used by Angry Birds. Seriously.

Here’s what else is known (or surmised):

  • It’s designed to carry out cyber espionage.
  • It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and audio conversations.
  • It can replicate over local networks using several methods, including the same printer vulnerability and USB infection method used by Stuxnet.
  • “One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals.” — Alexander Gostev, chief security expert at Kaspersky Lab
  • It was designed by a government.
  • It’s only known to be active in the Middle East. So far it is targeting systems in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. So, it’s from a government with interests in the Middle East. That limits the suspect list to … everyone. That said, F-Secure believes it to be from a Western government because of “a clear difference in how online espionage is done from China and how it’s done from the West. Chinese actors prefer attacks targeted via spoofed e-mails with booby-trapped documents attached. Western actors seem to avoid e-mail and instead use USB sticks or targeted break-ins to gain access.”
  • It’s really big: Over 20MB. The reason it “is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.”
  • Lua is the same language used to write Angry Birds, and malware written in Lua is very unusual.
  • It’s been out there for a while. According to Kaspersky it has definitely been active since 2010. Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS) say it might have been out since 2004. Kaspersky won’t go that far but does say it is highly likely that Flame has been active for more than just a couple of years.
  • It is a beast of many names. CrySyS ID’d it as “SkyWiper” and the Iran Maher CERT group calls it “Flamer.”
  • So far no antivirus programs can detect it. However, Iran’s CERT says they created a detector which was delivered to selected organizations and companies in May and that they have also developed a removal tool.
  • As far as we know it hasn’t yet infected very many computers. As Naked Security notes, it’s only been found on a few hundred computers.

Check out the following sites for additional information: