A cyber-weapon-grade piece of malware, some twenty times the size of Stuxnet, has apparently been fired at a number of countries in the Middle East. This highly complex piece of code, which takes screenshots of any open 'programs of interest' such as email or IM clients, records audio and sends large volumes of compressed sensitive data back to base, was uncovered thanks to research from Kaspersky Lab and the International Telecommunication Union (ITU). Described as being far more functional and far more complex than previous nation-state sponsored attacks such as Stuxnet, Flame has so far been found actively deployed within Egypt, Iran, Israel, Lebanon, Saudi Arabia, Sudan and Syria.

Perhaps the most surprising piece of information that has emerged about this cyber weapon is that it appears to have been first fired some two years ago, in 2010. At present, however, there are no clues as to which nation state is behind the worm. That is, if it is indeed a state-sponsored attack at all. The chances do appear high that it is, given the complexity of the code and the fact that this isn't some bank-login scraping affair or something that delivers a denial of service or site defacement payload. So if we rule out the organised cyber-criminal gangs and the political hacktivists, that only really leaves the nation states. It has been suggested that there are 'similarities' with Stuxnet in the code design itself, but whether this points to Flame and Stuxnet being weapons from the same cyber-armoury is, at this moment in time, open to much debate within the IT security industry.

What is known for sure is that Flame has been very specifically targeted at particular computer systems within the countries where it has been found, rather than launched in a blunderbuss fashion.

Flame itself was discovered by accident, which makes it even more 'impressive' from a technical viewpoint. This worm has been active in the wild for two years and is a complex piece of code that makes Stuxnet look truly simplistic, yet it has gone undetected until now. Researchers at Kaspersky Lab only stumbled across it while investigating a particularly destructive piece of malware known, at this point in time, only as 'Codename Wiper': malware that was deleting data on computers in Western Asia. Wiper has still not been tracked down, but the researchers spotted another piece of unknown malware during their analysis of the attack logs, and this turned out to be Flame.

Eugene Kaspersky, CEO of Kaspersky Lab, says: “The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

Kaspersky Lab’s experts are continuing to reverse engineer the multiple modules, made up of several megabytes of executable code, that comprise Flame, in the hope of revealing more details of the threat, including possibly more clues as to the origin of this super cyber-weapon. At the moment, though, the answer to the question of who fired Flame is unknown, and that may remain the case.

To find out more about Flame, visit the Kaspersky Lab Flame FAQ. It includes details of how the Lua scripting language, extended and interfaced with C code, has been used: many parts of the worm have their high-order logic written in Lua, with the effective attack subroutines and libraries compiled from C++.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011, despite my life being far from over...

An interesting development:

"Hungarian researcher Boldizsar Bencsath, whose Laboratory of Cryptography and Systems Security first discovered the Duqu cyber weapon, said his analysis showed Flame may have been active for at least five years and perhaps eight years or more," according to a report from PC Pro magazine.

That would pre-date Stuxnet and, if true, makes the whole Flame story even more interesting. Of course, the simple fact of the matter is that even if Flame does prove to have been active for five years or more, it doesn't necessarily make it the most complex nor the most successful state-sponsored worm in history. That accolade will probably go to something we will never hear about, that will never be discovered. And that's what is, perhaps, most worrying of all...

It is also interesting to consider that Flame is around 20MB in size, and includes libraries for compression, database management and a Lua virtual machine, amongst other things. It's a very complex, and very large, package of assorted modules - much larger than most (if not all) worms to have surfaced so far. Researchers at Kaspersky think the attack toolkit is so large, and not written using compact programming languages, as a deliberate tactic rather than through simplistic development processes. While you might expect malware to be made small so as to be easily hidden, it appears that the Flame developers have gone for the polar opposite: concealment of the naughty stuff through the use of large amounts of code.

And more: "Conflicting conjecture and confusion over the ‘ownership’ of the detection is muddying the waters. According to the Iran National CERT they had detection (but not removal) for the malware ESET calls Win32/Flamer.A in early May, but Kaspersky claims it’s been in the wild since March 2010: however, it seems to be the same malware threat the Laboratory of Cryptography and System Security (CrySyS) in Budapest calls sKyWIper (which they believe may have been active for 5-8 years or even longer)." - David Harley, senior researcher at ESET

Initial SkyWiper analysis document (warning - opens PDF) here.

The 'chief security expert' at Kaspersky Lab, Alexander Gostev, has now expanded upon the functionality of Flame at a technical level and, rather importantly, has provided the information required to perform a detailed check to see if you are infected (unlikely unless you are a Middle Eastern government agency, but you never know). More here.