There has been a great deal of conversation about Flame recently – a virus which is correctly being classified as the most impressive piece of malware discovered to date. The word ‘discovered’ is important as we do not really know how many ‘hybrids’ of Flame are also out there. If you were to write a wish list of characteristics for a cleverly intrusive, secretive information gathering piece of malware, then Flame would cover all aspects.
The fact that it can gather personal files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots, log instant messaging chats and cover its own tracks so neatly makes it very impressive. That said, all these vulnerabilities have been known for some time – in fact professionals such as myself place black tape over the webcam when we are not using it.
We have known for a long time about the threat of intrusive webcam hacks and, of course, about the other information gathering tools found separately in Flame; however, no malware to date has so expertly compiled all of these attack vectors into a single system with such success.
This virus poses huge threats. It can be distributed via removable media and local area networks. It can snoop on a network, detecting network resources and collecting lists of vulnerable passwords as they pass by over that network. It can capture the contents of any fields filled out, even when obscured by asterisks or dots (e.g. password fields). It can scan the disks of an infected system seeking specific content.
It can perform screen captures of the infected machine when specific programs are running and it can activate a microphone and record over a long period of time any sounds in the environment. It can overcome the security of Skype calls by such a process. This really is significant and all of the data captured is saved in a local database which it is able to encrypt and transfer back to control servers, bypassing all known antivirus detection, antimalware and other security software.
There are some indicators which point to government involvement including the fact that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet. Stuxnet of course is the well known computer worm which included a highly specialized malware payload designed to target only supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.
These SCADA systems were used in Iran’s uranium enrichment program. Recently, what has long been suspected has come to light – that the U.S. and Israel crafted the Stuxnet computer worm to attack Iran’s uranium enrichment program. There are similar traits in the Flame malware but many agree that there are also too many differences in this sophisticated software to make a direct link between the makers of Stuxnet and Flame.
The sophistication of many aspects of it could be said to point to state involvement, but it is a little early to tell. This software is 20MB whereas Stuxnet was only about .5MB. It really has its own complete database architecture. The actual name Flame comes from one of the attack modules located at various places in the malware code.
This malware is a platform which is capable of receiving and installing various modules for different goals. In fact, not one of the 40+ tested antiviruses could detect any of the malicious components. That again points to an incredibly sophisticated system which could not have been developed by a small group of individuals.
What we can say is that the beauty of the pervasiveness of the Internet is also its weakness. Once a computer is connected to the Internet, it is, for all intents and purposes, a potential target. There is no such thing as a secure network. If you wish to remain secure then do not own a computer…