Behind the 'Flame' malware spying on Mideast computers (FAQ)

With possible ties to malware targeting Iran, the Flame spying software is seen as the latest cyber espionage attempt from a nation state.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
8 min read
The new Flame malware that has infected computers in Iran and the Middle East is named after one of the main modules it uses to spread.
The new Flame malware that has infected computers in Iran and the Middle East is named after one of the main modules it uses to spread. Securelist

The Flame worm that has targeted computers in the Middle East is being called "the most sophisticated cyberweapon yet unleashed" by Kaspersky Lab researchers who discovered it. Lurking on computers for at least five years, the malware has the ability to steal data, eavesdrop on conversations, and take screen captures of instant message exchanges, making it dangerous to any victim. But a possible link to malware found on computers in Iran's oil sector has experts saying it's got to be the work of a nation-state.

CNET talked with Roel Schouwenberg, senior researcher at Kaspersky, the company that uncovered the malware, to find out who is behind it and how dangerous it really is.

What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, like a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting.

The malware is named after one of the main modules that is responsible for attacking and infecting additional computers. There are multiple versions circulating, which are communicating with as many as 80 different command-and-control servers. Kaspersky has an updated technical analysis here and McAfee's technical blog post is here. This report on the malware, from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics, refers to the threat as "sKyWIper."

"Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit," Schouwenberg said. "We assume that we don't have all the modules that exist in the wild."

How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It's unclear what the initial point of entry is. "We expect to find a spear phishing e-mail with a Zero-Day exploit," Schouwenberg said.

Since we first published this FAQ, Microsoft has revealed that Flame gained a foothold by spoofing one of the company's own security certificates. Specifically, the virus tapped into rogue certificates for Microsoft's Terminal Server that appeared to be signed by the company and were therefore seen as legitimate. Microsoft has released security advisory describing the steps it's taking to remove the risk, including the issuance of a Windows patch to fix the security hole.

How long has Flame been around?
"We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that," Schouwenberg said Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United National's International Telecommunication Union for help in uncovering malware dubbed "Wiper" that was stealing and deleting sensitive information on computers in Iran's oil sector.

How does Flame relate to Wiper?
"Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental," Schouwenberg said. "So, we have an open mind to Wiper being a Flame plug-in." Iran's National Computer Emergency Response Team (CERT), which is called "Maher," said software to detect Flame was sent to companies in that country at the beginning of May and a removal tool is ready now. Recent incidents of mass data loss in Iran "could be the outcome of some installed module of this threat," the center said, speculating that attacks in which data from Iran's gas company computers may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.

Why wasn't Flame discovered earlier? Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. "Clearly it's another multimillion-dollar project with government funding, so one of the top priorities has been stealth," Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn't look malicious at first glance. "Flame authors have adopted the concept of hiding in plain sight," he said. Because Flame doesn't use a rootkit technology, free anti-rootkit tools won't be able to detect it. "Finding it is going to be more complicated," according to Schouwenberg.

Who created the malware?
It's unclear who wrote and distributed the malware, but Schouwenberg said researchers believe it was a nation-state or someone hired by a nation-state because of the advanced nature of the threat. Just because the code is in English does not mean that an English-speaking country is behind it, he said when asked if he thought the U.S. and/or Israel are behind this malware as is believed with Stuxnet. Meanwhile, liberal Jewish blog Tikun Olam cites an unidentified "senior Israeli source" as confirming that Israeli cyber warfare experts created Flame to "infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel's secret police including military intelligence."

Is it related to Stuxnet and Duqu? Flame shares some characteristics with two previous types of malware that targeted critical infrastructure systems and which used the same technology platform: Stuxnet and Duqu. Schouwenberg thinks the same entities are behind Flame. For instance, Flame and Stuxnet both spread via USB drive using the "Autorun" method and a .LNK file that triggers an infection when a directory is opened. Flame also can replicate through local networks using a Windows-based shared printer vulnerability that was exploited by Stuxnet as well. Kaspersky hasn't uncovered Flame using any previously unknown vulnerabilities, called "Zero-Days," but since Flame has infected fully patched Windows 7 systems through the network, there may be a high-risk Zero-Day being exploited. "We are operating under the assumption right now that basically Flame and Stuxnet were two parallel projects commissioned by the same nation-sate or states. The Stuxnet platform was created by one team or company and Flame by another team or company, and both teams had access to this common set of exploits," he said. Flame is 20 times larger than Stuxnet, which was previously believed to be the most sophisticated piece of malware ever.

How serious is this?
Kaspersky researchers believe there is much more to Flame than they know now. "We operate on the assumption there are other modules we don't know about, which could elevate Flame from cyber espionage to cybersabotage," Schouwenberg said. "Given the conservative method of spreading, we assume that the vast majority of infections we are seeing are intended targets ... The amount of manpower required to maintain this operation is very significant. Flame uses more than 80 C&C (Command and Control) servers, which we haven't seen before. This shows the amount of resources committed to this project."

Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by "Israel/Palestine," Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in "the Palestinian West Bank, Hungary, Iran and Lebanon." "With Flame, we haven't been able to say what binds all the targets together other than that they are in the same geographical region," Schouwenberg said. "We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don't know what type of data has been stolen." Victims include educational institutions, state-related organizations and individuals.

How widespread is Flame?
So far there are only estimates as to how widespread Flame infections are. Kaspersky researchers have seen between 300 and 400 infections on customer computers reporting back to them, but researchers speculate there could be more than 1,000 infected computers worldwide. Most of the infections are in Iran and other countries in the Middle East. There are a few in the U.S., and Schouwenberg said those could be due to someone in the Middle East using a virtual private network based in the U.S. to circumvent Internet filters in that country as opposed to genuine infections on U.S.-based computers. "We're looking into sinkholing (taking control of) some of the Command and Control servers and getting data from there to have a more accurate reflection of infections," Schouwenberg said.

Here are the countries with the most Flame infections discovered by Kaspersky.
Here are the countries with the most Flame infections discovered by Kaspersky. Securelist

Does it affect me?
Most of the major antivirus software now detects Flame, so updating your security software will protect you. Kaspersky also has offered tips for manually removing the malware. The software is not designed to steal financial data and does not seem targeted at consumers, so chances are your computer is safe.

What does this all mean?
While Flame represents another sophisticated cyber espionage attack, it's not exactly a harbinger of cyberwar. Countries have been conducting cyber espionage for years, but it wasn't until Stuxnet, with its links to the U.S. and Israel, that a Western country was fingered by researchers. Stuxnet is believed to have been designed to sabotage Iran's nuclear program after diplomatic and other efforts had failed. That said, Flame does show that sophisticated attacks on critical infrastructure are happening, and succeeding. "The good news is that like Stuxnet, Flame appears to be highly targeted," Eric Byres, chief technology officer and co-founder of Tofino Industrial Security, writes in a blog post. "But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware."

"You could call it military-grade malware, which is obviously a class above (other malware) and generally these are covert operations so remaining stealth is top-most priority," Schouwenberg said. "In the end, it was anti-malware that found this type of attack."

Editors' note: This FAQ was originally published May 30 at 2:40 p.m. PT. It has been updated since then with additional information, including on May 30 the Tikun Olam report of a source saying that Israel is behind Flame, and on June 4 with with details on Microsoft's security advisory to address the spread of Flame through rogue Microsoft security certificates.