Like any super-villan there are super-viruses, and in a time where the internet and the free-flow of information becomes more and more prevalent, super-viruses will emerge. Today, we have met one of those super-viruses dubbed “Flame” which is designed to infect a computer, steal information, and even use your computer’s microphone and web camera to collect information about the user!
Some theorists are saying this virus was cooked up in some super-power’s espionage think-tank while others think it is the intricate workings of a hacker leaving behind a legacy. There are 2 things that are crystal clear: 1 – This virus specifically targets key countries; 2 – this virus gathers intelligence. You are free to form your own conclusions.
Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
The initial point of entry of Flame is unknown – we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
Flame is a huge and complex package of modules comprising almost 20 MB in size when fully deployed (that is 20,000,000 characters of instruction code). Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.
There are many different timers built-in into Flame. They monitor the success of connections to the C&C, the frequency of certain data stealing operations, the number of successful attacks and so on. Although there is no suicide timer in the malware, the controllers have the ability to send a specific malware removal module (named “browse32”), which completely uninstalls the malware from a system, removing every single trace of its presence.
Yesterday Kaspersky updated their bulletin that the Flame malware is the same as “SkyWiper”, described by the CrySyS Laband by Iran Maher CERT group where it is called “Flamer”.