Usually when you find a virus on your computer you probably think of it as something you have to fix, but beyond that you don't really give it too much attention. You don't really think to yourself that the virus has anything to do with you. How would you feel if the virus were not only meant for you but also designed to specifically get to your personal or work-related information?
In late May 2012, reports started circulating about a new type of malware called “Flame” or “Flamer”. Malware, which the Security in a Box manual defines as “A general term for all malicious software, including viruses, spyware, trojans, and other such threats”, is nothing new, but Flame was notably atypical, and a careful look at its unique characteristics makes it an important case study for anticipating what the next stage of malware might look like.
- Size (6-20MB). For anyone who has ever coped with a really slow internet connection while trying to send a 5MB document as an attachment, imagine the number of failed attempts it would take to disseminate a 20MB file. Considering that computer viruses smaller than one-hundredth the size of “Flame” have done vicious damage worldwide, at first glance it seems like a logistical oversight to make this malware so large, but only if we assume that the point of “Flame” is to proliferate quickly.
- Proliferation speed (or rather, lack thereof). Researchers estimate that there were only about one thousand infections worldwide. Researchers mapping the infections found that most were in Iran, Lebanon, Sudan, the occupied Palestinian Territories and other parts of the Middle East.
On the surface, Flame might be taken for an amateur project that failed to proliferate as intended. Instead, it seems to have been created by highly educated, well-trained, and well-funded professionals: once security firms like Kaspersky, Symantec, and F-Secure; the Iranian Computer Emergency Response Team Coordination Center (MAHER); and companies like OpenDNS and Microsoft started talking publicly about Flame, the malware was ordered to shut itself down and delete itself from infected computers. At the same time, antivirus software was quickly updated to remove Flame. Within two weeks of publication, the command and control infrastructure began removing Flame's traces from infected computers. It seems that somebody was watching who and what Flame was doing. While we don't know who was controlling Flame at the time of the shutdown, according to the Washington Post and the New York Times, Flame was created by the governments of the United States and Israel.
There seems to be little danger that another Flame can be built without massive support. However, the methods Flame used are likely to be studied and implemented by others at lower cost, and as the cost drops it is quite possible that malware like this will be used for other kinds of surveillance. Flame was specifically designed to get around the practices that organizations and individuals put in place to protect their data. Instead of being used as a weapon between countries, the lessons learned from Flame could be applied by criminals to their own activities, and they could also be used by state actors for internal monitoring of political dissent.
This type of malware is dangerous enough to have caused Mikko Hypponen, Chief Research Officer of F-Secure, to write:
“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers, and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose.”
The discovery of this particular malware is a game-changer, because Flame explores ways to quietly track and calculate activity, rather than pursuing the somewhat sloppy goal of most malware: causing as much disruption as possible. This discovery should prompt increased study and awareness of these types of attacks, since they fall outside the scope of the majority of “best practices” used for computer protection. We, as individuals or organizations, don't need to panic, but we have a really good incentive to prepare ourselves better.
- The “Flame Malware Statistics” image is copyright © 2006-2012 OpenDNS Incorporated. All rights reserved. Used, with permission, from “Unique insight into Flame malware”.
For further reading
- Wikipedia: Flame (malware)
- Security in-a-box Glossary: Malware
- New York Times: Obama Order Sped Up Wave of Cyberattacks Against Iran
- Wired: Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers
- Computer World: Development timeline key to linking Stuxnet, Flame malware
- Wired: Obama Ordered Stuxnet to Continue After Bug Caused It to Spread Wildly
- OpenDNS: Unique insight into Flame malware
- Wired: Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
- Wired: A Massive Web of Fake Identities and Websites Controlled Flame Malware
- Wired: Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code
- Ars Technica: "Flame" malware was signed by rogue Microsoft certificate
- Ars Technica: Iran-targeting Flame malware used huge network to steal blueprints
- Ars Technica: Flame malware hijacks Windows Update to spread from PC to PC
- Ars Technica: Flame malware wielded rare "collision" crypto attack against Microsoft
- Wired: Sen. Feinstein Calls for Hearing on Stuxnet Leaks as FBI Begins Probe
- Ars Technica: Flame's "god mode cheat code" wielded to hijack Windows 7, Server 2008 (Updated)
- Ars Technica: Crypto breakthrough shows Flame was designed by world-class scientists
- Ars Technica: Flame espionage malware issues self-destruct command
- NPR: How 'Flame' Malware Hijacks A Computer
- Ars Technica: Microsoft contains Flame with Windows Update revamp
- Wired: Researchers Connect Flame to US-Israel Stuxnet Attack
- Ars Technica: Discovery of new "zero-day" exploit links developers of Stuxnet, Flame
- Forbes: New Research Shows Flame Malware Was Almost Certainly A U.S. Or Israeli Creation
- Ars Technica: Microsoft overhauls certificate management in response to Flame PKI hack
- Forbes: To Spy On Offline Computers, Flame Malware Was Designed To Turn Humans Into 'Data Mules'
- Ars Technica: Flame's crypto attack may have needed $200,000 worth of compute power
- Forbes: New Grad Looking For a Job? Pentagon Contractors Post Openings For Black-Hat Hackers
- Network World: Stuxnet cyberattack by US a 'destabilizing and dangerous' course of action, security expert Bruce Schneier says
- Washington Post: U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say
- Ars Technica: Confirmed: Flame created by US and Israel to slow Iranian nuke program