Over the holiday weekend, security researchers started buzzing about a new piece of malware discovered in Iran. As the firms dig deeper into the code, speculation has caused a flood of sensationalistic headlines in the news. Is all the hype worth it?
Flame (a.k.a. Flamer or SkyWIper) gained traction after Iran’s CERT (MAHER) identified it as the source of a series of cyber attacks against their energy sector. As such, they called it a direct continuation of the Stuxnet and Duqu attacks.
Additional information, in the form of a massive report from CrySys Lab [PDF], a Hungarian security team, outlined the operational features of Flame, including the ability to scan network resources, copy information and transmit it to a pre-determined source, AV detection (it scans for more than 100 security applications), and propagation via USB or LAN.
Flame appears to have remained hidden for some time, going undetected since its development in 2010. However, Webroot, another security firm working on better understanding its mechanics, said that they were detecting it as early as 2007.
Moreover, the fact that it can infect Windows XP, Vista, and Windows 7 platforms has led some researchers to speculate that an unknown vulnerability is being exploited in the wild.
“Analysis shows this to be an extremely stealth-like attack that appears to be benign, however deeper inspection reveals cleverly concealed malicious functionality,” Symantec said in a statement.
“The threat may also have the ability to leverage multiple known and patched vulnerabilities in Microsoft Windows, in order to spread across a network.”
To date, Flame has been detected in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. The purpose, yet another throwback to Stuxnet and Duqu, is to collect information on the operations within the areas where it was discovered.
Major security firms such as Kaspersky, Symantec, and McAfee published their individual initial findings on Monday, mostly reaching the same conclusion: Flame appears to be a directed weapon, and according to Kaspersky Labs, it is “one of the most complex threats ever discovered.”
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” Eugene Kaspersky said in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
So is all the hype around Flame worth it? Not according to Marcus Carey, a security researcher for Rapid 7, who is not only skeptical about the “worst ever” claims being made about Flame, but is also hesitant to buy into the claims that it is state-sponsored malware.
“This new ‘discovery’ shouldn't change the day-to-day lives of security operations professionals,” he said.
“None of the methods of this malware are particularly new. I've seen an emphasis on Lua being something that makes this exploit kit something new, but the fact is that penetration testers have been using tools that heavily leverage the Lua programming language for the last couple of years. In software development it is common to re-use software to meet various goals. It doesn't make much sense to re-invent the wheel, so attackers, including 'state sponsored' use readily-available exploits and frameworks to meet their objectives.”
Another disturbing trend he has observed is the emphasis on whether a zero-day vulnerability is being used by Flame. The question that needs to be asked, he explained, is whether the tool works. “Effectiveness is the only thing that matters,” he said.
Size is not an indication of advancement either. Another aspect of Flame that has been discussed in the current news cycle is the size of the malware itself – 20MB. It is likely the largest malware sample on record with such a sinister ethos.
“Peiter Zatko of DARPA constantly reminds us that the average malware contains 125 lines of code, so I guess that anything beyond that is advanced,” Carey commented.