Global wave of Flame cyber attacks called staggering

May 28, 2012 by Nancy Owano

(Phys.org) -- Kaspersky Lab has discovered complex malware that has been in operation for at least five years, collecting data from countries including both Israel and Iran. Kaspersky experts think the masterminds are state-sponsored but have stopped short of naming an exact origin. The malicious program is detected as Worm.Win32.Flame by Kaspersky Lab's security products. The UN International Telecommunication Union has worked with Kaspersky Lab in the investigation, which finds that individuals, businesses, academic institutions and government systems have been hit. The total number of targets is an estimated 600.

Iran has acknowledged Flame as a source of incidents. Iran's National Computer Emergency Response Team has posted a security alert stating that Flame is behind recent incidents of data loss. Other countries affected by the attack are , Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Flame is considered extraordinary. Move over Stuxnet, which struck . Step aside Wiper, deleting information in Western Asia. Later for Duqu, infiltrating networks to steal data. This is called "one of the most complex threats ever discovered," according to . Flame is a backdoor and a Trojan, and it has worm-like features: on command it can replicate across a local network and onto removable media. Kaspersky's chief malware expert, Vitaly Kamluk, explains that Flame siphons off sensitive information by sniffing network traffic, taking screenshots, recording audio conversations via the microphone, intercepting keystrokes, and then compressing the collected data and sending it back to the attacker. Once the initial Flame malware has infected a machine, further modules can be added to perform specific tasks, much as apps are added to a smartphone. Kamluk says he is convinced this is sophisticated work enabled by "nation-state" sponsorship.

The malware code is 20 times larger than Stuxnet. The Flame package of modules is reported as huge, at 20MB when fully deployed. Flame is large because of what it bundles: libraries for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a virtual machine for the Lua scripting language. According to Kaspersky Lab, much of Flame's high-level logic is written in Lua, with the attack subroutines and supporting libraries compiled from C++.

One computing professor from the University of Surrey sees no reason not to agree with Kaspersky that Flame is massive, complex, and unusual. Prof. Alan Woodward said that, like Stuxnet, Flame can be spread by USB stick, but that it has "very unusual" data-stealing features. He likens the Flame malware to an industrial vacuum cleaner; it reaches out to any Bluetooth-enabled device nearby, for example. Flame is an extremely advanced attack, he said, and "is more like a toolkit for compiling different code-based weapons than a single tool."

Aleks Gostev, Kaspersky's chief security expert, said that Flame "redefines the notion of cyberwar and cyberespionage." He said that the malware was still stealing data: "One of the most alarming facts is that the cyber attack campaign is currently in its active phase, and its operator is consistently surveying infected systems."

More information: www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

User comments: 28

Skepticus
3.7 / 5 (6) May 28, 2012
I am writing to J.K. Rowling for recommendation for a good owl.
kaasinees
2.3 / 5 (9) May 28, 2012
For mac and windows?
bottomlesssoul
1.8 / 5 (5) May 28, 2012
It doesn't take a national effort to write code like this. A single educated and determined author could do this in a few years. I bet the group that authored this is <10. Praise be to the amazing library of open source software one determined foe is like 10,000 authors.
TheGhostofOtto1923
2 / 5 (4) May 28, 2012
This reminds me - remember those anonymous guys? Whatever happened to them? Hard to be mischievous from a prison cell I guess.

Maybe they all got flamed.
Vendicar_Decarian
2.1 / 5 (7) May 28, 2012
The total number of targets is an estimated 600.

"It doesn't take a national effort to write code like this" - Foofie la poofie

pres68y
1 / 5 (2) May 28, 2012
If this secret "Flame" code has been detected, how did they get the source code for it? The article shows source code. Unless Kaspersky wrote it they could only see the object (compiled) code. Something seems fishy here.. or at least worm like. :-)
dub1
1 / 5 (1) May 28, 2012
@ pres68y, Kaspersky 'got' stuxnet and duqu as well. They seem to be the only antiviral/antimalware company exposing these threats. This flame, from Kaspersky's own blog, seems older. I share your skepticism.
dub1
2.6 / 5 (5) May 28, 2012
The total number of targets is an estimated 600.

"It doesn't take a national effort to write code like this" - Foofie la poofie

Do it up yourself ace. I know, you pathetic bastard, you have a -tard for me. Think about this before you respond. You like these internets. You use them. That's all. Are you going to 6 or 7 in your name calling today?
dub1
1 / 5 (1) May 29, 2012
Multi-potential-exploits.
Norezar
3.7 / 5 (3) May 29, 2012
So an A/V company has a penchant for discovering malware and tomfoolery where nobody else has?

Totally not suspicious at all.
cyberCMDR
3.7 / 5 (3) May 29, 2012
Oh, you can trust them. They're from Russia after all.. ;-)
Vendicar_Decarian
2.4 / 5 (5) May 29, 2012
Reading is fund-a-mental.

"Many parts of Flame have high order logic written in LUA" - article

"If this secret "Flame" code has been detected, how did they get the source code for it?" - Foofie la Poufie
Vendicar_Decarian
2 / 5 (4) May 29, 2012
A mass of irrational, conflicting impulses.

"Do it up yourself ace. Iknow, you pathetic bastard, you have a -tard for me." - Dub1

"Are you going to 6 or 7 in your name calling today?" - Dub1

Logic is a wreath of pretty flowers that smell bad.

Are your circuits registering properly? Your ears are green.
rah
2 / 5 (4) May 29, 2012
Not even a hint of which state it might be? Probably not a state at all, but a country! Why would Montana (for example) do such a thing? California maybe. It sounds a bit too well executed to be the US. Chiner? Most likely, eh?
antialias_physorg
4.5 / 5 (2) May 29, 2012
This reminds me - remember those anonymous guys?

They seem to be alive and well (and active). But their internet pranks are far less sophisticated than what is reported here. This is probably one reason why they say it has to be state sponsored. Anonymous, no doubt, comprises smart hackers - but this is way beyond anything that they have fielded.

Not even a hint of which state it might be?

China? Russia? the US? Those would be my three guesses. (Though I'm not sure why the US would want to infiltrate Israel. (But that part of the news may be a ruse - so who knows?)

how did they get the source code for it?

From what I read they disassembled it.

So an A/V company has a penchant for discovering malware

Counterquestion: who else? Would you feel more confident if a state agency released these news? And why would they? First rule of spying: if you know someone is spying: don't tell them you found them!
alfie_null
5 / 5 (2) May 29, 2012
Praise be to the amazing library of open source software one determined foe is like 10,000 authors.

Ad hominem against open source? Needless to say (to most people), overwhelming amounts of good have come from it. This WWW, for instance.
Jimbaloid
5 / 5 (3) May 29, 2012
...how did they get the source code for it? The article shows source code.

I understand you were being a little 'tongue in cheek' about this, but anyway, the source shown is a bit of LUA script and the article explains that Flame has LUA support. So the code shown will have already been in source form (a script), possibly encrypted, maybe even as plain text.
antialias_physorg
not rated yet May 29, 2012
You're right...just checked the documentation for the LUA scripting language and that does indeed look like it.
mistermixvegas
1 / 5 (1) May 29, 2012
F.l.a.m.e.

Furious Lover Against Middle East

I guess :)
gwrede
1 / 5 (1) May 29, 2012
China? Russia? the US? Those would be my three guesses. (Though I'm not sure why the US would want to infiltrate Israel. (But that part of the news may be a ruse - so who knows?)
Agreed. And of these, I don't think China cares what's going on in the Middle East. Russia is trying to be non-aversive against them. So that leaves the U.S.

The U.S. have a long and persistent history of espionage and covert operations. Their three-letter bureaus have easily the resources. No other country harbors enough interest in some men walking around in sand in their bathrobes. -- Except Israel.

While I have nothing against the Jews I know, I really think Israel as a country certainly is ruthless, remorseless, unscrupulous and has the technology and human resources for this kind of activity. And, they certainly would use Flame "against themselves" as a ruse. No question.

Why Kaspersky? Because they're not afraid of a half-dozen black SUVs arriving, they know Yanks wouldn't dare inside Russia.
Skepticus
3.7 / 5 (3) May 29, 2012
While I have nothing against the Jews I know, I really think Israel as a country certainly is ruthless, remorseless, unscrupulous and has the technology and human resources for this kind of activity. And, they certainly would use Flame "against themselves" as a ruse. No question.

Count yourself lucky that you didn't get anything more explosively damaging than a 1 rating on P.O when you question the sanctity of God's chosen representative.
kaasinees
2 / 5 (4) May 29, 2012
Anonymous, no doubt, comprises smart hackers - but this is way beyond anything that they have fielded.

Anonymous is an idea, not a group of which you can say what it comprises; anyone can be anonymous.
Also, smart hackers? Most of these people are wannabe script kiddies. Sure they are "smarter" than the average person and there might be a small group of people who actually know what they are doing and program a few tools.
That is how the amateur "hacker" scene works on the internet anyway. I wrote a few tools for "hacker" forums myself. Also made a few trojans to spy on some people, hacked a few games that were packed and virtualized. It's not that hard to do for a real computer scientist, but most of them aren't and have no clue about anything.
gwrede
3 / 5 (2) Jun 02, 2012
Seems I was right, if we assume Stuxnet and Flame are from the same source, which makes sense.

PhysOrg writes it was the U.S. and Israel, together.
TheGhostofOtto1923
1 / 5 (1) Jun 02, 2012
Anonymous is an idea not a group which you can say what it comprises of, anyone can be anonymous.
No, most likely it was a funnel for enticing troublemakers (like you maybe?) and getting them to expose themselves so they could be neutralized and/or put to good use while learning a great deal about offense and defense. This is only prudent.
kaasinees
2 / 5 (4) Jun 02, 2012
Anonymous is an idea not a group which you can say what it comprises of, anyone can be anonymous.
No, most likely it was a funnel for enticing troublemakers (like you maybe?) and getting them to expose themselves so they could be neutralized and/or put to good use while learning a great deal about offense and defense. This is only prudent.

And what makes you think I am a trouble maker?
Anonymous are mostly amateurs; people who can actually write hacking tools don't easily go to such people.
It's common sense that these kinds of places are monitored actively by the FBI and CIA.
Vendicar_Decarian
1 / 5 (1) Jun 03, 2012
F.l.a.m.e. = Filthy Lowlife AMEricans.
Husky
not rated yet Jun 03, 2012
Not surprised victims were found to be in Israel as well; it could have been some "in house" testing before you throw it into the wild. Also there could be some Watergate scandal brewing in Israel: if you have a tool to spy on the Arabs and the Persians, why not use it to spy on opponent political parties as well? And Russia has its own political agenda for exposing these probable us-isr cyberweapons.
Husky
not rated yet Jun 03, 2012
Flame could refer to the burning bush that God used as a proxy server to talk to Moses, but I am sure explanations could be made up to tie it to the Chinese or even Paraguys for that matter.

Anyway, it's very common that programmers, despite encrypting their stuff, cannot help but put some Easter egg or cryptic credits in there.
