Flame malware, from genesis to the plot theory

Pierluigi Paganini May 30, 2012

In this article I desire to discuss about many personal doubts and beliefs regarding the Flame malware, first my idea that we are facing with a new powerful cyber weapon.

In the same hours  the Iranian Computer Emergency Response Team Coordination CenterLab,   CrySyS Lab and Kaspersky Lab have published news regarding the new malware that has been detected and that have hit mainly Windows systems of Middle East area, specifically the Iran.

This first information let me think that behind the development of what has been defined “very sophisticated cyber weapon” there is Israel or a Western Country.

Moshe Ya’alon, Israel’s vice premier,rejects every accusation by defining speculation the news that indicate Israel as responsible. But this is a story already seen in the Stuxnet case, all denied meanwhile intelligence and military experts have reported that Stuxnet was tested at the Dimona nuclear complex in Israel in a joint U.S.-Israeli effort to undermine the Iranian program.

“Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them.”

Richard Silverstein on Israel’s liberal Tikun Olam Web site under the headline “The country that brought us Iranian nuclear assassinations, explosions at Iran missile bases, and Stuxnet, is at it again,” wrote :

“Israel’s new contribution to Middle East cyberwar.”

“The goal is apparently to infiltrate the computers of individuals in Iran, Israel, Palestine and elsewhere who are engaged in activities that interest Israel’s secret police, including military intelligence,”

suggesting Israeli intelligence might even be using the worm to spy on its own citizens.

I define erroneously the malware as “new”, but the experts are convinced that it is datable to 2010, exactly the same period of the predecessor Stuxnet. Both malware appear to be very dangerous cyber threats but the complexity of Flame has no precedents.

Genesis of malware

This first information let and arouses many questions, why two malware so innovative and profoundly different, circulated in the same period to hit Iran?

The researchers of the several teams that are investigating on the discovery believe that the two agents were developed by different groups of experts with completely different development techniques and related to totally different projects. Flame is considered more complex due its intelligence features, but both are modular software.

I have hypothesized the following scenarios:

  • Two separate development groups sponsored by hostile governments have decided to adopt a cyber military option, to steal information of the target and in a second phase attack it.
  • The same government or coalition of states has decided to unleash a powerful attack against Iran’s nuclear program, attacking on several fronts the country with Stuxnet as a powerful distraction to keep hidden over time agents such as Duqu and the new Flame that could be used for information gathering but also ready to became attacks

Viewing the source code

Very interesting is the composition of the Flame source code, written in C++ and Lua, that has been published on different web site.  The total size of the package is almost 20 MB including many different libraries and a LUA virtual machine.

The size is really significant for a malware, and it justified by the large number of features provided, but how is it possible that an agent of this size has eluded so many years the leading manufacturers of security systems?

Why has been used Lua and which info can we derive from its usage?

To the first question I have no answers, personally I believe it’s incredible how long the malware has been invisible to the security word. For at least two years experts from around the world, following the Stuxnet case, have failed to isolate the malware despite the world community was on alert. The malware as we shall soon was recognized as a powerful tool for cyber espionage, unusual in its composition by size and complexity, qualities that would make it extremely noisy. Consider also that the antivirus industry evolves daily to respond to cyber threats, however Flame malware remained transparent to them, a sign that it has changed over time with security systems, remains lawful why do not we have heard about it before.

Regarding Lua, its usage let me believe that the developer have great skill, the choice of the scripting language is mainly motivated by the following factors:

  • Complete portability of the source code and simple integration with C and C++ languages.
  • It is a dynamic programming language.
  • The Lua virtual machine is extremely compact, less of 200Kb.

All this characteristics let me thing that we are facing with an ongoing project, open to the development of new module, maybe with offensive purpose, and portable, this means that in the future it will be available new offensive modules that could address different platform, not only Windows machines.

Response of Security Firms and antivirus supplier

Despite the complexity of the agent, the principal antivirus supplier have immediately worked to the development of a removal kit,  Bitdefender released a tool to find and remove the Flamer attack toolkit (Download the 32-bit or the 64-bit removal tools).

Catalin Cosoi Bitdefender’s Chief Security Researcher declared:

“Flamer is the scariest cyber espionage tool we’ve yet seen. It goes places where other spyware doesn’t go, retrieves information others don’t retrieve, and ensures the infected computer has no privacy whatsoever,”

“Luckily, the Bitdefender removal tool makes it easy to eliminate from your computer.”

Rumors of a plot

According to some experts the announcement of the malware detection was first provided by Kaspersky Lab researchers but Iran claims the discovery, anyway ready was the response of the leading manufacturers of security systems. This information together with the one related to malware dating on 2010, would be to think that the majors security companies were aware of the project Flame and have been silent for agreements with Western governments. Just in the last months Western countries have decided to suspend the supply of antivirus systems to Iran for penalty forcing the country to develop its own antivirus system, maybe this development has rapidly brought to the discovery of the agent. If confirmed why the antivirus companies haven’t detected it before? Is it a coincidence?

As Kaspersky team declared the malware is datable on 2010 and it has been isolated only in Middle East area, no incidents have been reported to western critical infrastructures.

Why the cyber threat hasn’t impacted worldwide infrastructures in the last couple of years?

The possible impact on critical infrastructures

Now that the malware has been detected is correctly started a global alert on its possible impact on critical infrastructures. Flame is a powerful cyber espionage toolkit that could steal sensible information and that thank to its modularity could be instructed to attacks victims systems.

According the Reuters agency an United Nations (UN) agency official has expressed him concerns regarding the impact of the malware on critical infrastructures of member states. UN will provide a detailed alert on the cyber threat and the International Telecommunications Union (ITU) will also coordinate collection of virus samples.

“This is the most serious (cyber) warning we have ever put out,” said Marco Obiso, cyber security coordinator for the U.N.’s Geneva-based International Telecommunications Union.

“They should be on alert,”

Has Flame a direct impact on SCADA and ICS systems?

According to official reports, none of the instances identified shall be able to attack industrial control systems, however, concern is high due the complexity of the malware that could allow the agent to change its behavior simply by integrating a module written for the purpose. At this time Flame is a powerful tool for information gathering, there is no evidence that it has components to attack SCADA or ICS, this particular makes more similar it to Duqu that is known to steal information rather than destroying equipments.
The scalability of the malware is not something new, let’s remind a similar features in Stuxnet and Duqu.  Symantec reported that Flame appears to be the same worm that hit the Iranian Oil Ministry during the last weeks impacting its facilities at the Kharg Island terminal.

The cyber war is reality

Pierluigi Paganini


you might also like

leave a comment