Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembled Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with it’s “advanced features and complexity”.
But looking at the malware’s features disclosed by Iran’s CERT team, it doesn’t seem very game stopping:
- Distribution via removable medias
- Distribution through local networks
- Network sniffing, detecting network resources and collecting lists of vulnerable passwords
- Scanning the disk of infected system looking for specific extensions and contents
- Creating series of user’s screen captures when some specific processes or windows are active
- Using the infected system’s attached microphone to record the environment sounds
- Transferring saved data to control servers
- Using more than 10 domains as C&C servers
- Establishment of secure connection with C&C servers through SSH and HTTPS protocols
- Bypassing tens of known antiviruses, anti malware and other security software
- Capable of infecting Windows Xp, Vista and 7 operating systems
- Infecting large scale local networks
All of these “threats” have been seen before. I especially liked the “bypassing tens of known anti-viruses…” line.
But there are several features that do set “Flame” apart from the pack. First of all the malware is very large, a whopping 20MB. Also, it contains several files and seems to be able to attack using swappable modules. But there is more.
According to an article on The Register, Flame has the following features:
- It has been active for at least 2 years, but possibly 5-8 years
- Contains exploits for known and fixed vulnerabilities
- Uses open source libraries
- Uses a SQLlite database
- Uses some Scripts written in Lua (of Angry Birds fame)
All the big name security companies that have analyzed it seem to agree that with it’s complexity, it was most likely written by a Nation State and not individuals or small groups.
The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.
As according to Symantec:
“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”
I am not sure of it’s “CyberWeapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.