Flame: Klunky Primate of the Next Stage of Evolution of Advanced Malware
This week the security blogs have been abuzz about Flame, the newly discovered malware that appears to be geographically targeted at Iran, Lebanon, Syria, Sudan, and other countries in the Middle East and North Africa. Security analysts are infatuated by the “massive, highly sophisticated piece of malware”, and are likening it to Stuxnet and DuQu.
I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a klunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny.
In fact, IBM’s X-Force analysis concludes that, “At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.”
Stuxnet was a new breed of threat, created as a cyber weapon to serve the goals of a government or alliance. It was sophisticated and keenly targeted. DuQu was a cousin with a slightly different purpose, to gather intelligence, although it was still aimed at industrial control systems. Flame does not appear to share the same code base and is not targeted at any particular industry. You can read all about its capability to capture screenshots, turn on the microphone or video camera on computers and laptops, and other features elsewhere; there’s no need to clutter up the internet with redundant descriptions.
Flame may not share the same ancestry, but it’s just another piece of malware with a primary purpose of cyber espionage. It also looks like it’s extendable via plug-ins. When you gather all the modules that comprise Flame, it encompasses 20 megabytes. Stuxnet, by comparison, was one-half of a megabyte. In many cases software goes through an optimization stage in its development, particularly for drivers, for code that has strict performance or size requirements, or for other specialized runtime requirements such as stealth. Stuxnet and DuQu were compact and efficient; Flame, although it has a broader purpose, most likely has not been subjected to a rigorous optimization effort. This suggests a general-purpose application rather than a targeted weapon. So maybe the cyber criminals have taken a lesson from Stuxnet, and Flame is intended for black-market hire like most botnets, with plug-ins tailored for all sorts of nefarious objectives.
Flame was discovered almost two years after Stuxnet, but there’s speculation that they may have been under development in parallel. Files with the same names as those found in Flame were discovered on machines as early as December 2007 and April 2008. There are many possible relationships between Stuxnet and Flame that begin before the public became aware of either. There are underground forums for malware developers, and it’s entirely possible that the architects of both Stuxnet and Flame frequented those venues, where the ideas for both were sparked, perhaps in tandem, or they may have collaborated on challenges as anonymous peers with one effort predating the other.
Regardless of their possibly divergent parentage (a government project versus a framework for cyber crime), their development timeline, and their narrow or broad purposes, Flame is not a game-changer. We learned the lessons from Stuxnet, and they apply directly to Flame. It’s a good reminder that DuQu wasn’t the last of its kind, but now it’s time to carry on, albeit with a newly heightened sense of awareness, and get back to business.