If you think Stuxnet and Duqu were bad, then brace yourself for the meanest of the bunch. A new piece of malware has been discovered by Kaspersky Lab, and it’s the most dangerous one yet.
Say hello to Flame, a complex piece of malware which has been found infecting computers in the Middle East as well as other computers worldwide. It is believed to be part of a campaign to perform cyber espionage in different parts of the globe. Flame is a very complex toolkit, more sophisticated than both Stuxnet and Duqu combined. The malware is both a backdoor and a Trojan, while also having worm-like features. What’s interesting about this specific malware is its size. Regular malware is usually small – Stuxnet was just 500KB – so that it can hide easily, but Flame is a massive 20MB, which might have made it harder to detect precisely because analysts were looking for something small. Its size is due to the many libraries and modules it contains to handle SSL traffic, SSH connections, and other tasks.
Also interesting is the fact that there doesn’t seem to be any specific target for this malware; instead it infects computers across many different sectors, including education, private companies, and specific individuals. Kaspersky has yet to confirm whether Flame is connected with Stuxnet and its sister Duqu, which were both made by a nation-state team using the “Tilded” platform. The possibility seems low, mainly because Flame has no similarity with the two in design, functionality, or framework.
Flame does have two remarkable similarities with Stuxnet in its ability to infect USB sticks: 1) the Autorun Infector using shell32.dll, which was only seen in Stuxnet and never again in other malware until now, and 2) Euphoria, which spreads through removable media using a “junction point” directory. Whether these similarities will end up connecting the two pieces of malware, only time and further research will tell. Flame, however, does not replicate automatically, unlike Stuxnet. Flame’s spreading mechanism is turned off by default and has to be switched on by the attacker before it can spread.
Due to its massive size, Kaspersky’s experts estimate that their analysis of Flame will take about ten years before they fully understand the malware. Stuxnet’s 500KB took them six months to analyze, and with Flame being roughly 20 times that size, the analysis will take much longer.
Flame is, in essence, an espionage tool. Among its many modules is one that turns on the internal microphone of an infected computer to record audio conversations happening through programs like Skype, or even conversations taking place around the computer. Another module turns Bluetooth-enabled computers into a beacon, allowing the malware to scan nearby Bluetooth-enabled devices for names, contacts, and other important data. Another module takes snapshots of the computer screen every 60 minutes, with the interval becoming much shorter when the infected machine runs certain interesting applications such as instant messaging and email clients.
Whether Flame was developed in parallel with the Stuxnet/Duqu tandem or was created for a different purpose, experts have yet to find out. What is clear is that this malware was created with the backing of a nation-state interested in stealing sensitive data from a range of entities.