New Alarm Bells, And Old Questions, About The Flame Virus And Cyber-War

Doug Bernard | Washington DC

There’s a new Big Bad lurking out there on the Internet, and it goes by the name of “Flame.” But what we don’t know about it may be more important than what we do.

Tuesday morning, computer security analysts around the world woke to startling news. Namely, that the “Flame” infection has been stalking targets in the Middle East since at least 2010 (and possibly earlier) and only now uncovered. Worse, as malware goes, “Flame” is pretty ugly.

Now as a general rule, a new computer virus these days hardly counts as news. Websites and data centers the world over are routinely probed, hacked, infected or otherwise damaged amid a rising tide of computer espionage and Internet piracy. But from the earliest announcement late on Monday May 28 by Kaspersky Labs – the security firm that first uncovered the bug – one had the sense that Flame was different.

A Departmenf of Homeland Security official at work at the cyber defense command center (AP Photo/Mark J. Terrill)

“Flame can easily be described as one of the most complex threats ever discovered,” writes Aleks with Kaspersky Labs.  “It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”

“The complexity and functionality of the newly discovered malicious programme exceed those of all other cyber menaces known to date,” said Mario Obiso of the UN International Telecommunications Union (or ITU) issuing that organization’s most serious warning they have ever put out about a computer virus.

“The recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat,” read the stiff statement from Iran’s National Computer Emergency Response Team, unusual both for its candor and speed.

Analysts and reporters quickly piled on. “The most lethal cyber-weapon to date” cried one. “An industrial vacuum cleaner,” said another. Within hours of the first announcement, the Internet was filling up with dire warnings about Flame and what it may do.

Yet despite the alarm bells, there’s still much unknown about Flame. Specifically, what does it really do? Who released it into the digital environment, and more importantly, is it really a cyber-weapon?

What We Know, And When We Knew It

A section of Flame's coding, where it boldly identifies itself and what it's doing (courtesy Kasperky Labs)

Flame – technically known as Worm.Win32.Flame – is being called a virus, but Kaspersky’s Aleks says that’s not quite accurate. In reality Flame is what’s called a toolkit – a sophisticated bag of commands and subroutines all designed to infiltrate a computer at its deepest processes. “It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master,” he writes.

Flame was actually found by accident when the UN ITU began a hunt for another virus, nicknamed “sKyWIper,” or Wiper for short. The Wiper bug does just one thing – completely erasing and immobilizing an infected computer – but it does it so well it erases any signs of itself or its transmission path. Researchers at Hungary’s University of Technology and Economics, working along side Kaspersky researchers, found Flame while hunting for Wiper, which still remains at large.

Targeting Windows XP, Vista and 7 systems, Flame is unlike other recent high-profile viruses like Stuxnet or DuQu in several respects. First, its architecture is completely different, as is its base coding language. Second, while Stuxnet was engineered to target specific industrial command and control systems, often called SCADA, Flame appears to be much less discriminating, infecting computers large and small, industrial and otherwise. Third, while both Stuxnet and Flame may have used the same path to enter systems – a security flaw known as the “print-spooler vulnerability” – Stuxnet (and DuQu) worked as quietly as possible while Flame was downright chatty, communicating and updating regularly with a large network of external control computers.

Flame is also huge, in some cases nearing 20 Mb in size, and capable of evolving different functions, or even shutting itself down on computers apparently deemed “uninteresting” to its hidden commanders, according to Kaspersky. (Also unlike other infections, Flame appears to be an attention hog, getting its name from specific command modules so-named right inside its code.)

But in one respect, Flame looks very familiar to Stuxnet and DuQu: it seems to have a specific preference for computers in the Middle East. Specifically, Iran, the Palestinian territories, Sudan and Syria appear to be its preferred targets, with Iran accounting for 49% of all documented infections. It’s a reasonable assumption that Flame is somehow connected to Iran’s recent decision to cut off all Internet access to and from its main oil facility at Kharg Island.

How such a large and constantly mutating bug remained undetected for so long is not yet clear. What is certain is what Flame can do, and it’s pretty impressive.

Through its various subcommand routines, Flame sucks up vast amounts of information, communicating it back to unknown sources. It can log keystrokes, grab screen-shots, peruse and copy sensitive documents and even sniff out nearby devices connected to the infected computer via BlueTooth. If a computer has a built-in microphone (as many do these days) it can also secretly record conversations occurring nearby, compressing those files and sending them back to its hidden home base. And if an infected computer fails to contain anything interesting, Flame essentially hunts out new computers to sniff out.

In short, Flame is like embedding a spy on a computer – a spy in constant contact with headquarters.

While much is known about Flame’s coding, no-one as yet has taken responsibility for releasing it; a completely unsurprising development. But fingers are already pointing; many of them at Israel and/or the United States, which were both rumored to have helped develop Stuxnet back in 2010. Those rumors were further stoked by comments from Israeli vice premier Moshe Ya’alon, who said in an interview “whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them.” For their part, authorities in Iran say they are well on their way to rooting out and eliminating Flame from all infected computers.

Map showing Flame's known targets; note that Iran constitutes nearly 50% of all infections (courtesy Kaspersky Labs)

Espionage or Cyber-War?

There’s no doubt that Flame is nasty; it’s hoovered up an untold amount of email, documents, passwords, classified information and conversations, and the number of computers actually infected is still uncertain. But a debate is now reheating over what Flame actually is, and the important difference between tools of digital espionage and full fledged cyber-weapons.

Kaspersky initially called Flame a “cyber-weapon” in its communications. However, in more recent tweets it backed off that charge, referring to Flame as “professionally designed to carry out cyber espionage.”

“I’m beginning to wonder what’s going on over at Kaspersky Labs,” writes analyst Jeffrey Carr. “Come on, guys. You’ve done some terrific research in the past with DuQu. Now all of a sudden, it seems like you’ve become evangelists for a Russian government strategy to raise the stakes in cyber war rhetoric.” [Ed note: Kaspersky is based in Russia.]

Carr is a longtime cyber security analyst, founder of the security firm Taia Global, and author of the authoritative book “Inside Cyber Warfare.”  He and others are working to draw sharp distinctions between the tools of digital spying and hacking, and the language of warfare (you can read much more about the difference in a recent post, “The Coming Cyber War With Iran?“) “Espionage is not warfare and never has been,” he says. “Hence a tool created solely to conduct cyber espionage cannot also be legitimately called a cyber weapon.”

Others are joining in on hitting the “cyber-weapon” brakes; among them are one of Kaspersky’s professional rivals, the computer security firm Webroot. Vice President Joe Jaroch says there’s very little new about Flame that researchers haven’t known since 2007. Says Jaroch, it’s just that Flame bundled together a grab-bag of espionage tricks into one oversized package. “Flame would be easy to discover for multiple elements of an intrusion defense system, so if a nation-state was behind it, they clearly didn’t plan it well or want it to actually work,” he tells TechNewsWorld.

It’s a sure bet that Flame won’t be the last computer bug found sneaking through the Internet, just as there will only be more digitally-created malware targeting specific countries, industries or people. Whether Flame further boils an already unsettled region, however, is anyone’s guess.