Flame: Towering Inferno or Smoke and Mirrors?
May 31, 2012 11:43 AM PT
For all the ruckus raised by security software vendors, it's unclear whether the Flame malware, which has mainly hit computers in Iran, is a cause for major concern or something of a dud.
Yes, it has been around for several years and has hit computers in Iran, Lebanon, Syria, Sudan and other countries in the Middle East and North Africa. But its total tally is about 1,000 or so infected systems, according to Kaspersky Lab. Compare that with the millions infected by the Conficker worm, for example.
And yes, it consists of hundreds of thousands of lines of code and is 20 times larger than the Stuxnet worm that hit systems in Iran's nuclear program.
However, "using 20 times more code than Stuxnet doesn't necessarily mean that it's 20 times stronger," Joe Jaroch, vice president of endpoint solutions engineering at Webroot, told TechNewsWorld.
There are reports that Flame was launched by Israel against other nations the Middle East, Israeli officials denied that allegation.
And how serious could malware that's written in Lua -- the programming language used for games like "Angry Birds" -- really be?
The sheer size of Flame is staggering. The main module has about 650,000 lines of C code, possibly extending to 750,000, McAfee suggests. That doesn't include the code in the other modules.
When the code has an interesting string, it encapsulates the information in a sealed function, further bloating the code and making it more difficult to read, McAfee said. In computer programming, a string is a sequence of characters.
Flame's functions include low-level disk-access parsing, ZIP file parsing, the parsing of documents in Microsoft Office formats and PDF documents, a capability to search hidden places within an infected computer's system, and the ability to remotely spread itself within a network domain. It's interested in mobile devices. Its Beetlejuice module discovers Bluetooth devices and looks for contacts in the target's social network on Sony and Nokia devices, according to McAfee.
The malware silently fires up extra instances of Internet Explorer and injects code into them to send information back to its command and control servers, McAfee said. This lets it function as part of a trusted process on infected computers, letting it circumvent personal firewalls.
Lua is a lightweight multi-paradigm programming language designed as a scripting language. It is cross-platform and has a relatively simple C application programming interface. It was designed to be used by people who were not professional programmers.
Lua has many semantic similarities with Scheme, a dialect of LISP whose influence on Lua has grown over time. However, the two languages are syntactically very different.
As a multi-paradigm language, Lua provides a small set of general features that can be extended to fit different problem types. Lua's virtual machine is register-based like Perl's Parrot and Android's Dalvik.
Burn, Baby Burn?
However, Flame also has characteristics that put security researchers on edge.
Flame has apparently been around for much longer than first believed. "We first saw this threat in Europe on Dec. 5, 2007, followed by further use in the United Arab Emirates in 2008 and the Islamic Republic of Iran in 2010," Webroot's Jaroch said. "Like many threats, this can function anywhere, and anyone can become a victim."
The fact that it's been around for so long makes security experts nervous.
"If it's been there, functioning as a remote access Trojan for years, then you don't know what it may have been a conduit for," Roger Thompson, chief emerging threats researcher at ICSA Labs, told TechNewsWorld. "For example, it could be used to introduce something like Stuxnet or Duqu."
Flame appears to be a mess of different modules all bundled and held together with a cyber-BandAid, and that's one of the problems it poses to security experts. "In the cold hard light of day, it could be viewed as a huge clunky mess, or maybe not," Thompson said.