Rik Ferguson, Trend Micro: Fighting the Flames
May 2012 by Rik Ferguson, Trend Micro
I work closely with the Marketing and PR folks here at Trend Micro and I know that whenever we have a significant or noteworthy piece of research to break, their first question will be, “Can we say is the first, biggest, worst, etc?“. In almost every case, the answer is “No“, in fact I can only think of one exception in recent years.
I’m sure the situation is similar at the other global security vendors, but it appears that some are less stoic in their resistance of the headline lure. Eugene Kaspersky, who appeared to relish being called a “glorious global megatroll” last week, is certainly renowned for courting controversy.
Last weekend, the news began to break about a complex piece of malware known variously as Flame/Flamer/SkyWiper which was immediately being touted as the most sophisticated malware ever. The ITU at the UN released what they describe as “the most serious warning we have ever put out”, (although not apparently serious enough to feature on their web site). This claim was supported by statements that Flame is ”20 times more complicated [than Stuxnet]. It will take us 10 years to fully understand everything“, a top-of-the-head metric that seems a little shaky to me. Symantec have even likened it to “an atomic weapon“.
I was called by a journalist yesterday whose first question to me was “So what makes this threat so unique?“, and honestly it was tough to find an answer with which I was comfortable. That, combined with the global hyperbole-fest meant that I woke up this morning compelled to write this post.
The functionalities and characteristics that are reported about Flame are things such as its precise geographical targeting, the modular nature of the code (different functional modules can be “plugged in” to an infected device as required, its ability to use local hardware such as microphones, log keystrokes and record on screen activity. The fact that it is targeted in the Middle East and that it uses a specific autorun vulnerability are apparently enough to justify making links between Flame and Stuxnet!
Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye, Carberp is another great example of modular information stealing Trojan. In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT. Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new, have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics.
So what are we left with? A big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself. The malware uses Lua, that’s unique in malware terms I guess but not something that elevates the inherent risk. Flame does have Bluetooth functionality though… Oh and in the interest of semantics, it’s not a weapon, it’s a tool.