
Flame on! “Flame” cyberespionage from a nation state

The Kaspersky Lab researchers who discovered the Flame worm have called it “the most sophisticated cyberweapon yet unleashed.” The malware, which may have been present on targeted computers for at least FIVE YEARS (the first CONFIRMED report of Flame was in 2010, but some evidence suggests that it has been around at least since 2007), has the ability to steal data, eavesdrop on conversations, and take screen captures of the exchanges of instant messages. I will not attempt to detail the findings on the Flame malware, but I direct you to an excellent FAQ from CNET’s Elinor Mills on the subject, written after a CNET interview with Roel Schouwenberg, a senior researcher at Kaspersky.

Flame is a very sophisticated attack toolkit that leaves a backdoor or Trojan on infected computers and also can propagate itself through a local network like a worm does. Kaspersky suspects, but has not yet proved, that Flame uses a critical Windows vulnerability. According to the Mills article:

Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. There are about 20 modules that have been discovered and researchers are looking into what they all do. The package of modules comprises nearly 20 megabytes, over 3,000 lines of code, and includes libraries for compression, database manipulation, multiple methods of encryption, and batch scripting.

There are multiple versions of Flame in the wild, which have communicated with as many as 80 different command-and-control computers. :-) Nice, huh? A technical analysis from Kaspersky is here, McAfee’s technical blog post is here, and a report from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics refers to the threat as “sKyWIper.”

The McAfee blog post notes:

The main module has been decompiled to about 650,000 lines of C code.

Yes, you read that number right.

Kaspersky Lab notes:

“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.”

Flame spreads in a number of ways within a network: via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. :-)

The Mills article continues:

Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. “Clearly it’s another multimillion-dollar project with government funding, so one of the top priorities has been stealth,” Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn’t look malicious at first glance. “Flame authors have adopted the concept of hiding in plain sight,” he said. Because Flame doesn’t use a rootkit technology, free anti-rootkit tools won’t be able to detect it. “Finding it is going to be more complicated,” according to Schouwenberg.

Flame has infected fully-patched Windows 7 systems and is 20 times larger than Stuxnet! :-)

The highest proportion of infections are in Iran, followed by “Israel/Palestine,” Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in “the Palestinian West Bank, Hungary, Iran and Lebanon.” “With Flame, we haven’t been able to say what binds all the targets together other than that they are in the same geographical region,” Schouwenberg said. “We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don’t know what type of data has been stolen.” Victims include educational institutions, state-related organizations and individuals.

Elinor Mills has MUCH more in her FAQ. If the information above has not “grabbed you” yet, you obviously do not enjoy spy novels as much as I do. :-)

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”
