‘Flame’ Virus explained: How it works and who’s behind it

RT | May 29, 2012

Flame may be the most powerful computer virus in history, and a nation-state is most likely to blame for unleashing it on the World Wide Web. Kaspersky's chief malware expert Vitaly Kamlyuk shared with RT the ins and outs of Stuxnet on steroids.

Iran appears to be the primary target of the data-snatching virus that has swept through the Middle East, though other countries have also been affected. The sheer complexity of the virus and its targets has led Moscow-based Kaspersky Lab to believe a state is behind the attack.

Kaspersky first spotted the virus in 2010, though it may have been wreaking havoc on computer systems for many years. Vitaly Kamlyuk told RT how his company discovered it, just what makes Flame so significant, features of the virus that could point towards its creator, and why we all lose out in this intensifying cyber-war.

RT: So, how did you spot the malware, was it a planned investigation, or did it come by surprise?

Vitaly Kamlyuk: It was by surprise. We were initially searching for a [different form of] malware. We were aware of the malware that had spread throughout the Middle East, attacked hundreds of computers and wiped their hard drives, making the systems unbootable after that. It was actually after an inquiry from the International Telecommunications Union, which is a part of the United Nations, who actually asked us to start conducting research. When we started looking for this mysterious malware in the Middle East, we discovered this suspicious application that turned out to be even more interesting than the initial target of our search.

RT: According to one of your experts, 'Flame' does not appear to cause physical damage, so why has it been dubbed the most hazardous cyber-attack in history?

VK: It’s actually on the same level as the notoriously known Stuxnet and Duqu [attacks], because we suspect that there is a nation state behind the development of this cyber attack, and there are reasons for that. This application doesn’t fit into any of the existing groups of developed cyber attack tools. There are currently three groups. There are traditional cyber criminals who are hunting users’ data (like log-ins and passwords) to access bank accounts over the Internet and steal money, send spam, or conduct dubious attacks. This [Flame] doesn’t fit into the group of traditional cyber criminal malware. Also, it doesn’t fit into the activists’ malware, who are typically using free and open source tools to attack computers on the Internet. And the third known group [at this time] is nation-states.

RT: What makes this malware different from all other Spyware programs and what damage can it do?

VK: It’s pretty advanced – one of the most sophisticated [examples of] malware we’ve ever seen. Even its size – it’s over 20 megabytes if you sum up all the sizes of the modules that are part of the attacking toolkit. It’s very big compared to Stuxnet, which was just hundreds of kilobytes of code: it’s over 20 megabytes. And the Stuxnet analysis took us several months, so you can imagine that a full analysis of this threat may take us up to a year. So we think it is one of the most sophisticated malware [programs] out there.

It’s also quite unique in the way it steals information. It’s possible to steal different types of information with the help of this spyware tool. It can record audio if a microphone is attached to the infected system, it can do screen captures and transmit visual data. It can steal information from the input boxes when they are hidden behind asterisks, password fields; it can get information from there. Also it can scan for locally visible Bluetooth devices if there is a Bluetooth adapter attached to the local system.

RT: Is there a connection between this new cyber threat and previous large-scale virus attacks?

VK: We are trying to compare and find similarities between this development and previous [ones] of course, but there are so few of them – Stuxnet or Duqu mostly. There is no reliable relation between Stuxnet and Flame as we call it… they are completely different. Because Stuxnet was a small application developed for a particular target with the specific objective to interact with industrial control systems and break them down. And Flame is a universal attacking tool kit used mostly for cyber espionage. So there are some things that [Flame] shares in common with Stuxnet and Duqu, and these are the vulnerabilities that are used by both [types of] malware. Probably one malware simply copied vulnerabilities from the other malware program when they were published.

RT: So this means that cyber warfare is evolving rapidly, and 'Flame' vividly confirms this trend. Can less technologically developed nations resist such attacks, or is it game over for them?

VK: It’s never game over in this area, because even if the country isn’t technologically developed in this area, it doesn’t prevent them from cooperating with organizations like ours and with private companies in the security industry that can provide them with valuable pieces of information which can actually result in the discovery of such threats. And when we discover such threats, we permanently add them to antivirus databases, and users from those nations can use freely available trial tools and commercial antivirus [software] to protect their systems.

RT: This enormous stratum of data that 'Flame' can gather, who would need it and is it really possible to analyze such an avalanche of information?

VK: First of all, when we’re talking about the size of data that is to be analyzed, we know that the attackers do not infect as many victims as possible. Their resources are limited; it seems that they understand that. They are keeping the number of infected machines more or less the same. So it’s the same level. When they finish analyzing data that has been stolen from one network, they remove the malware and switch to another. So we think that it’s still possible to extract only the data they are interested in.

RT: So can we call this a cyber war, and if so?

VK: Stuxnet and Duqu were bright examples of cyber weapons which could even physically destroy infrastructure, and this [Flame] is a continuation of this story. So this is another development in this row which continues in addition to Stuxnet and Duqu. There are also nation states supporting [these] developments. We think that cyber warfare has been going on for years already. People were just probably not aware of it because cyber warfare has a unique feature: it’s hidden. Nobody knows when cyber warfare operations are going on. This is the key feature of it.

RT: Who is behind these cyber attacks?

VK: Like with Stuxnet and Duqu, it’s currently unclear who is behind it. It’s very hard to find out who is behind it because when we try to follow the traces, who controls the application – it connects to the command and control centers – it turns out to be… dozens or even more servers spread around different countries around the world. More than 80 or 90 domains are associated with those servers. Most of them are registered with fake identities. So they’re pretty well protected and hidden. So it is unclear who is behind that, and we try not to speculate who could be behind such attacks. We try to base it on pure facts like the language we extract from the code. In this case, we only found traces of good English used inside the code.

RT: So who do you think is winning this war?

VK: I think that humanity is losing to be honest, because we are fighting between each other instead of fighting against global problems which everyone faces in their lives.