Decoding the 'Flame' virus
June 5th, 2012
02:00 AM ET

By Suzanne Kelly

Last week, groups of congressional staffers gathered in conference rooms in the nation's capital. They were coming to hear from a representative from Symantec about the current threat landscape in cyberspace.

It's an annual event for the security software giant, one in which staffers are briefed on current and emerging threats. They, in turn, brief lawmakers who are looking for ways to "catch up" in the war in cyberspace.

As you might expect in a briefing on cybersecurity, lots of numbers were thrown out: an 81% increase in the number of malware attacks, 5.5 billion attacks blocked worldwide and some 403 million unique pieces of malware (many of them auto-generated variations of the same attack) aimed at computer users around the world.

A lot of these threats are familiar to Symantec, and a big reason why they have become a powerhouse in the security industry. Protecting against old viruses and detecting new ones is how they make their money. Business is apparently good, with some 200,000 new pieces of malware being sent to them every week for further diagnosis.

That's one of the reasons the company staffs its security desk 24/7. It was that lucky weekend staffer who got first wind of a new threat this past Memorial Day. It was a new piece of malware sent to the company by a Hungarian researcher, a trusted partner, so it got moved a little closer to the top of the heap for scrutiny, and what the researcher saw shocked him a little.

"The first thing was its size," said Kevin Haley, Symantec's director of security response, who was alerted over the holiday weekend that this virus was different – way different – than anything the company had seen. "Stuxnet was really unique because of its size, and this is about 20 times bigger than Stuxnet."

This newly detected virus, dubbed "Flame," had incredible abilities to monitor in-boxes, take screen grabs, even record audio of conversations happening near the computer. Haley said it had all the hallmarks of a nation-state effort and Symantec researchers immediately dived into the code, looking for clues.

"When you start looking at it, it was clear that it was very complex. It was doing a lot to make it look like a normal program," said Haley. "There were encrypted pieces, and they had a lot of functionality, so we really started to do some serious investigating."

What they found was a series of modules. The entire virus had been pieced together like a LEGO creation, one part building on another. Things could actually be added onto the spyware after it was already on an infected computer, giving the developer enormous freedom to tinker at will.

One specific example is with a Bluetooth module, which allowed the spyware to be spread to other devices. That's just one of some 60 modules that were identified in the first week.

The hunt for further clues is expected to take months and researchers may still never know who is behind the virus. Symantec said while authors of viruses like these rarely leave a "signature" in the code, they do sometimes inject something that looks odd. In this case, researchers found multiple references to a string dubbed "Jimmy."

"We don't know what it means," Haley said. "Though it's not unusual for malware authors to leave little messages like that."

Other security companies have been combing through "Flame" as well, looking for clues and details about its origins and abilities.

Microsoft announced over the weekend that it had identified a part of the code that had been signed in a way to make it look as if it had originated with the software giant.

The company also said it has issued a fix for the virus, saying in a security advisory that "the vast majority of customers are not at risk." The statement also said the company has taken steps to make sure the signature issue doesn't happen again.

Symantec said it also has a fix for the virus. Iran, which was a major target of the attack, said it has a fix, too. But the question of who launched "Flame" in the first place is a little tougher to pin down, according to Haley, who said efforts to find additional modules will continue in the coming months.

"It's an ongoing story for us."

But back to that briefing on the Hill last week. It turns out that while "Flame" is grabbing the headlines, that doesn't mean it's the most dangerous for home computer users. Some of the old favorites in attacks aimed at consumers' computers are still the most effective. According to Haley, it's those pop-up ads that tell you that your computer has already been infected.

"The two most popular ways are to send you an e-mail with an attachment, and a Web-based or drive-by download that gets you to a malware website," Haley said. The attackers then try to get you to buy their "security" product, and wham! They've got you.

Another favorite way to get you is through social media websites. Attackers are so savvy that they now troll your "friends" list and generate an e-mail that looks like it's coming from you, so what friend wouldn't click on it, right? Wham. You're infected.

It doesn't exactly scream reassurance, but does give lawmakers a better grasp on just how wide-ranging the cyberlandscape is these days.


Filed under: Cybersecurity • Flame
soundoff (43 Responses)
  1. darrin maidlow

    looks like the flame control panel is available on http://flamer.com – ID 62674. had a good laugh at that :)

    June 5, 2012 at 10:54 pm | Reply
  2. Whombatt

    "...threats are familiar to Symantec, and a big reason why they have become a powerhouse in the security industry. "

    Of course the theft of their own source code was one threat they missed. Some powerhouse–must have blown a fuse.

    June 5, 2012 at 10:20 pm | Reply
  3. SierraForever

    Sounds like Jimmy Hendricks "Let me stand next to your fire" (aka Flame)

    June 5, 2012 at 9:53 pm | Reply
    • Matt

      If you're going to quote a legend at least spell his name right, Jimi Hendrix.....

      June 6, 2012 at 5:26 pm | Reply
  4. mcguireatneuroticadotcom

    Welcome to the wonderful world of Microsoft Windows.

    June 5, 2012 at 9:43 pm | Reply
  5. C.S. Deckard

    Except the Bluetooth functionality, which, I admit, is somewhat interesting, ALL of the features of this malware are present in the years-old, freely-available Poison Ivy RAT (Remote Administration Tool). Not to mention, Flame is something like 100 times as large, so in that sense at least, it's actually inferior to Poison Ivy.

    The claim for potential state-sponsorship is specious, sensationalist garbage. The author of this piece would do well to discuss this malware with experts whose paychecks aren't dependent on antivirus sales. I realize that prosaic explanations don't attract readers like breathless sensationalism, but assuming that Ms Kelly has some pride in her profession, I hope she seeks out some more dispassionate perspectives next time.

    June 5, 2012 at 8:26 pm | Reply
    • rabs

      So you have seen flame in and out to pass an off hand remark on how good or bad it is?

      June 5, 2012 at 9:51 pm | Reply
      • C.S. Deckard

        Personally, no. Several people I work with closely have, however; and we've spent a lot of time discussing it. They're some of the best malware RCE people in the world, so I trust their word on it.

        June 5, 2012 at 9:56 pm |
  6. mikeBigD

    How big can it be if it propagates over Bluetooth?

    June 5, 2012 at 7:59 pm | Reply
    • MacisBetter

      I read it was over 20 Mb, which is quite a bit of code.

      June 5, 2012 at 8:06 pm | Reply
      • Fun virus

        At that size you can pretty much guarantee it's a government job. Who else would code that much bloat?

        June 5, 2012 at 10:22 pm |
  7. Daniel

    Good article but you left out some key technical information such as the Flame virus was written in a programming language called Lua which was developed in Brazil, which is usually used for game programming, such as "Angry Birds" so if you want to be spot on, please dig a little deeper.

    June 5, 2012 at 4:09 pm | Reply
  8. PCisBetter

    Windows is used by important people. Macs are used by people who like to spend to much money to make themselves FEEL important.

    I've had a PC my whole life. I'm a careful user, never had a virus. My company supplied me with a Macbook. Hard drive died twice in 3 years. I'd rather catch a virus than have my data get erased.

    June 5, 2012 at 3:59 pm | Reply
    • mikeBigD

      Anyone who doesn't back up important data has no credibility when talking about computers.

      June 5, 2012 at 7:56 pm | Reply
    • MacisBetter

      I have had the same Macbook for over 4 years with zero problems. Also, I can use "too" properly in a sentence and it makes me feel soooo important...

      June 5, 2012 at 8:04 pm | Reply
      • jimdevo

        ha, nice burn...

        June 5, 2012 at 9:26 pm |
    • OG Trance

      PC stands for Personal Computer. Is an iMac not a personal computer as well?

      June 6, 2012 at 3:27 am | Reply
  9. memyselfnie

    Just another one of thousands of good reasons not to use windows. If they paid me, it would not be enough.

    June 5, 2012 at 3:43 pm | Reply
    • caw

      Do you really think the malware inventors are not turning their attention to Macs?

      June 5, 2012 at 9:02 pm | Reply
      • ColinMac

        Since when has "not windows" meant "Macs"? There are still many alternatives to the MacOS if that's not your speed.

        June 5, 2012 at 9:32 pm |
  10. Restopo

    Hmm. Sounds interesting. A virus capable of monitoring emails, taking screen shots, and recording audio. And Iran was the center of the attack. I wonder who would want to spy on Iran, and is capable of creating a "super virus"? Beats me.

    June 5, 2012 at 2:31 pm | Reply
  11. Tex

    Israel is the terrorist nation to watch out for.

    June 5, 2012 at 2:22 pm | Reply
    • kel (Marine)from easley,sc

      Israel is our only ally in the whole mid-east. If they did infect Iran, then more power to them. How about Iran being the originator to throw suspicion on the West. I hope they go down in flames. Semper Fi

      June 5, 2012 at 4:25 pm | Reply
      • Steven

        Israel is our ally, or do they use the media and give millions to Congress to make us foolishly believe that lie? Go study your history. Look up the "Lavon Affair" or the USS Liberty and see if Israel really is our ally or just using us as fools. Remember, the Talmud says it's ok for Jews to lie to, use, cheat and steal from Gentiles.

        June 5, 2012 at 9:51 pm |
      • Cheese Wonton

        You might want to find out who China's number two arms supplier is. The Israelis make a nice profit repackaging the best US military technology for sale to both Russia and China, but especially China. They have saved the Chinese many billions of dollars and at least ten years catching up to the US in technology, providing the Chinese information on US radar wave forms so they can develop effective jammers and radar warning receivers. They taught the Chinese how to write the control laws for the J-10 fighter (after General Dynamics taught the Israelis this during the Lavi development program) and they taught the Chinese how to integrate both Israeli and Russian made air to air missiles into a helmet mounted sight.
        Why would Israel do this? It is very simple. They trade the only thing of value to the Chinese that they possess, US military technology, seeking to influence the Chinese not to sell their aircraft and weapons to Israel's enemies in the Middle East. It would be poetic justice indeed if an Israeli strike against Iran required the IAF to fight its way past the very J-10 fighters the Israelis helped the Chinese design, but so far every effort by Iran to buy this aircraft has been turned away. Coincidence? I think not.

        June 5, 2012 at 11:37 pm |
  12. genomega1

    Reblogged this on News You May Have Missed and commented:


    June 5, 2012 at 11:52 am | Reply
  13. avis

    Go for Linux – a free OS and no need to worry for viruses – unless being stupid.

    June 5, 2012 at 11:30 am | Reply
  14. Hahahahahahahahha

    "Iran says it has a fix too"...............Yeah.......Pirated versions of Symantec!!!!!!!!!! Hahahahahahahahahha

    June 5, 2012 at 10:23 am | Reply
  15. michaelfury

    "But the question of who launched 'Flame' in the first place is a little tougher to pin down"

    motive, means, opportunity...

    http://michaelfury.wordpress.com/2010/09/10/ghosts-in-the-machine/

    June 5, 2012 at 7:49 am | Reply
    • Caiha

      Personally I think it's aliens oooOOOoooOOOoooOOOooo well at any rate my conspiracy theory is just as provable as yours.

      June 5, 2012 at 4:25 pm | Reply
  16. Josh

    I don't think the author understands the word 'troll' or its uses on or off the internet.

    June 5, 2012 at 3:29 am | Reply
    • Dirtbag01

      I disagree Josh. The word's meaning has adapted from this fishing definition. "In modern English usage, the verb troll is a fishing technique of slowly dragging a lure or baited hook from a moving boat" in order to essentially snag a fish.

      June 5, 2012 at 12:27 pm | Reply
      • Caiha

        True, but as far as the internet is concerned that's a very, very old school (90's) usage of the word.

        June 5, 2012 at 4:24 pm |
      • Cheese Wonton

        That is "trawl", not troll when fishing. Back to school !!!

        June 5, 2012 at 11:38 pm |
    • ton

      Fail. A definition which originated in the last 10 years does not supersede the traditional one, which you are apparently ignorant of. Lawl! XD

      June 5, 2012 at 8:00 pm | Reply
      • MacisBetter

        I would argue that using words like "Fail" in place of a real, articulated sentence is a "Fail" in and of itself. Lulz...

        June 5, 2012 at 8:11 pm |
