Monday, May 28, 2012

Flame, aka Flamer or sKyWIper

Flame, aka Flamer or sKyWIper, has been dubbed more complex than Duqu and Stuxnet.  In fact, it has been described as "the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." 

As described in The Flame: Questions and Answers - Securelist:
"What exactly is Flame? A worm? A backdoor? What does it do?

Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.

Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated."
The map below, compiled by Kaspersky, shows the top seven countries affected by Flame:

The following quote by Professor Alan Woodward Department of Computing, University of Surrey, was included in the BBC article, Flame: Massive cyber-attack discovered, researchers say:
"This is an extremely advanced attack. It is more like a toolkit for compiling different code based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine.

It also has some very unusual data stealing features including reaching out to any Bluetooth enabled device nearby to see what it can steal.

Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't need to be connected to a network, although it has that capability as well.

This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time."
In other words, it appears that this is just the tip of the iceberg.

Update:  A search of the Malware Protection Center Portal for Win32/Flame shows the addition to detection by Microsoft Security products, Published: May 29, 2012 , Alert level: Severe:

Additional References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Anonymous said...

But how does it send the stolen data to it's owner? Isn't it possible to trace the perpetrator by looking at where it sends the information? /Computer noob

sports live said...

nice work