In this guest commentary, Trend Micro director of security research Rik Ferguson calls Flame out on being the "most complex malware ever found", stating that the malware doesn't deserve to be compared to Stuxnet, and that its structure is nothing new.
The most sophisticated malware — since last time.
(Credit: Trend Micro)
commentary I work closely with the marketing and public relations folk here at Trend Micro, and I know that whenever we have a significant or noteworthy piece of research to break, their first question will be, "Can we say is the first, biggest, worst, etc?" In almost every case, the answer is no. In fact, I can only think of one exception in recent years.
I'm sure the situation is similar at the other global security vendors, but it appears that some are less stoic in their resistance of the headline lure. Eugene Kaspersky, who appeared to relish being called a "glorious global megatroll" last week, is certainly renowned for courting controversy.
Last weekend, the news began to break about a complex piece of malware known variously as Flame/Flamer/SkyWiper, which was immediately being touted as the most sophisticated malware ever. The International Telecommunication Union (ITU) at the United Nations (UN) released what it describes as "the most serious warning we have ever put out", (although not apparently serious enough to feature on its website). This claim was supported by statements that Flame is "20 times more complicated [than Stuxnet]", and that it "will take us 10 years to fully understand everything" — a top-of-the-head metric that seems a little shaky to me. Symantec has even likened it to "an atomic weapon".
I was called by a journalist recently whose first question to me was, "So what makes this threat so unique?" and honestly, it was tough to find an answer with which I was comfortable. That, combined with the global hyperbole-fest, meant that I woke up compelled to write this post.
The functionalities and characteristics that are reported about Flame are things such as its precise geographical targeting, the modular nature of the code (different functional modules can be "plugged in" to an infected device as required), its ability to use local hardware, such as microphones, log keystrokes and record on-screen activity. The fact that it is targeted in the Middle East and uses a specific auto-run vulnerability are apparently enough to justify making links between Flame and Stuxnet!
Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom-written modules to customer specification for tools such as ZeuS or SpyEye.
Carberp is another great example of a modular information-stealing trojan. In fact, a recent variant of SpyEye was found to use local hardware, such as camera and microphones, to record the victim, just like Flamer and just like the DarkComet RAT. Malicious distribution infrastructures, such as the Smoke Malware Loader, promise sequential loading of executables and geo-targeting (among many other things). Keylogging is, of course, nothing new, and neither is performing capture of network traffic or ex-filtrating stolen information. Complexity of code is also nothing new; have a look at TDL4, consider Conficker's rapid adoption of MD6 or its domain-generation tactics.
So, what are we left with? A big (up to 20MB) chunk of code that's unique in malware terms, certainly, but not impressive in and of itself. The malware uses LUA, and that's unique in malware terms, I guess, but not something that elevates the inherent risk. Flame does have Bluetooth functionality, though, and in the interest of semantics, it's not a weapon — it's a tool.
Interestingly, just before the news about Flame hit the wires, the ITU at the UN had a press release that they have teamed up with a security vendor for their Telecom World 2012 event. Incredible timing, huh?
This article first appeared at Trend Micro's CounterMeasures blog, and has been reproduced with the company's permission.