
Flame malware overrated, spread to Asia unlikely

The Trojan is the "most sophisticated cyber weapon" currently in circulation, but a Verizon executive reckons its large file size and non-network-propagating nature mean the malware won't pose much of a threat globally.
Written by Ellyne Phneah, Contributor

The Flame malware, which has been touted as the "most sophisticated cyber weapon yet unleashed", is not likely to significantly impact enterprises because its large file size makes it easier to detect, notes a Verizon executive.

Its impact is also likely to remain confined to the Middle East rather than spread to Asia, since the malware is not spread via networks or drive-by downloads, he added.

Kaspersky Lab discovered Flame on May 28 after the International Telecommunication Union (ITU) approached its security researchers for help in finding an unknown piece of malware that was deleting sensitive information across the Middle East. Chief security expert Alexander Gostev added in his blog post that the malware is a sophisticated attack toolkit that is "a lot more complex than Duqu".

"It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master," he noted. "Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on."

He added that the Trojan's operators can upload further modules that expand Flame's functionality. Even in its original form it is a "huge package of modules", totalling almost 20MB when fully deployed, the researcher noted.

Andrew Valentine, managing principal of investigative response at Verizon, told ZDNet Asia that Flame is "not as big a deal as everyone else is making it out to be", and that it is not going to affect enterprises significantly.

He noted that malware of that size will not get very far in an organization without being detected. To steal data from a target organization, he explained, a Trojan has to be small enough to be "invisible": it must not stand out, and it must penetrate systems undetected.

Additionally, now that Flame is known and publicized, antivirus vendors would have started building definitions and security signatures to detect the malware, the executive said.

"It is the hidden ones customized to quietly, silently steal data from an organization, and which no one can ever detect, that are the dangerous ones," Valentine said. "Now that Flame is being analyzed and garnering a lot of publicity, it will not be that threatening."

He also pointed to Stuxnet as a good example. Many feared that Stuxnet and its variations would be seen in future data breaches, but that never happened because it was a "focused" piece of code designed to exploit the Iranian plutonium purification system and nothing else, he said.

The managing principal did warn that there is a chance components of Flame will be "cut away and repurposed" into smaller packages. For example, if someone recognizes that its components for phishing and for passing sensitive data out of an organization are well-coded, they may create smaller versions of the malware based on the original source code, he said.

Asia unlikely to be affected
Asia is also likely to be spared from the impact of the malware, Valentine suggested. He said Flame is not a network-propagating piece of malicious software but code left on a thumb drive, so its reach is limited to people picking up the malware from USB sticks rather than through corporate networks or drive-by downloads.

Social engineering is involved, as people have to be "tricked" into plugging the USB drive into a company system, but since Flame's file size is large, it will not be easy to get somebody to install the program, he said.

"Asia isn't safe from malware by any stretch," Valentine added. "The region should worry about malware, just not this particular one."

Symantec had on Monday pinpointed Hong Kong as a primary target destination for Flame.

Orla Cox, senior security operations manager at Symantec's security response team, told ZDNet Asia that, based on telemetry data collated from more than 75 million machines that record occurrences of all known host- and network-based attacks, Hong Kong was targeted by the operators of Flame. She could not reveal why it was targeted, though.
