Flame is lame? Not so much.


When the Flame malware was found a few months ago, it was characterized as “highly advanced,” “supermalware” and “the biggest malware in history.” These comments were immediately met with ridicule from experts who were quick to point out that there was nothing particularly new or interesting in Flame. 

Suggestions that Flame was created by a government and, like Stuxnet and Duqu, would be the product of a nation-state were met with ridicule as well.

But let's have a look at what we've learned about Flame.

Flame has a keylogger and a screengrabber. The naysayers are unimpressed. “We've seen that before. Flame is lame.”

Flame has built-in secure shell (SSH), Secure Sockets Layer (SSL) and Lua [scripting language] libraries. “Bloated. Slow. Flame is still lame.”

Flame searches for all Office documents, PDF files, Autodesk files and text files on the local drives and on network drives. As there would easily be too much information to steal, it uses IFilters [a plugin] to extract text excerpts from the documents. These are stored in a local SQLite database and sent to the malware operators. This way they can instruct the malware to home in on the really interesting material. “Flame is lame.”

Flame can turn on the microphone of the infected computer to record discussions spoken near the machine. These discussions are saved as audio files and sent back to the malware operators. “Flame is lame.”

Flame searches the infected computer and the network for image files taken with digital cameras. It extracts the GPS location from these images and sends it back to the malware operators. “Still, Flame is lame.”
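The GPS data Flame harvested is the position a camera writes into a photo's EXIF metadata. Before images leave a sensitive site, a defender wants to know which ones carry it. The following is an added example, not code from the article or from any Flame analysis: a dependency-free reader for the EXIF GPS IFD, together with a constructed minimal JPEG (not a real photograph) used as sample input. The coordinate values and tag layout in the sample are constructed for illustration.

```python
"""Audit a JPEG for embedded GPS coordinates (added example, constructed sample data)."""
import struct

TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _read_ifd(tiff: bytes, offset: int, end: str) -> dict:
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    (count,) = struct.unpack_from(end + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, pos)
        entries[tag] = (typ, n, tiff[pos + 8:pos + 12])
        pos += 12
    return entries


def _rationals(tiff: bytes, entry, end: str) -> list:
    """Decode an array of unsigned RATIONAL (type 5) values stored out of line."""
    typ, n, raw = entry
    if typ != 5:
        raise ValueError("expected RATIONAL, got type %d" % typ)
    (off,) = struct.unpack_from(end + "I", raw)
    vals = []
    for i in range(n):
        num, den = struct.unpack_from(end + "II", tiff, off + 8 * i)
        vals.append(num / den if den else 0.0)
    return vals


def _ascii(entry) -> str:
    typ, n, raw = entry          # N/S/E/W refs are short enough to sit inline
    return raw[:n].rstrip(b"\x00").decode("ascii")


def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees, or None when no GPS IFD is present."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seg_len]
            break
        if marker == 0xDA:       # start of scan: no more metadata segments follow
            return None
        pos += 2 + seg_len
    else:
        return None
    end = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack_from(end + "I", tiff, 4)
    gps_ptr = _read_ifd(tiff, ifd0, end).get(TAG_GPS_IFD)
    if gps_ptr is None:
        return None
    (gps_off,) = struct.unpack_from(end + "I", gps_ptr[2])
    gps = _read_ifd(tiff, gps_off, end)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def to_decimal(dms, ref):
        d, m, s = dms
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val

    lat = to_decimal(_rationals(tiff, gps[GPS_LAT], end), _ascii(gps[GPS_LAT_REF]))
    lon = to_decimal(_rationals(tiff, gps[GPS_LON], end), _ascii(gps[GPS_LON_REF]))
    return (round(lat, 6), round(lon, 6))


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test data: a little-endian EXIF blob holding only a GPS IFD, wrapped in JPEG markers."""
    def entry(tag, typ, count, value_bytes):
        return struct.pack("<HHI", tag, typ, count) + value_bytes.ljust(4, b"\x00")

    def rationals(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)

    ifd0_off, gps_off = 8, 26                  # TIFF header (8) + IFD0 (2 + 12 + 4)
    lat_off = gps_off + 2 + 4 * 12 + 4         # GPS IFD: count + 4 entries + next pointer
    lon_off = lat_off + 24                     # three RATIONALs of 8 bytes each
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_off)) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00")
    tiff += entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00")
    tiff += entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
    tiff += struct.pack("<I", 0) + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg([(37, 1), (46, 1), (2964, 100)], "N",
                               [(122, 1), (25, 1), (966, 100)], "W")
    print(extract_gps(sample))
```

A photo with no APP1 segment, or one whose IFD0 has no GPS pointer, returns `None`; anything else is a location leak to strip before the file is shared. The reader handles both TIFF byte orders, since cameras write either.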

Flame checks if there are any mobile phones paired via Bluetooth to the infected computer. If so, it connects to the phone, collects its address book and sends it to the malware operators. “Flame is still lame, kind of.”

The stolen information is sent out by infecting USB sticks that are used in an infected machine and copying an encrypted SQLite database to the sticks – to be sent when they are used outside of the closed environment. This way data can be exfiltrated even from a high-security environment with no network connectivity. “Agent.BTZ [malware] did something like this already in 2008. Flame is lame.”
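Both the local SQLite store of document excerpts and the encrypted copy staged on USB sticks leave files on media a defender can inspect. The following is an added example, not code from the article or from any Flame analysis: a triage pass over a removable drive that flags files carrying the SQLite header and files that look like opaque encrypted blobs (high byte entropy, no recognisable file header). It does not identify Flame; it surfaces candidates for closer examination. The sample drive contents, the entropy threshold and the list of known headers are constructed for this example.

```python
"""Triage files on a removable drive for exfiltration staging artifacts (added example)."""
import math
import os
import random
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
# Benign formats that are high-entropy by design (compressed), so they are not flagged as opaque.
KNOWN_HEADERS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random (or well-encrypted) data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 65536) -> dict:
    """Inspect the first sample_size bytes of one file and describe what it looks like."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    entropy = shannon_entropy(head)
    known = next((name for magic, name in KNOWN_HEADERS.items() if head.startswith(magic)), None)
    is_sqlite = head.startswith(SQLITE_MAGIC)
    opaque = (known is None and not is_sqlite
              and len(head) >= 256 and entropy >= ENTROPY_THRESHOLD)
    return {
        "name": os.path.basename(path),
        "path": path,
        "size": os.path.getsize(path),
        "entropy": round(entropy, 2),
        "known_type": "sqlite" if is_sqlite else known,
        "sqlite": is_sqlite,
        "opaque_blob": opaque,
    }


def triage_drive(root: str) -> list:
    """Walk a mounted drive and return the files worth a closer look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            info = classify_file(os.path.join(dirpath, name))
            if info["sqlite"] or info["opaque_blob"]:
                findings.append(info)
    return findings


def build_sample_drive() -> str:
    """Constructed sample data standing in for a mounted USB stick."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Quarterly planning notes. " * 200)          # ordinary low-entropy text
    db = sqlite3.connect(os.path.join(root, "cache.dat"))     # a real SQLite file with a misleading name
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, excerpt TEXT)")
    db.executemany("INSERT INTO items (excerpt) VALUES (?)",
                   [("sample excerpt %d" % i,) for i in range(50)])
    db.commit()
    db.close()
    # Seeded pseudo-random bytes stand in for an encrypted blob with no header.
    with open(os.path.join(root, "~$tmp0001.bin"), "wb") as fh:
        fh.write(random.Random(1234).randbytes(16384))
    return root


if __name__ == "__main__":
    for finding in triage_drive(build_sample_drive()):
        print(finding)
```

The SQLite check works on extension-less or renamed files because it keys on the header, not the name; the entropy check is what catches an encrypted container, which has no header to match. Expect compressed archives and media to score high as well, which is why recognised headers are excluded before a file is called opaque.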

Page 1 of 2

Copyright © 2014 Haymarket Media, Inc. All Rights Reserved