
Spy virus Flame is evasive, but its goal is nothing new

One day after researchers first warned of Flame, a massive espionage toolkit that contains 20 times as much code as Stuxnet, several experts downplayed the impact of the discovery.

What makes Flame notable is that it apparently went undetected for several years and is targeting computers in the Middle East, mainly Iran -- two factors that have led some to believe Flame was the costly creation of a nation-state. In fact, according to reports, Israel's vice prime minister hinted at his country's involvement.

Flame, which contains several modules so that it can be customized to attack a victim in a certain way, is capable of plundering a targeted system of its data through sniffing network traffic, capturing screenshots, logging keystrokes and even turning on the machine's microphone to record conversations. Security firm Kaspersky Lab, which discovered the malware, called it a "cyber weapon."

"Flame can easily be described as one of the most complex threats ever discovered," wrote Alek Gostev, chief security expert at Kaspersky Lab, on Monday. "It's big and incredibly sophisticated. It pretty much redefines the notion of cyber war and cyber espionage."

Other experts, however, weren't so keen on labeling Flame, which also is known as Skywiper or Flamer, a never-before-seen weapon. If anything, Flame should serve as a continued warning that today's security solutions fail miserably at catching threats.

"In my mind it really highlights the foolishness of relying on signature scanners," Roger Thompson, chief emerging threat researcher at ICSA Labs, which tests security products, told SCMagazine.com on Monday. Instead, behavioral detection methods must become the primary anti-virus line of defense, he added.

Chris Wysopal, co-founder and CTO of application security company Veracode, told SCMagazine.com that the functionality contained in Flame isn't that different from what comprised BO2K, a remote administration tool unveiled in 1999 at the DEFCON security conference.

"It's the new, run-of-the-mill creation," he said of Flame. "It's just another reminder that most governments and corporations around the world are being probed with technology like this."

Flame has garnered headlines in part due to its similarity to Stuxnet and Duqu, which spread in similar ways -- through USB sticks and insecure LANs -- and which targeted critical infrastructure systems in Iran. It's also possible the same virus authors are involved. According to Symantec, some of the file names used in Flame's code are identical to those found in a recent attack on Iran's Oil Ministry.

For the average computer user, however, the risk posed by Flame is no different than that of most of today's advanced malware. Graham Cluley, senior technology consultant, said in a Tuesday blog post that the number of Flame victims -- in the hundreds -- pales in comparison to those impacted by, for example, the Flashback or Zeus trojans.

"Press appeal aside, it's unlikely that Flame is easier or harder to defend against than other advanced malware," Alfred Huger, vice president of development at network security vendor Sourcefire, wrote in a blog post. "The tools at your disposal to detect and remove malware are largely ignorant of intent. Further, anyone who runs an enterprise will tell you they have multiple layers of security deployed to catch malware, and they still experience some advanced threats successfully taking root on their endpoints."
