Iran, it seems, has been the target of another novel form of malware, christened “Flame”. Much has been made of this new threat because of the novel characteristics that set it apart from traditional malware. It is much larger in size than normal malware (20MB vs a more traditional 1MB) and consists of a modular architecture with components that have more in common with normal corporate software than with “regular” viruses and worms.
It is Flame’s use of normal business technologies that made the malware look like regular corporate software and possibly helped it escape detection for so long. Mikko Hypponen, CEO of security firm F-Secure, has commented that Flame basically “hid in plain sight”, making itself indistinguishable from all the other software running on the infected PCs. However, security companies also failed to detect the possibly related malware Stuxnet and Duqu, and those were very different from everyday software. This perhaps illustrates the general limitations of commercial-grade anti-virus software in detecting highly specialised malware.
Because of the countries targeted by Flame (Iran and its Middle East neighbours), suspicion has fallen on the US and Israel as Flame’s creators. It now seems that Stuxnet may have been part of an official US operation called “Olympic Games”, which specifically targeted enemy countries’ critical infrastructure. It has been alleged that Flame was not part of this program. Stuxnet specifically targeted and aimed to damage nuclear facilities, whilst Flame appears to be a more general espionage tool, recording conversations, keystrokes, screenshots and other information from its infected hosts.
In this respect, Flame has more in common with the German Trojan software R2D2, which was used by the German authorities to spy on their own citizens.
It is somewhat surprising that no commentators have made the connection between Flame and the dozens of commercially available spyware products. The levels of sophistication of Flame and of commercially available surveillance software are similar – the only difference being that Flame has the ability to replicate and infect other machines, whereas surveillance software’s installation is normally targeted.
In fact, there is nothing to say that Flame was not actually installed or being used by the governments of the countries involved to spy on their own citizens. The belief that Stuxnet was of Israeli or US origin was held on the basis that the programming skills and funding required for its development would only have been found in those countries. But as has been detailed on the Spyfiles site, more general surveillance software is relatively inexpensive and can be bought “off-the-shelf”. So anyone could have been the originator, even private corporations.
The origins and objectives of Flame will probably never be known. It reaffirms, however, that cyber threats are increasingly common and real, and that protecting ourselves and our infrastructure against them is increasingly difficult.