So today we heard about the Flame Virus, now infecting the Middle East and Iran.
What this demonstrates is how effective governments can be when they turn to cyberwar. It puts the hack tools used by the likes of Anonymous far, far into the shade.
“The complexity and functionality of the newly discovered malicious programme exceed those of all other cyber menaces known to date.” Boy howdy.
Flame is infecting computers mainly in Iran, Lebanon, Syria, Israel, and the occupied territories. It’s clearly an espionage weapon, and conducts surveillance rather than engages in destruction or sabotage. It just sits in your computer and sucks up documents, media files, and screenshots.
Israel is not precisely denying that they’re behind Flame, but that isn’t necessarily conclusive. They’d be happy to claim credit for the digital superweapon whether they were behind it or not.
But now that Flame’s secret is out, all sorts of entities are going to reverse-engineer the weapon and start using it on, well, everybody. Whether they’re governments or not. And whether their targets are governments or not.
Welcome to the future. Flame on.
I’m actually only surprised that something like this wasn’t detected earlier. Or at least publicly disclosed earlier.
However, it does trigger a minor rant about some points in Deep State and The Fourth Wall that turned out to be significant disbelief-suspender-breakers. Deep State’s wasn’t too bad, but two pages in The Fourth Wall actually made me put the book down for a day. Didn’t stop me from finishing the book and then re-reading it, though.
It sounds a bit like hype. When you are designing a virus, you try to make it as small as you can. This virus is 20MB? That is insane! Geographic targeting is not that hard. Just tracert to a known IP, then look at the addresses close to you. If they are on known Iranian backbone, you are in Iran. All the turning on cameras and microphone stuff sounds cool; It’s not that hard.
If this were a better designed tool, they would launch a very small script that roots the computer, downloads a bit of code that replaces the part of the OS that handles disk and internet access. Then it would download whatever modules it needed, when it needed them. The advantage of replacing the disk I/O system is, when the anti virus looks for your code, it is asking the virus for the information. This only works on Windows computers.
By the size of the virus, I would guess it is metamorphic in nature, making it a bit harder to detect, if the user boots the computer from a second OS drive.
Yeah, 20 MB is pretty monstrous for modern malware. Yet another reason to attribute it to government developers. 🙂
I’m going to beg to differ with you about the “This only works on Windows computers” bit, though. Unix rootkits have been around even longer than Windows ones.
John Appel, the difference is, AV running on a rooted Linux box can directly access the hard drives, bypassing the OS. With Windows, Microsoft takes active steps to prevent you from doing this (even when logged as SU). If the OS is compromised and you can’t directly access files, even from the sector level without it, AV can only see what the virus lets it see.
Budapest University has a pretty good write-up on this. The line about it having been in the wild for up to 5-8 years is pretty interesting.
http://www.crysys.hu/skywiper/skywiper.pdf
John, just looked at the Budapest University pdf, The app keeps track of stuff on a freaking SQL database. It has 11 tables and 70 fields. That’s not a virus, it’s Skynet!
I would not call something that codebloated well written, however, wow, it is big!
Ralf – yeah, that pretty much summed up my reaction as well. I’m not aware of prior malware that went to those kinds of lengths. This might actually be something kind of new, if coded sub-optimally.
The size and number of files, though, make me wonder how it evaded detection for so long. If it really did operate under the radar since 2007, that’s got to be some kind of record.
If it was state sponsored software, perhaps the AV venders were asked not to detect it.
Friday’s NYT story about the apparent initiation of cyberwarfare operations, first under GWB and continued & expanded under Obama, put this into a new light.
Word from Kaspersky today is that Iran really appears to have been the target. The C&C servers moved frequently; Hong Kong, Poland, Turkey and other nations were mentioned as places they’d been hosted. Their analysis indicates Flame has been active since sometime in 2008.
The network also now appears to be inactive.
Comments on this entry are closed.