Researchers from the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics and Kaspersky Lab have practically simultaneously revealed details of their research into this toolkit, and while the latter say they have detected the malware on systems located in the Middle East (most of all Iran), CrySyS found a couple of Flame-infected systems in other countries such as Hungary.
According to a press release by the International Telecommunication Union (ITU), Kaspersky Lab researchers discovered Flame while searching for the "Wiper" malware, which allegedly deleted data on a number of computers in Iran.
"This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in co-ordination with ITU, came across a new type of malware, now known as Flame. Preliminary findings indicate that this malware has been 'in the wild' for more than two years - since March 2010. Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected it," it has been explained.
What is known about this malicious toolkit so far?
"First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine," Kaspersky Lab's Alexander Gostev explained.
It's primary goal is to slurp as much information it can from affected systems and send it to C&C servers, and the modules are there to ensure that that happens thoroughly.
Among the capabilities of this toolkit are the ability to take screenshots, record audio data via the computer microphone, collect information about discoverable Bluetooth devices near the infected machine, attack and infect additional machines, open backdoors, sniff the traffic on an infected machine’s LAN in order to collect usernames and password hashes being transmitted back and forth, and more.
"The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered," states ITU. "The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet."
Gostev points out that the worst thing about this discovery is the fact that the Flame cyber-attack campaign is still ongoing, and that the toolkit has the ability to deinstall and wipe all traces of itself once the attackers are done with a particular system. And although Flame has no similarities with Stuxnet and Duqu, Flame is considered to belong in the "malware as cyber weapon" category.
"The risk of cyber warfare has been one of the most serious topics in the field of information security for several years now. Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide. The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country," Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, commented. "Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”
The researchers believe that Flame was not developed by the authors of Stuxnet and Duqu, and that it might have been released before or simultaneously with them.
The group behind Flame targeted different systems, among which were those used by private companies, private individuals, academics, etc.
They also intentionally changed the dates of creation of the files in order to make it difficult for researchers to discover when the toolkit and its modules were created. Kaspersky Lab experts know it has been detected in the wild in February 2010, but are also convinced that earlier versions of the malware could have been floating around.
It is still unclear if the "Wiper" malware Kaspersky Lab was contracted to find is actually Flame, but it seems that it could be a module of the toolkit that goes by the similar name.