Don't Get Burned By 'Flame' Malware Attack

Flame (or Skywiper) is a massive, complex threat. Weighing in at 20 megabytes, and somewhere around 750,000 lines of code, Flame is much closer to a commercial application like Microsoft Word or Intuit’s Quicken than it is to the vast majority of malware attacks out there. The question is: should you be concerned, and what can you do about it?

At a conference in November 2011, Regina Dugan, director of DARPA at the United States Department of Defense, explained, “On average, the malicious code, viruses, bots, worms and exploits that try to penetrate [our networks] rely on 125 lines of code.” Flame comprises more than 7,000 times that.

When a security vendor gets hold of a malware sample, it generally takes a matter of hours--or even minutes--to reverse-engineer it, figure out what it does and how it does it, and develop a signature to detect the threat and protect systems against it. Fully deconstructing and analyzing Flame could take months, or even years.

So far security researchers have discovered a wide variety of modules within Flame designed for different tasks. The quick analysis thus far suggests that modules like Flame, Weasel, Suicide, Euphoria, and Beetlejuice perform functions ranging from managing the Autorun infection routine, to interfacing with and controlling Bluetooth wireless devices, to self-termination of the malware.

The Flame malware itself may seem of little concern to most people. From what is known so far it seems to be a precision attack aimed at specific political and strategic targets in the Middle East. It seems at first glance to be a state-sponsored threat with military or national defense implications rather than run-of-the-mill malware that tries to steal your credit card information.

That’s true, and yet there is still much cause for concern. Even if Flame itself isn’t meant for you, the fact is that Flame was developed years ago, and it has been out there surreptitiously gathering data undetected. If one set of developers can create malware like Flame to use against specific targets, it’s possible that other similar threats are already out there and that we’re just not aware of them yet.

Thankfully, Flame didn’t reinvent malware. It’s impressive in its sheer size, but the underlying attacks are not all that unique. Malware toolkits like Zeus and SpyEye are also capable of many of the same underlying functions as Flame. Still, Flame has managed to fly under the radar for years.

Businesses and individuals should be more vigilant about monitoring network activity and identifying anomalous behavior. A layered defense should identify and block new threats from getting in, but should also contain elements that track behavior and watch outbound traffic to detect suspicious activity.
