Malware researchers claim that the code behind “Flame” bears many resemblances to Stuxnet and Duqu. The sophistication of the attack and the techniques used within the threat are similar, and so is the primary target: Iran.
While no group or nation has yet taken responsibility officially for Stuxnet or Duqu, the complexity of the attacks combined with the focus on Iran have fueled speculation that the malware is possibly a state-sponsored attack engineered by the United States, or Israel. A Symantec blog post suggests similar origins for ‘Flame’: “As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.”
McAfee agrees that ‘Flame’ is similar to Stuxnet and Duqu, but also notes that it’s much more complex and has notable differences as well. The ‘Flame’ code is modular, extendable and updateable, and capable of a wide range of covert, malicious behaviors. ‘Flame’ can steal data, capture screen shots, record audio using the compromised system’s microphone–but that just barely scratches the surface.
Stuxnet and Duqu are both impressive in their own right, and ‘Flame’ seems to be an order or magnitude more complex than these “sibling” cyber attacks. One security vendor isn’t as impressed, though, and believes that the response to ‘Flame’ essentially amounts to spreading FUD (fear, uncertainty, and doubt).
A Webroot spokesperson says the security vendor takes issue with the hyperbolic claims about ‘Flame’, and claims the underlying threat has been known since 2007. “In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it–essentially a 2007 era technology.
There is one element of ‘Flame’ that Webroot believes may be unique, though. Many antimalware tools use some form of reputation analysis to help determine if a given program is malware or not. Essentially, if the executable has been seen before, and hasn’t done any previous harm it gets a bit of a “free pass”–it has proven itself and earned some level of trust.
Webroot feels that the amount of time that has passed between the initial development of the underlying ‘Flame’ code and its active use as a tool for cyber espionage or cyber warfare may have been an intentional effort to game the reputation system and sneak in under the radar.
Early analysis suggests that ‘Flame’ is a complex, sophisticated threat. In terms of the actual size of the programming code behind it, ‘Flame’ is massive. Depending on the source, though, ‘Flame’ is either the most dangerous, insidious malware threat ever discovered, or simply a solid cyber attack that caught much of the industry with its proverbial pants down.