May 30, 2012

Malware Traditions on Fire: What you need to know about Flame

Patrik Runald

Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It's also unusually large (20 MB), whereas most attacks use small files (under 1 MB). The file is so large because it incorporates a broad set of capabilities, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some techniques rarely found in malware, such as using the Lua scripting language for some of its functions. The primary function of Flame is to collect and upload information.

While it doesn't really do anything we haven't seen before in other malware attacks, what's interesting is that it weaves multiple techniques together and applies them dynamically based on the capabilities of the infected system. Flame has also been operating under the radar for at least two years, which, counterintuitively, may partially be attributed to its large size.

Flame has been found mainly in the Middle East, specifically in Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria. Based on historical APT patterns, the target region, and the complexity and quality of the code, our guess is that Flame was created by one or more Western intelligence agencies. I don't think we'll see too many copycats of Flame, but we will see more targeted attacks against nations. This follows the trend we have been seeing of nation-vs.-nation web threats that go beyond off-the-shelf Remote Access Kits.

How effective Flame has been remains to be determined, as only a small number of infections have been discovered so far. While we have identified it in approximately eight countries, it is targeted and present on only a select number of systems. We will be sure to keep our readers updated on our findings.

It's also important to mention that our Websense Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) customers all have protection in place for known samples of Flame. All of these solutions leverage our ACE (Advanced Classification Engine) technology.

Do you have any questions on Flame? If so, leave a comment and we can discuss.
