UPDATE: Are the winds of cyber war blowing, or is the newly discovered Flame worm just a tempest in a teapot? Just days after it was disclosed to the public, the Flame worm is fanning the flames of controversy within the security world. Threatpost takes a look at what people are saying.
Calling Tehran…
A good place to start with any analysis of Flame and its impact would be with its (presumed) targets: the Iranians. The Islamic Republic, notoriously secretive, has been uncharacteristically open about Flame in recent days. The country’s CERT published a report on Flame on Sunday (May 28th). That post acknowledged the attack, described some of Flame’s features and claimed that Iran National CERT had created its own signature for the virus and a removal tool. Iran’s CERT says its tool, which was completed in early May, is ready for distribution to organizations at risk of infection, according to a report by the BBC on Tuesday.
Reports have speculated that the Flame worm was behind a targeted attack on Iran’s Oil Ministry that forced the shutdown of key facilities in April. Iran acknowledged the attack at the time, but claimed that no sensitive data was compromised and that the Ministry was well defended against the attacks. In a statement published by the Iranian FARS News Agency, Deputy Oil Minister Hamdollah Mohammadnejad said in early May that the country knew the “nature of the attack and the identity of the attackers.” What’s unclear is why it took Iran over a month to develop a cleaning tool for the worm, and why the country was still a hotspot for infections weeks later. Although, if domestic AV vendor Zero Virus is any indication, the Iranian security technology sector is lagging well behind its Western counterparts.
How Old Is Flame, Anyway?
One question that’s bubbled up amid all the ink spilled on Flame in the last 24 hours is about the origins of the worm. How new – or old – is Flame, anyway? It’s a difficult question to answer. As Kaspersky researchers said, the malware’s authors took steps to mask the virus’s real origins by backdating the file date on some key components to the mid 1990s (which strains credulity). Other attributes of the malware suggest a more recent vintage, with a number of modules either created or changed in 2011 and 2012. The security firm Webroot told National Public Radio in the U.S. that it detected a version of Flame as early as 2007 and “didn’t think much of it.” A report from the folks at the security firm Alienvault tends to support the Webroot line. They say they found clues that point to different components within Flame that are “nearly four years” old, with the main component of the malware dating to August 2011. Of course, given the complexity of the malware, everyone can be right here: Kaspersky for putting the creation date for the main components of the worm sometime within the last year or two, and other firms for saying that they detected components used in Flame further back.
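The dating argument above rests on two different clocks: the timestamp a compiler writes into a PE header and the timestamp the filesystem records for the file. The script below is an added example, not code from Threatpost, Kaspersky, Webroot or AlienVault, showing the kind of consistency check an analyst can run across a set of modules: a filesystem modification time that predates the compile stamp is physically impossible and points at backdating, and a compile stamp years older than the rest of the set is a candidate for the “older component reused later” explanation. The module names, dates and the minimal PE headers are constructed for the demonstration, and the three-year outlier threshold is an assumption, not anything the article states.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime,
    or None if the buffer does not carry a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need the 4-byte "PE\0\0" signature plus the 20-byte COFF header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # TimeDateStamp
    return datetime.fromtimestamp(stamp, tz=UTC)


def build_test_pe(compile_time: datetime) -> bytes:
    """Constructed minimal PE header (no sections, no optional header).
    Only the fields that pe_compile_time() reads are meaningful."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH",
                       0x14C,                            # Machine: i386
                       1,                                # NumberOfSections
                       int(compile_time.timestamp()),    # TimeDateStamp
                       0, 0,                             # symbol table fields
                       0,                                # SizeOfOptionalHeader
                       0x0102)                           # Characteristics
    return bytes(dos) + b"PE\0\0" + coff


def timestamp_anomalies(modules, outlier_gap=timedelta(days=3 * 365)):
    """modules: {name: (pe_bytes, filesystem_mtime)}.
    Returns {name: (compile_time, [flags])} where flags is a list of
    'mtime_before_compile', 'older_than_rest_of_set' or 'not_pe'."""
    compiled = {name: pe_compile_time(data) for name, (data, _) in modules.items()}
    known = [t for t in compiled.values() if t is not None]
    newest = max(known) if known else None
    result = {}
    for name, (_, mtime) in modules.items():
        ct = compiled[name]
        flags = []
        if ct is None:
            flags.append("not_pe")
        else:
            # a file cannot be written to disk before its compiler stamped it
            if mtime < ct:
                flags.append("mtime_before_compile")
            # components far older than the newest one merit a second look
            if newest is not None and newest - ct > outlier_gap:
                flags.append("older_than_rest_of_set")
        result[name] = (ct, flags)
    return result


# Constructed sample set (hypothetical names and dates, not Flame's real modules).
SAMPLES = {
    "main_module.dll": (build_test_pe(datetime(2011, 8, 15, tzinfo=UTC)),
                        datetime(2011, 8, 16, tzinfo=UTC)),   # consistent
    "helper_a.ocx":    (build_test_pe(datetime(2011, 12, 1, tzinfo=UTC)),
                        datetime(1995, 3, 10, tzinfo=UTC)),   # mtime backdated
    "helper_b.dll":    (build_test_pe(datetime(2007, 6, 1, tzinfo=UTC)),
                        datetime(2007, 6, 2, tzinfo=UTC)),    # genuinely older
}

if __name__ == "__main__":
    for name, (ct, flags) in timestamp_anomalies(SAMPLES).items():
        print(f"{name:16s} compiled {ct:%Y-%m-%d}  {', '.join(flags) or 'ok'}")
```

Both flags are heuristics rather than proof: compile stamps are trivially rewritable, and a vendor shipping an old library unchanged will look like an outlier, which is exactly why the article’s “everyone can be right” reading is plausible.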
Cyber weapon, or just malware?
The most strident debate in recent days has been over Flame’s origin and purpose. Kaspersky researchers have been clear in calling Flame a cyber weapon and, to quote the BBC, an “industrial vacuum cleaner for sensitive information.” (Nice!) As Threatpost reported yesterday, an influential early analysis by researchers at CrySyS Lab in Hungary supports that contention, concluding that Flame (which they refer to as “sKyWIper”) is the work of a well-funded government.
“The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities. sKyWIper is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found,” they wrote in their analysis.
However, there’s disagreement about that. Webroot isn’t convinced Flame is the product of a nation-state actor, and suggests it may just be a complex malware toolkit akin to others that are common online. “There’s probably multiple authors, but based on the fact that it isn’t well armored and is just a static threat, this probably wasn’t done by some large organization,” Joe Jaroch of Webroot told NPR. And, indeed, there are others within the security community who wonder whether a sophisticated cyber weapon would need to be as large and complex as Flame.
But Kaspersky Lab researchers see connections between Flame and both the Stuxnet and DuQu malware families, with CEO Eugene Kaspersky calling Flame “another phase in this (cyber) war.” While the code base is different, Flame exploits the same vulnerabilities as Stuxnet to gain a foothold on target networks, and also spreads via the same mechanisms: USB, vulnerable network file shares and printers. That, and the worm’s Swiss Army Knife quality, suggest an espionage tool rather than one aimed at generating profit from stolen data, spam, DDoS attacks or the myriad other illicit online activities. Add to that evidence a public non-denial from Israel’s Deputy Prime Minister Moshe Ya’alon, who told Israeli radio on Wednesday about Flame that “such measures were reasonable for anyone who views Iran as a threat” and who then praised Israel’s technological capabilities.
What does this mean for me?
The answer to that question depends on who you ask. Commentary on Flame has run the gamut. On the one hand are researchers, including those at (Threatpost corporate parent) Kaspersky Lab who call Flame the “most sophisticated cyber weapon” yet and a piece of malware so complex that it may take years to decode. There are others, however, who see Flame as just another example of a long line of complex, modular and sophisticated malware – not all of it associated with espionage. Is Flame really all that different from malware like Agobot, the now-notorious family of bot malware that was common five or six years ago? It remains to be seen. For one thing, researchers haven’t yet deciphered all the Flame modules, so they can’t say for sure exactly what else the malware might do.
There are also “political” motivations to consider: Iran versus Israel and the West, as well as lingering Cold War rivalries. More than one commentator has wondered aloud about the geopolitics of Flame – Kaspersky is a Russian firm, after all, and Russia and the West have been engaged in heated dialog in recent years about how and where to draw the line on cyber warfare. Is that geopolitical struggle echoed in the dire warnings about Flame and talk of cyber weaponry? Some people think so. It’s worth noting, however, that Kaspersky is hardly the only company to sound alarms over Flame. U.S.-based Symantec has been equally strident in its messaging about the worm.
There is reason to be skeptical about all the dire warnings about Flame. For one thing, the number of infected systems worldwide is likely in the thousands, not the tens of thousands or millions that are common with other kinds of malware. And many of those infections are concentrated in two countries: Iran and Hungary. That means most computer users in Europe, North America and Asia have little to fear from the worm.
There’s noted (and reasonable) skepticism about the role that anti-malware firms have played in trumpeting news about this new and sophisticated threat. Countless firms have waded into the fray with “[Name that company]’s customers are protected from Flame” PR blitzes. So what are the lessons of Flame? Roger Thompson at ICSA Labs writes that Flame isn’t a worst case scenario, by virtue of the fact that it has been discovered and named. “The worst hack is the one you don’t know about.” One important lesson should be that “every country is trying to do exactly the same thing” as whoever, or whatever, created Flame. Companies shouldn’t ditch their anti-malware (which Iran’s CERT claims missed the Flame infections on that country’s computers), but they should start supplementing signature-based detection with the kinds of network/endpoint behavior and traffic monitoring tools that can spot infections even when the source of the infection is novel, Thompson argues.
Correction: An earlier version of this story incorrectly identified the ICSA Labs writer as Joe Stewart. Roger Thompson is the author of the ICSA blog post. The story has been corrected. – PFR 5/31/2012