Another holiday here in upstate New York, another roll of the fire trucks while some were supposed to be kicking back and enjoying a barbeque.
It's times like this when I'm glad I'm not in the antivirus business anymore and doubly relieved that none of our machines run Windows. No flames here.
Computer security people however may have to reach for the extinguisher this morning as the latest conflagration in the news bounces across their desk, the discovery of yet another "super virus" called "FLAME" as reported by this BBC article.
Only problem is that according to Kaspersky, who made the discovery in coordination with the U.N.'s International Telecommunications Union (ITU), this one's been in the wild since at least December of 2010 and has only been detected now.
Here we go... again.
FLAME is described by Kaspersky as "one of the most complex threats ever discovered". And it's a huge mother. 20 modules and 20 megabytes worth.
Stranger yet is that the infector is an ActiveX control in the form of an OCX (OLE Control Extensions) file which apparently has run completely undetected for years. The worm runs as a Windows service, and most of the files are visible when running, making this even more of a surprise.
The Maher Center and Iran's CERTCC published this report identifying the worm and its components. What I find amusing from a researcher's standpoint is Kaspersky's theory that this too is a "state-sponsored" worm, but when you look at the code snippets which Kaspersky published, in addition to the various use of the word "flame" in the code, there are also variables called "gator" and "frog" in there as well.
When I've examined "officially" produced malware, such names for variables published within the code just do not happen. Another thing that doesn't smell right is that Israel has also been a target of this worm in numbers only exceeded by Iran as shown in this article in Australia's Herald Sun newspaper.
Kaspersky shared their find on Monday with the other antivirus companies and so hopefully it will be detected by the other antiviruses out there soon. I'll be enjoying the rest of the lemonaide from yesterday myself, that stuff can't run on our own stuff here.
About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.