Flame: Another Holiday, Another Super Virus

Tuesday, May 29, 2012

Kevin McAleavey

Ba829a6cb97f554ffb0272cd3d6c18a7

Another holiday here in upstate New York, another roll of the fire trucks while some were supposed to be kicking back and enjoying a barbeque.

It's times like this when I'm glad I'm not in the antivirus business anymore and doubly relieved that none of our machines run Windows. No flames here.

Computer security people however may have to reach for the extinguisher this morning as the latest conflagration in the news bounces across their desk, the discovery of yet another "super virus" called "FLAME" as reported by this BBC article.

Only problem is that according to Kaspersky, who made the discovery in coordination with the U.N.'s International Telecommunications Union (ITU), this one's been in the wild since at least December of 2010 and has only been detected now.

Here we go... again.

FLAME is described by Kaspersky as "one of the most complex threats ever discovered". And it's a huge mother. 20 modules and 20 megabytes worth.

Stranger yet is that the infector is an ActiveX control in the form of an OCX (OLE Control Extensions) file which apparently has run completely undetected for years. The worm runs as a Windows service, and most of the files are visible when running, making this even more of a surprise.

The Maher Center and Iran's CERTCC published this report identifying the worm and its components. What I find amusing from a researcher's standpoint is Kaspersky's theory that this too is a "state-sponsored" worm, but when you look at the code snippets which Kaspersky published, in addition to the various use of the word "flame" in the code, there are also variables called "gator" and "frog" in there as well.

When I've examined "officially" produced malware, such names for variables published within the code just do not happen. Another thing that doesn't smell right is that Israel has also been a target of this worm in numbers only exceeded by Iran as shown in this article in Australia's Herald Sun newspaper.

Kaspersky shared their find on Monday with the other antivirus companies and so hopefully it will be detected by the other antiviruses out there soon. I'll be enjoying the rest of the lemonaide from yesterday myself, that stuff can't run on our own stuff here.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.

Possibly Related Articles:
6264
Information Security
Iran Cyberwar Stuxnet Kaspersky Active X trojan exploit Flame
Post Rating I Like this!
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey A VERY good report on "Flame" (a/k/a "skywiper" can be found here:

http://www.crysys.hu/skywiper/skywiper.pdf

It's produced by Crysys Lab at the Budapest University of Technology and Economics and well worth the read for those interested in the mechanics of this tired old bypass of AV detection.

And LOL at all the AV's who didn't even bother scanning OCX files because they're not "risky".

Hint to the AV's ... back in 2002, we designed our BOClean product to check any file starting "on demand" for "MZ" in the first two bytes of any file being opened. Presence of MZ, no matter WHAT the file extension means "executable" ... even works for files with TXT, TMP or PDF extensions.
1338339911
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.