nsane.forums Posted May 30, 2012

Flame can sniff out information from input boxes, record audio from a connected microphone and take screenshots of applications that the virus deems important.

A frightening computer virus called Flame is on the loose in Iran and other parts of the Middle East, infecting PCs and stealing sensitive data. Now, the United Nations' International Telecommunications Union warns that other nations face the risk of attack.

But what is Flame, exactly, and is it cause for concern among ordinary PC users? Here's what you need to know about what Kaspersky calls “one of the most complex threats ever discovered.”

Flame Virus: The Basics

Kaspersky describes Flame as a backdoor and a Trojan with worm-like features. The initial point of entry for the virus is unknown -- spearphishing or infected websites are possibilities -- but after the initial infection, the virus can spread through USB sticks or local networks.

Flame is meant to gather information from infected PCs. As Kaspersky's Vitaly Kamlyuk told RT, the virus can sniff out information from input boxes, including passwords hidden by asterisks, record audio from a connected microphone and take screenshots of applications that the virus deems important, such as IM programs. It can also collect information about nearby discoverable Bluetooth devices.

The virus then uploads all this information to command and control servers, of which there are about a dozen scattered around the world.

The virus is reminiscent of the Stuxnet worm that wreaked havoc on Iran in 2010, but Kaspersky says Flame is much more complex, with its modules occupying more than 20 MB of code. “Consider this: it took us several months to analyze the 500K code of Stuxnet. It will probably take year to fully understand the 20MB of code of Flame,” the firm said.

What Are Flame's Origins?

Flame has been in the wild since 2010, according to Kaspersky, but its creation date is unclear. The virus was discovered a month ago after Iran's oil ministry learned that several companies' servers had been attacked. That finding led to more evidence of attacks on other government ministries and industries in Iran.

Iran has claimed that the attacks also wiped the hard drives of some machines, but Kaspersky claims that the malware responsible, called Wiper, isn't necessarily related. Wiper attacks were isolated to Iran, while Flame has been found in other countries.

Flame's creator is also unknown, but a nation-state was likely behind it. The virus is not designed to steal money from bank accounts, and is much more complex than anything commonly used by “hacktivists,” so a nation-created virus is the only other possibility that makes sense.

Who is at Risk?

The United Nations' International Telecommunications Union is now warning other nations to “be on alert” for the virus, which could potentially be used to attack critical infrastructure. In a statement to Reuters, the U.S. Department of Homeland Security said it was “notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S.”

Security firms have not been warning of any direct risk to average Internet users. Sophos' Graham Cluley noted that Flame has only been discovered in a few hundred computers. “Certainly, it's pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year,” Cluley wrote in a blog post.

View: Original Article

Ambrocious Posted May 30, 2012

So this virus......it must have taken a VERY long time to write. Who would make such a complicated virus that does so much chaotic stuff other than for a purpose of cyber warfare? All my bets are on the US Government being behind this...or at least some government is. There is the unique possibility that sometime in the future, a full A.I computer or even a partial A.I computer will be able to generate complex virus codes and automate them over the internet which would eventually cripple all of cyberspace. I know that sounds like SkyNet and from what I hear, a very similar program is already in existence today.

deisler Posted May 31, 2012

The United Nations' International Telecommunications Union is now warning other nations to “be on alert” for the virus, which could potentially be used to attack critical infrastructure. In a statement to Reuters, the U.S. Department of Homeland Security said it was “notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S.”

You are wrong friend, they had nothing to do with it since they're worried themselves! LOL. Did anyone buy that?

mastershake Posted May 31, 2012

Symantec Security Response manager Vikram Thakur said that his company's experts believed there was a "high" probability that Flame was among the most complex pieces of malicious software ever discovered.

At least one rival of Kaspersky expressed skepticism. Privately held Webroot said its automatic virus-scanning engines detected Flame in December 2007, but that it did not pay much attention because the code was not particularly menacing.

That is partly because it was easy to discover and remove, said Webroot Vice President Joe Jaroch. "There are many more dangerous threats out there today," he said.

A Webroot spokesperson says the security vendor takes issue with the hyperbolic claims about ‘Flame’, and claims the underlying threat has been known since 2007. “In terms of sophistication we believe it is nowhere near Zeus, Spyeye or TDL4 for example. Essentially Flame at its heart is an over-engineered threat that doesn’t have a lot of new elements to it--essentially a 2007 era technology.”

There is one element of ‘Flame’ that Webroot believes may be unique, though. Many antimalware tools use some form of reputation analysis to help determine if a given program is malware or not. Essentially, if the executable has been seen before, and hasn’t done any previous harm it gets a bit of a “free pass”--it has proven itself and earned some level of trust. Webroot feels that the amount of time that has passed between the initial development of the underlying ‘Flame’ code and its active use as a tool for cyber espionage or cyber warfare may have been an intentional effort to game the reputation system and sneak in under the radar.

And in an interview with NATIONAL PUBLIC RADIO:

DAVID GREENE, HOST: Yesterday, on this program we told you about a new cyber-spying program that goes by the name Flame. Kaspersky Lab, a Russian computer security company, says it found the program lurking on computers in the Middle East. The company says Flame is a very sophisticated piece of spyware, so sophisticated, it must have been created by a country's government. But as NPR's Martin Kaste reports, it didn't take long for other security experts to cast doubt on those claims.

MARTIN KASTE, BYLINE: Kaspersky researcher Roel Schouwenberg calls Flame an espionage toolkit, capable of spying on a computer in any number of ways.

ROEL SCHOUWENBERG: It can capture all network data flowing to and from the computer. It can also actually activate the microphone on the computer to eavesdrop on conversations.

KASTE: Schouwenberg thinks Flame comes from the same source as Stuxnet, the malware that sabotaged engineering equipment in Iran, and which is widely believed to have been launched by Israel or the U.S. Flame's programming looks different, but it spreads itself in a similar way, and Schouwenberg thinks the two programs may have been parallel projects.

SCHOUWENBERG: Flame was actually much more successful in its target of being stealth and unnoticeable on the system than Stuxnet.

JOE JAROCH: We actually saw this threat back on December 5th of 2007.

KASTE: Joe Jaroch is vice-president of an American computer security company called Webroot. He says his company blocked Flame back then and didn't think much of it.

JAROCH: We've definitely taken a closer look at it now. It's impressive in that it's gigantic.

KASTE: Flame is a big program full of legitimate-looking software, something Jaroch says may have helped it to look benign and slip past other anti-virus companies. And he is not convinced that Flame is the uber-sophisticated product of some country's spy agency.

JAROCH: There's probably multiple authors, but based on the fact that it isn't really all that armored, and it's really just a relatively static threat, I would say this probably isn't done by some large organization.

KASTE: Of course, it's no surprise to hear one computer security company rain on another's parade. But the announcement by Kaspersky Lab also came under some scrutiny yesterday because the company is based in Russia. Jim Lewis, at the Center for Strategic and International Studies, says one should at least consider the potential geopolitical motives.

JIM LEWIS: You know, it damages the U.S. a little bit to put this story out there. If it was an Israeli or U.S. or British collection program, the Russians found it and they've turned it off. They would regard that as a success.

KASTE: Then again, there are also some more mundane reasons to publicize spyware like Flame.

JEFF FISCHBACH: I don't envy the anti-virus companies.

KASTE: Computer forensic expert Jeff Fischbach says these days PCs are a lot less vulnerable to spyware than they were ten years ago. He recalls a time when there were so many holes in Microsoft Windows he bought multiple anti-virus products just to be safe. But no longer.

FISCHBACH: I can't remember the last time I actually went out and purchased a boxed anti-virus program.

KASTE: He says as Microsoft has become better at patching some of those holes, security companies have had more reason to call attention to super-spyware like Flame.