Flame malware - more details of targeted cyber attack in Middle East

Filed Under: Featured, Malware

Flame image courtesy of ShutterstockEarlier today, when I first reported on Flame malware that is said to have targeted Iranian computer systems, there was precious little detail.

It seems the reason for the scant information was that an embargo had been put on the media, who were waiting for the magic time of 2pm UK time to publish their stories.

Sure enough, this afternoon much more colour has been brought to the story and high profile news websites such as the BBC and Wired are telling the story of how Flame has been seen on computers in the Middle East, and Iran in particular.

Firstly, The Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics has published an indepth analysis on the malware, which it has named "Skywiper".

CrySyS's 63-page PDF report says that it began to analyse the malware earlier this month, and hypothesises that it was "developed by a government or nation state with signigficant budget and effort, and may be related to cyber warfare activities."

CrySys report

It is worth noticing that CrySyS received information about computers being infected with Skywiper in various countries, not just the Middle East. In fact, CrySyS noted that it had even received evidence of infections in it home country of Hungary.

One aspect of interest in CrySyS's report is how Skywiper attempts to evade detection by anti-virus products by storing its code in .OCX files (not usually checked by anti-virus products in their default configuration). However, if the malware detects the presence of McAfee's on-access scanner (McShield) it stores its code in .TMP files instead:

CrySys report

(By the way, Sophos products scan .OCX files by default.)

Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It's code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all. Fortunately, complete code analysis is not necessary to add detection.

And now that the cat's out of the bag anyway - you have to ask yourself, who is likely to continue to use Skywiper/Flame now it has received this much attention both from the media and from the computer security industry?

At the same time as CrySyS's Skywiper report was released, anti-virus vendor Kaspersky published a report, claiming that the United Nations' International Telecommunication Union had approached the firm asking it to analyse malware believed to be wiping information from Middle Eastern computers.

The top 7 countries affected by Flame, according to Kaspersky

Kaspersky's Alexander Gostev wrote that Flame (as he called the malware that the Russian firm analysed) "might be the most sophisticated cyber weapon yet unleashed."

Although Kaspersky was initially hesitant of suggesting that Skywiper and Flame (called "Flamer" by the Iranian authorities) were the same thing, it's now clear that they are.

SophosLabs is in the process of adding detection of the malware as W32/Flame-A.

We will update this article as more information becomes available.

Update: SophosLabs has published detection for the major components of this threat. Sophos products will detect this threat as W32/Flame-A.

Flames image courtesy of Shutterstock.

, , , , , ,

You might like

8 Responses to Flame malware - more details of targeted cyber attack in Middle East

  1. Brian E · 1224 days ago

    What does Sophos detect this as?

  2. echlinm · 1224 days ago

    Thank you for the info and updates. Interesting thing I have dug up is the browse32 'kill' module which is supposed to clean the malware from the system seems to have shown up a couple of times in people asking about files on their systems. Both times the comments have been that it is part of Office but the office copy is a dll and in program files not windows. Could it be possible that Windows, as it does at times, has locked the browse32 file while it deletes and so occasionally this file is left over after it is done deleting everything and in some systems this may be the only sign that the system was infected?
    It would probably not be very often but it could be an indicator of possible previous infection. Other than this we will have to be looking at full disk backups and backup tapes to see if there was an infection.

  3. Devil · 1223 days ago

    Well done Sophos for the non-stop active resistance against malware.

  4. nobody@nowhere · 1223 days ago

    Thanks to US/Israel for spending $Millions developing malaware which non-state actors are going to copy for their own uses.


  5. Lighthorse · 1223 days ago

    Thanks for this. Interested to know who put the "embargo on the media" and why please?

    • I imagine that would be an organisation quoted in the BBC and Wired stories.

      As for why, I imagine it was to maximise their publicity. That's the normal reason why firms ask journalists not to report a story until a particular time.

  6. Terry · 1223 days ago

    It's behind you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley