Flame malware – more details of targeted cyber attack in Middle East

Flame malware - more details of targeted cyber attack

Flame image courtesy of ShutterstockEarlier today, when I first reported on Flame malware that is said to have targeted Iranian computer systems, there was precious little detail.

It seems the reason for the scant information was that an embargo had been put on the media, who were waiting for the magic time of 2pm UK time to publish their stories.

Sure enough, this afternoon much more colour has been brought to the story and high profile news websites such as the BBC and Wired are telling the story of how Flame has been seen on computers in the Middle East, and Iran in particular.

Firstly, The Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics has published an indepth analysis on the malware, which it has named “Skywiper”.

CrySyS’s 63-page PDF report says that it began to analyse the malware earlier this month, and hypothesises that it was “developed by a government or nation state with signigficant budget and effort, and may be related to cyber warfare activities.”

CrySys report

It is worth noticing that CrySyS received information about computers being infected with Skywiper in various countries, not just the Middle East. In fact, CrySyS noted that it had even received evidence of infections in it home country of Hungary.

One aspect of interest in CrySyS’s report is how Skywiper attempts to evade detection by anti-virus products by storing its code in .OCX files (not usually checked by anti-virus products in their default configuration). However, if the malware detects the presence of McAfee’s on-access scanner (McShield) it stores its code in .TMP files instead:

CrySys report

(By the way, Sophos products scan .OCX files by default.)

Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It’s code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all. Fortunately, complete code analysis is not necessary to add detection.

And now that the cat’s out of the bag anyway – you have to ask yourself, who is likely to continue to use Skywiper/Flame now it has received this much attention both from the media and from the computer security industry?

At the same time as CrySyS’s Skywiper report was released, anti-virus vendor Kaspersky published a report, claiming that the United Nations’ International Telecommunication Union had approached the firm asking it to analyse malware believed to be wiping information from Middle Eastern computers.

The top 7 countries affected by Flame, according to Kaspersky

Kaspersky’s Alexander Gostev wrote that Flame (as he called the malware that the Russian firm analysed) “might be the most sophisticated cyber weapon yet unleashed.”

Although Kaspersky was initially hesitant of suggesting that Skywiper and Flame (called “Flamer” by the Iranian authorities) were the same thing, it’s now clear that they are.

SophosLabs is in the process of adding detection of the malware as W32/Flame-A.

We will update this article as more information becomes available.

Update: SophosLabs has published detection for the major components of this threat. Sophos products will detect this threat as W32/Flame-A.

Flames image courtesy of Shutterstock.