The media has gone crazy about the Flame worm which has been seen infecting computers in the Middle East (Iran, in particular).
Are the news headlines doing a good job of educating the public about the seriousness of the incident, however?
Flame has been called “the most complex threat”, the world’s “most sophisticated cyber weapon”, and we’ve even been told it’s “much bigger than Stuxnet”.
But what does that actually mean?
Yes, Flame is bigger than Stuxnet. If you’re counting bytes.
Flame, with all of its modules and libraries, can come in at close to 20MBytes. That’s about 40 times larger than Stuxnet – which was itself portly by malware standards. So, yes, Flame is much bigger.
But my guess is that number of bytes wasn’t what you were thinking of when you read the headline.
After all, as we should always remind ourselves, size doesn’t matter. What matters to most computer users is whether they are likely to become infected by the malware or not, and how many computers it has infected.
Kaspersky, which made the biggest media splash regarding Flame has only discovered a few hundred computers infected by the malware.
That’s not that big.
Certainly, it’s pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year.
In fact, there were said to be 274 Flashback-infected computers in Apple’s home town of Cupertino alone – that’s more infections than there have been found of Flame in *all* of Iran!
And let’s not forget other malware outbreaks of past years – Conficker, Sasser, Sobig, Code Red – all much more significant in terms of number of infections than Flame.
20MB is a hefty piece of code by malware standards, there’s no doubt about that – even if much of it is made up of code libraries.
But it’s worth realising that it’s much *much* easier writing protection for a piece of malware than *analysing* what it actually does.
What’s going to take a while is dissecting Flame to find out all of its quirks and functionality, not protecting against it. When you hear anti-virus experts talk about Flame’s complexity, chances are that that’s what they’re referring to.
Because, at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.
Every day, we see approximately 100,000 new pieces of malware and most of them have the ability to steal information (by grabbing keypresses, taking screenshots, stealing your files) just like Flame.
Of course, Flame doesn’t really represent much of a threat anymore. Every anti-virus worth its salt (and even a few crummy ones I expect) now detect it and protect against it.
Whoever was behind it will likely be feeling pretty grumpy, or working hard on a new version which they hope will be able to skirt past defences.
So let’s keep things in perspective. Chances are that your computer is more at threat from some of the many other examples of malware that are in existence out there.
Furthermore, you shouldn’t need to be doing anything out of the ordinary to protect against these threats – keep your anti-virus and security patches up to date, take care over what software you install and the USB sticks you insert into your PC, run a layered defence inside your organisation. You know the drill by now.
I’m not saying that Flame isn’t newsworthy. It clearly is.
If I was a betting man, I’d probably put money on a state agency being involved in the creation of Flame. This seems to be being reported as fact, but there certainly isn’t any proof yet.
Not that the absence of evidence will stop some of the reports – after all, Flame has all the familiar ingredients to add to the ongoing narrative of how states could be using the internet to spy upon each other.
But that’s nothing we haven’t heard before, and it’s hard to think of anything new that typical computer users should be doing to protect themselves.
Sophos products protect users against the Flame threat, identifying it as W32/Flame-A.Follow @gcluley