Flame: Trying to Unravel the Mystery of ‘Sophisticated’ Spying Malware

May 30, 2012 at 12:00 AM EDT
Reportedly capable of taking computer screenshots, logging keystrokes and even listening in on office conversations, malware known as "Flame" is grabbing international attention after appearances in Iran and elsewhere in the Middle East. Jeffrey Brown and guests discuss the potential risks of a "Flame" outbreak.

TRANSCRIPT

JEFFREY BROWN: Now, a computer virus grabbing international attention for its size and perhaps sophistication.

Yesterday, a Russian Internet security firm released a report about the so-called Flame virus that’s appeared in Iran and elsewhere in the Middle East. And, today, Tehran confirmed that some of its computers were infected, including those tied to the oil industry.

Flame is thought to be a virus used for espionage, reportedly capable of taking computer screen-shots, logging keystrokes, and even listening in on Skype calls and office conversations. It can also steal information from any Bluetooth-enabled cell phones that are nearby.

The emergence of Flame is drawing comparisons to the 2010 Stuxnet virus that penetrated and damaged Iran’s nuclear program. Israel was widely suspected of being at least in part behind that attack. So far, Israeli officials have neither confirmed nor denied involvement with this new virus.

But on Tuesday, Israeli Vice Premier Moshe Ya’alon said, “Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it.”

So, what do we know and what do we not know? For a closer look, we turn to Dave Shackleford, chief technology officer for the Institute for Applied Network Security, or IANS, an information security research firm, and Catherine Lotrionte, professor and executive director of the Institute for Law, Science and Global Security at Georgetown University. She is a former legal counsel at the CIA.

Dave Shackleford, start with you. Fill us in a little bit more for us. What is the Flame? How do you describe it and what does it do?

DAVE SHACKLEFORD, chief technology officer, Institute for Applied Network Security: So, the Flame is actually a fairly sophisticated piece of malware.

There’s been a lot of discussion in the Internet security community around this in the last few days, and quite a few research organizations have done a fairly thorough type of disassembly of this piece of code. And it looks to be fairly sophisticated. Again, it’s got a lot of capabilities.

It’s able to look for specific data types. It’s able to look for new systems that are vulnerable within organizations’ networks. It’s able to exfiltrate that data in a number of different ways. And, again, it’s fairly large, so that’s a little bit unusual. It’s pretty big for one of these very sophisticated pieces of malware these days.

But, again, it looks to have a lot of capabilities.

JEFFREY BROWN: Catherine Lotrionte, it’s more about collecting information than destroying things, right, so watching Skype, listening in on telephones, checking keystrokes, things like that?

CATHERINE LOTRIONTE, Georgetown University: It is a clandestine intelligence collection tool, and pretty effective in terms of the analysis that has been done by the different groups in terms of the multiple ways in which it collects information, whether it’s through Skype, which is a difficult thing to actually use as their surveillance, to break into as a surveillance tool.

So it is — looks to be broad-sweeping, looking at a number of different targets across a variety of geographic locations. But these were all specifically designated targets, and that’s what is an indication of a very good, tailored collection tool.

JEFFREY BROWN: Well, what does it — does it tell you anything — or what do we know about who might have done it and what the specific targets would be? How much do we know at this point?

CATHERINE LOTRIONTE: So, the cyber-security experts that have looked at it, they have been able to identify certain locations in particular countries where systems, computers and networks have been compromised.

So, they have identified mainly Middle East countries, but Iran, Israel, Palestine, Hungary, Saudi Arabia, Sudan, Syria, Egypt. What is interesting is that the more you know about the targets — and one day we will be able to — not right now — but as they do more work — and it may take up to a year to actually dissect it and know more about this code — the more you know about the targets will tell you about the purpose of the operation itself.

JEFFREY BROWN: Now, Dave Shackleford, when you say that it’s big, explain. What does that mean in layman’s terms and how does that make a difference?

DAVE SHACKLEFORD: Well, that makes a fairly significant difference actually, because the trend in malware writing over the last several years has been the opposite, create smaller code that’s much more difficult to detect or really be able to pick up by things like antivirus programs or other types of security programs.

And so this particular piece of malware is actually over 20 megabytes in size, which is highly unusual. Now, that of course ties into all of the different capabilities that this piece of malware has. Again, it is very extensible. It has got a lot of different options available to it. In fact, it’s built so that malware authors can add and adapt the piece of malware itself and actually change it to whatever they’d like it to do, whether that is monitoring different communication types or look for data types or even target specific organizations, but still fairly large, which again I think has some people wondering whether or not this was really intended for complete stealth or whether it was really built more just to have the entire toolkit all in one place.

JEFFREY BROWN: I guess, Dave, we should say that term malware that you’re using is — refers to software with a bad purpose. Right?

DAVE SHACKLEFORD: Exactly. A lot of people think viruses, but the term viruses is a little too specific, so we usually use a fairly broad, encompassing term like malware.

JEFFREY BROWN: Catherine Lotrionte, this is just one part of this new world of cyber-war and cyber-spying. Right? How does it fit in to that world?

CATHERINE LOTRIONTE: So certainly — and there is a distinction between cyber-war vs. cyber-espionage.

As an intelligence tool, Flame was — the purpose of it was to collect information from specific targets, unlike Stuxnet, where it was destructive. They may both be using the same vulnerabilities to get into a particular computer, but, once they’re in, what is referred to as their payload is different.

That basically means their job, the job of the malware, is different. In the case of Flame, it was to collect. So, under the international law, for instance, war is distinguishable from espionage. Both can and have been occurring in cyberspace. This is not actually the first intelligence tool in cyberspace as malware.

We have seen others before, Zeus. And the U.S. has been a target of this. It is a reality. Espionage, intelligence collection against foreign targets, foreign nations, foreign leaders, individuals is just a fact, the reality of it.

JEFFREY BROWN: Would it definitely be a government-to-government thing, or would it also be non-governmental entities as well, possibly?

CATHERINE LOTRIONTE: So, in this case, certainly, there are corporations that conduct corporate espionage against each other across national boundaries.

In this case, most of the technical experts have said that the sophistication of the code, that it is as large as it is, that it probably had the resources of a state actor in which — putting it together. That is why the key is understanding the targets, understanding the individuals.

Right now, none of the reports that I have read by the security experts have identified individuals by name. But they can do that, and they will do that. That will tell you who would want to target those individuals.

JEFFREY BROWN: And, Dave Shackleford, just briefly, that process unwinds over a period of looking at the code and trying to figure out all the different aspects to it? And I guess, as you said, there’s still a sort of debate within the community of what this is and how sophisticated it is.

DAVE SHACKLEFORD: Absolutely.

And so there’s definitely research ongoing right now. It may take some time to really unravel this, as it is a fairly large and sophisticated piece of code. However, most of the security experts that I have spoken with and different people in the community have generally come to the conclusion — and this may be somewhat flawed at this point — that this is not actually anything that new.

In fact, most of the capabilities that seem to be within Flame, we have seen for over 10 years. In fact, these monitoring capabilities and the ability to get keystrokes from a keyboard or turn on the microphone on a system, we have had those for quite some time.

So, in fact, what we’re seeing here is unique only in the sense that it’s all bundled into one piece of malware, and that it’s been deliberately put out, again, to specific targets that really raise some different questions. The malware itself doesn’t really seem to be that unique, other than that.

JEFFREY BROWN: All right, a mystery to watch.

Dave Shackleford and Catherine Lotrionte, thank you both very much.

CATHERINE LOTRIONTE: Thank you.