Fortinet Blog | News and Threat Research

The Advanced Features of the Flame Malware

by RSS Raul Alvarez  |  June 07, 2012  |  Category: Industry Trends & News

It’s been a little more than a week since Flame was first identified. The FortiGuard Labs team posted a couple of earlier stories here and here.

What we know now is that Flame is among the most advanced pieces of malware we’ve ever encountered. The complexity of the code alone leads us to strongly suspect a government agency is behind its development. Flame is capable of recording audio, taking screenshots, gathering computer data, connecting to C&C servers and detecting security applications. It can also drop files, copy itself to a removable drive, inject code into different processes, and it has one of the most complicated encryption algorithms we’ve seen.

But what sets Flame apart from your standard, run-of-the-mill botnets is the software’s ability to use unauthorized digital certificates to disguise itself as a valid Windows application. So far, Flame is one of the first to successfully use this kind of attack. More details can be found in Microsoft Security Advisory (2718704).

Instead of hiding its components as a rootkit would, Flame remains hidden in plain sight. The components and files can easily be deleted without any control mechanism against deletion.


Further analysis shows that Flame isn’t coded the way typical malware is developed. Based on some strings and text taken from the code injected into the services.exe process, we have reason to believe that Flame uses some form of Lua programming.

Once Flame injects its code into the services.exe process, the software allocates memory for code that looks like compiled Lua bytecode. The Lua decompilers available in our labs are unable to recover the original source code. This leads us to believe that Flame may carry its own interpreter within itself.
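A quick triage check that follows from the observation above, added here as an example and not taken from the FortiGuard analysis: every standard precompiled Lua chunk starts with the signature bytes ESC "Lua" followed by a version byte and a format byte (0 in every official release), so a dumped memory region can be scanned for those headers before reaching for a decompiler. The sample dump below is constructed for the demonstration. The caveat is the one the post itself raises: a malware author shipping a private interpreter is free to change or strip the header, so a miss proves nothing, while a hit whose format byte is not 0 is itself a hint that the loader has been customised.

```python
"""Locate standard Lua precompiled-chunk headers in a byte blob (e.g. a memory
region dumped from a suspect process) and decode the header fields that
identify the Lua version and build. Illustrative code, not Fortinet tooling."""

LUA_SIGNATURE = b"\x1bLua"  # ESC 'L' 'u' 'a': start of every official precompiled chunk
KNOWN_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}


def describe_5_1_header(fields: bytes) -> str:
    """Decode the six bytes that follow version/format in a Lua 5.1 header:
    endianness, sizeof(int), sizeof(size_t), sizeof(Instruction),
    sizeof(lua_Number), integral flag."""
    endian, size_int, size_sizet, size_instr, size_num, integral = fields
    return (
        f"{'little' if endian == 1 else 'big'}-endian, int={size_int}, "
        f"size_t={size_sizet}, Instruction={size_instr}, "
        f"lua_Number={size_num} ({'integral' if integral else 'float'})"
    )


def find_lua_chunks(blob: bytes) -> list:
    """Return one record per Lua chunk signature found in blob, with the
    version the header claims and whether its format byte is the official 0."""
    hits = []
    pos = blob.find(LUA_SIGNATURE)
    while pos != -1:
        header = blob[pos:pos + 12]
        record = {"offset": pos, "version": "truncated",
                  "official_format": None, "note": ""}
        if len(header) >= 6:
            version_byte, format_byte = header[4], header[5]
            record["version"] = KNOWN_VERSIONS.get(
                version_byte, f"unknown-0x{version_byte:02x}")
            record["official_format"] = format_byte == 0
            if format_byte != 0:
                record["note"] = "non-official format byte; possibly a customised loader. "
            # Only 5.1 packs the build parameters directly after the format byte.
            if version_byte == 0x51 and len(header) == 12:
                record["note"] += describe_5_1_header(header[6:12])
        hits.append(record)
        pos = blob.find(LUA_SIGNATURE, pos + 1)
    return hits


# Constructed sample: padding, a PE-like fragment, one standard Lua 5.1 header
# (32-bit little-endian build) and one 5.2 signature with a non-official format byte.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 8
    + b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"
    + b"\x00" * 20
    + b"\x1bLua\x52\x07\x01\x04\x08\x04\x08\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_lua_chunks(SAMPLE_DUMP):
        flag = "" if hit["official_format"] else "  <-- check"
        print(f"offset {hit['offset']:#06x}: Lua {hit['version']} {hit['note']}{flag}")
```

Run against a real dump, the offsets give you where to carve candidate chunks for a decompiler; the version and size fields tell you which build of the reference tools to try first, and a consistent set of non-zero format bytes is your cue that the interpreter is not a stock one.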

Unlike other botnets we’ve evaluated in our labs, Flame, in the form we are seeing now, will likely not evolve: the very day its discovery was announced (May 28th), the whole infrastructure used to control it remotely was shut down. This indicates that the people behind it do not wish to continue the operation Flame was originally conceived for. Or at least, not in this form.

It doesn’t mean, however, that the same people won’t engage in other cyber attacks with similar objectives, which appear to be espionage against Middle Eastern organizations: live monitoring of the microphone and screen, and exfiltration of documents (notably AutoCAD documents, widely used to render plans of various structures in different industries).

What’s more, we don’t believe the malware will spread beyond the target countries already identified for two reasons.

  1. Unlike Stuxnet, Flame did not get “out of hand” and spread beyond its targets. Its propagation was better controlled than Stuxnet’s and was limited to fewer than a few thousand systems worldwide.

  2. Now that Flame has been discovered and well identified, all AV products are now capable of wiping it without problem. The malware doesn’t come with advanced resilience capabilities. The only place where Flame could keep spreading is on internal networks that are already infected (and not running up-to-date AV protection), thanks to its cunning propagation technique: impersonating Microsoft Update servers within the local area network.
