Fortinet Blog | News and Threat Research


Will Flame burn itself out?

by Stefanie Hoffman  |  June 25, 2012  |  Category: Industry Trends & News

Over the last month, the Flame virus burst onto the scene with a level of technical complexity and sophistication that outpaced the most advanced malware seen to date. Weighing in at 20 MB, the piece of code, dubbed Flame, wowed the security community with covert cyber espionage capabilities usually reserved for Jason Bourne and Ethan Hunt.

Among other things, Flame can sit silently on a victim’s machine and capture screenshots, intercept network traffic and stealthily record audio in the room, which it subsequently sends to remote servers controlled by its operators around the world—all while effectively dodging more than 100 antivirus products.

It was further revealed that the notorious virus can even steal data from computers that aren’t connected to the Web by uploading the targeted information, as well as itself, to a USB stick. The crafty piece of malware then waits patiently until the drive is later plugged into an Internet-connected machine, at which time it siphons the pilfered data off to a remote server. Brilliant.

With characteristics scarily similar to its cyber espionage predecessor Stuxnet, it perhaps wasn’t too surprising when reports started circulating last week indicating that they both shared the same source code. Naturally, Flame was also found to be a creation of a joint U.S. and Israel espionage endeavor, aimed at extracting information from the Iranian nuclear program and ultimately crippling its forward progress, according to The Washington Post.

“Now that a module that is common to Stuxnet and Flame has been identified, it is no mystery any longer: the White House claimed ownership of Stuxnet via ‘authorized leaks,’ and the team who made Flame had access to (at least parts of) Stuxnet’s source code,” says Guillaume Lovet, Fortinet senior manager of the EMEA Threat Research and Response Center. “Conclusion: either that team is from the US services, or from a very close ally.”

Recent discoveries of Flame’s technical prowess are no doubt on par with the imaginations of some of Hollywood’s most talented scriptwriters. But how much of a threat is this enigmatic piece of code, really?

For the average home computer user and business owner, and any organization that’s not a Middle East nuclear power facility, the answer is “not much.” While labeled as the most complex threat to date, Lovet says that it will have little bearing on most users.

“Based on the data collected by the sinkholes set up by security researchers, the total number of infected systems worldwide stayed in the thousands,” he says. “Two weeks after it was discovered, there were less than a hundred infected systems remaining. And as of this writing, the remaining operational command and control centers gave the self-destruct order to the remaining copies of Flame.”

Part of the reason is that it was never intended for the average user. Recent research has shown that Flame was an information-gathering tool, designed to relay intelligence as part of the first sustained and comprehensive cyber campaign waged against a U.S. adversary, initiated by the CIA, the National Security Agency and Israel’s military, according to the Washington Post.

The recent revelations serve to demystify the virus, Lovet says—information which could also potentially take away some of the fear and hysteria associated with its emergence.

Plus, keep in mind that the Flame malware is hardly a new threat. Although discovered last month, the code has in fact been around for years. Reports vary as to the exact date of its origin, ranging from 2007 to as late as 2010. Regardless, the malware, now years old, came to light by happenstance, when Iran got wise to some suspicious code lurking around its nuclear program.

Also, while its capabilities taken together appear impressive, none of them is particularly unique or unprecedented, Lovet contends, “although the sheer size of it and the fact it’s made of binary modules coordinated by a Lua script is uncommon.”

That said, size alone does not determine how significant a threat is. And in recent weeks, Flame’s size has actually worked against it, earning it the label of “bloatware,” according to The Register.

That’s not to say that users shouldn’t apply all the standard security mechanisms and multi-layered defenses in order to detect and prevent known threats. (And now, Flame is a known threat.)

However, Lovet points out that many standard security measures are reactive by nature and will likely provide little protection against targeted threats, especially if attackers are determined to reach their intended target. And looking forward, chances are that the most insidious and dangerous threats on the security landscape have yet to be brought to light.
