Flame virus, what is the reality?
Is Flame, the third in the series of viruses to attack Iran (after Stuxnet and Duqu), the creation of gamers or of cyber warriors? Then again, any story with the words “Iran,” “espionage” and “attack” in it is bound to attract attention.
I have a question. Why would super-secret spy software use a gaming language?
With all the talk about Flame being the most powerful, stealthy and ingenious computer virus ever written, I have many questions about it. First on my list is the size. This is not in the least bit stealthy. The full program is about 20 megabytes. It contains libraries for compression (zlib, libbz2, ppmd), a database engine (sqlite3) and a Lua virtual machine. That is extremely large for this type of program (not all of it lands at once: the initial component is around 6 MB and the rest is fetched as modules), but you could say it is so large it hides in plain sight.
Secondly, a good part of it is written in Lua, the same scripting language used for games like Angry Birds. To be precise, Flame's core is native C++ code; the Lua VM is embedded in it and the attack logic is driven by Lua scripts calling into that C++ code. Lua in a “spy tool” is just weird. Among developers Lua is known as a very simple language: the syntax is small and easy to pick up.
So let’s discuss this more. Lua is in fact very common. Lua, which is Portuguese for “moon,” was developed in 1993 at the Pontifical Catholic University of Rio de Janeiro (PUC-Rio) in Brazil. It is still maintained by a small group of programmers there who rarely change its core. It is a favourite of game developers around the world because it is simple, embeds easily into a C or C++ host, and runs on almost any platform. Lua is everywhere; you can hardly pick up an Xbox game without it.
While many so-called security firms have claimed they cannot think of another piece of malware before Flame that used Lua, a well-known hacker tool has used it for years. Nmap, released by Gordon Lyon in 1997, was originally intended as a “Network Mapper” and security scanner for discovering hosts and services on a computer network. The Nmap Scripting Engine (NSE), added in 2006, is built on Lua. Ironically, this tool has become a must-have in the hacker’s toolbox.
Over the last few years Lua has really come to the attention of hackers. It is scriptable, easy to understand and very easy to update.
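The size argument above suggests a practical check a responder can run on an oversized dropped binary: scan it for the marker strings that the bundled libraries leave behind (version banners, error messages, file magic) and for precompiled Lua chunks. The script below is an added example and not code from Kaspersky's analysis or from this article; the marker strings it uses are an assumption of the example (literals these libraries normally embed in their object code), the Lua bytecode magic is the real `ESC L u a` header, and the sample blob is constructed inline to stand in for a dropped file.

```python
"""Offline triage for an oversized dropped binary: which well-known libraries
were statically linked in, and does it carry precompiled Lua chunks?

Added example, not code from any Flame analysis. The marker strings below are
an assumption of this example: literals that these libraries normally embed in
their compiled code, so a plain byte scan can reveal that they were bundled."""
import re
import sys
from typing import Dict, List

# Assumed markers per library (see note above).
LIBRARY_MARKERS: Dict[str, List[bytes]] = {
    "sqlite3": [rb"SQLite format 3"],                              # database file magic the library writes
    "zlib":    [rb"(?:inflate|deflate) \d+\.\d+\.\d+ Copyright"],  # zlib version banner
    "libbz2":  [rb"bzip2/libbzip2: internal error"],               # libbzip2 assertion message
    "lua-vm":  [rb"attempt to %s a %s value", rb"Lua 5\.\d"],      # Lua runtime error format, version string
}

# Precompiled Lua chunks begin with ESC 'L' 'u' 'a' and a version byte
# (0x51 for Lua 5.1); a host that embeds the VM often ships scripts this way.
LUA_BYTECODE_MAGIC = b"\x1bLua"


def detect_libraries(blob: bytes) -> List[str]:
    """Return the names of libraries whose markers appear in the blob."""
    return [name for name, patterns in LIBRARY_MARKERS.items()
            if any(re.search(p, blob) for p in patterns)]


def lua_chunk_offsets(blob: bytes) -> List[int]:
    """Offsets of embedded precompiled Lua chunks."""
    offsets, start = [], 0
    while True:
        idx = blob.find(LUA_BYTECODE_MAGIC, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + len(LUA_BYTECODE_MAGIC)


def triage(blob: bytes, size_threshold: int = 5 * 1024 * 1024) -> dict:
    """Summarise the footprint. The flag is a triage hint, not a verdict:
    a game engine legitimately bundles a Lua VM and bytecode too."""
    libs = detect_libraries(blob)
    chunks = lua_chunk_offsets(blob)
    flagged = ("lua-vm" in libs and len(chunks) > 0) or \
              (len(blob) >= size_threshold and len(libs) >= 2)
    return {
        "size": len(blob),
        "libraries": libs,
        "lua_chunks": len(chunks),
        "flagged": flagged,
    }


# Constructed sample blob standing in for a dropped binary (not a real sample).
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"SQLite format 3\x00"
    + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
    + b"\x00" * 32
    + b"attempt to %s a %s value\x00Lua 5.1\x00"
    + b"\x1bLua\x51\x00" + b"\x00" * 16 + b"\x1bLua\x51\x00"
)

if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(triage(data))
```

The point of the scan is exactly the author's: a 20 MB "stealth" implant that statically links a database engine, three compressors and a scripting VM announces those components in plain strings, which is why such a footprint is cheap to spot once you know to look for it.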
So, does this mean Flame’s programmers are geniuses ahead of their time, or video-game amateurs?
Given that the subject is covert cyber-warfare, a game in which half-truths, confusion and disinformation are the rule rather than the exception, it will be very hard to find out where this came from. Some sides have already hinted that they are responsible for it.
Again, the information is coming from Iran, which has a history of playing the victim, and generally nobody believes them anyway.
But does it really do anything special? So far it is not clear whether Flame exploits any zero-day vulnerability, that is, a flaw in software that is still unknown to the vendor and the security industry and for which no patch exists.
Flame is a reconnaissance tool. According to Kaspersky it shares some traits with the earlier Duqu virus, particularly an affection for American movies. For example, Flame’s module for communicating with Bluetooth-enabled devices is called “Beetlejuice,” while an email used in a Duqu infection was sent by “Jason B.,” a suggested reference to Jason Bourne.
Researchers are still trying to find out whether Flame has Stuxnet-like sabotage capabilities, and evidence suggests it is capable of wiping a hard drive (as reported by Iran). Flame references a separate piece of malware called Wiper, and it is more likely that Wiper is one of Flame’s command modules than that Flame does the wiping itself.
Moscow-based Kaspersky Lab was one of the first to analyze the virus, calling it “the most powerful malicious program ever.” However, in my opinion, Flame is not particularly clever or uber-elite.
Let’s look inside Flame’s bag of tricks.
· Recording keystrokes, more commonly called keylogging, is technology that is about 30 years old. One of the earliest keyloggers was written by Perry Kivolowitz and posted to Usenet newsgroups in 1983.
· Turning on the microphone of your computer is also about 20 years old.
· Turning on the camera is newer technology, but still not news.
· Copying or taking snapshots of your email is nothing new either.
· Opening backdoors.
· Sniffing traffic on the LAN and collecting usernames and passwords.
· Attacking and infecting additional machines.
· Sending the data it collects to internet-based servers.
None of this is cutting-edge stuff; it was most likely a list of known techniques cobbled together into one large package, which would account for the extreme size of the payload.
In addition there are some odd coincidences around Flame that have nothing to do with its alleged sophistication. The International Telecommunication Union (a U.N. body) is looking to play a larger, more dominant role in cyber security and Internet governance. It recently asked Kaspersky to help find an unknown piece of malware that was deleting sensitive information on devices across the Middle East. That malware was “Wiper.” The ITU even issued a confidential warning about it, which is now plastered all over the internet. In the memo the ITU states “This particular malware is yet to be discovered.” But during the analysis conducted by Kaspersky for the ITU they discovered Flame. This is unprecedented. How did the ITU learn of this, and why did it go to Kaspersky, a Russian company?
Russia is pushing the ITU to play a bigger role in order to undercut what is perceived as American control over the Internet. Does Flame fit into this political battle?
Flame does not appear to be a weapon; it is certainly not the most sophisticated malware, and it is not new. But it may be made to appear as something larger and more significant than it is. Whether all of this is a wild coincidence is currently unclear.
A battle could be shaping up over the future of the internet.