Flame Is More Than Just FUD

Ignore the sceptics. The Flame worm is significant for what it says as much as what it does, argues Tom Brewster

Some notable members of the security community are trying to extinguish Flame, the malicious tool that has been getting plenty of headlines this week. They’ve been clamouring over each other to say why the hype isn’t justified.

Is it just blarney? Is this just more FUD (Fear, Uncertainty and Doubt) from the scaremongers of the security industry looking to peddle their wares? To some extent, yes. Vendors have always promoted threats and their nastier attributes because it means a double-win for them: they come across like the good guys policing the cyber world and they scare people into buying better security. Huzzah for half-truths!

Sometimes the “community” turns in on itself, however. Vendors bark at one another for over-hyping a threat, just as Eugene Kaspersky did when McAfee caused a stir with its Shady RAT findings. Kaspersky, using his acerbic Russian wit, labelled it Shoddy RAT.

Industry in-fighting

It has happened again with Flame. This time, it is Kaspersky facing a bit of backlash. Trend Micro’s resident rockstar researcher Rik Ferguson has written a diatribe on why Flame doesn’t stand out from the crowd, as it does nothing radically new. Different attributes like keylogging, camera and microphone hijacking, and network traffic capturing have all been seen before (although packaging them together like Flame does is pretty rare).

Ferguson also wryly pointed to a press release that came out just days before Kaspersky and the UN’s International Telecommunication Union (ITU) started going crazy about the dirty tool, which announced a partnership between the two organisations for the Telecom World 2012 event. “Incredible timing, huh?” quipped Ferguson.

There’s also the argument that Flame is already redundant. As soon as security companies know about a threat, it becomes moribund, especially if it causes as much of a media storm as Flame. Indeed, protection has already been pushed out by vendors and the Iranian government. Infection coverage is small scale too, with Middle Eastern governments the main target. IT guys working anywhere else can rest easy at night – there’s no need to get the virtual fire extinguishers out just yet.

Reasons to care

But we should not write off Flame as another meaningless FUD bomb. It is worth noting that most of the heavy hitters in security, including F-Secure’s Mikko Hypponen and the excellent CrySyS Lab, believe this is extremely serious. It may also be worth pointing out that it is vendors like Trend Micro, who did not immediately issue detailed research on Flame upon its emergence, that are pooh-poohing its importance. Security firms love the limelight, and turn a tad green when others are hogging it.

Outside of the fact that Flame has shown up the anti-virus industry yet again, there are three reasons this nasty worm should not be nonchalantly disregarded by sceptics: it has serious skills, it is causing a political storm, and, most importantly, its authors are state-funded and are most likely already creating similar, but better kit.

We don’t even know how skilful Flame is yet. There are a number of intriguingly named modules left to analyse, like Bunny, Driller and Headache. But what we do know is enough to tell us that this is one devilishly smart piece of kit.

Take its location tracking component. It looks across an infected machine’s files, including images, for geographical identification metadata, from which it extracts latitude, longitude and altitude. This means it can get the GPS coordinates of the location where the pictures were taken, or where the machine itself is, according to analysis from BAE Systems’ Sergei Shevchenko. Pretty impressive stuff. And that’s just one of the many tricks it can do.
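To see what the location tracking component has to work with, the following is an added example (not the article's code, nor anything taken from an analysed Flame sample): a defender-side audit parser that reads the standard EXIF GPS IFD out of a JPEG and returns the decimal latitude, longitude and altitude a photo left on disk would expose. The sample JPEG is constructed inline by `build_sample_jpeg`, and `gps_from_exif` is an assumed name for the audit function; the tag numbers and IFD layout are those of the EXIF specification.

```python
import struct

def _ifd(buf, off, e):
    """Parse the IFD at off: {tag: (type, count, raw 4-byte value-or-offset field)}."""
    n, = struct.unpack_from(e + "H", buf, off)
    out = {}
    for i in range(n):
        tag, typ, cnt = struct.unpack_from(e + "HHI", buf, off + 2 + 12 * i)
        out[tag] = (typ, cnt, buf[off + 10 + 12 * i: off + 14 + 12 * i])
    return out

def _rationals(buf, e, cnt, val):
    """Decode cnt RATIONAL (uint32/uint32) values stored at the offset held in val."""
    off, = struct.unpack_from(e + "I", val)
    return [a / b for a, b in struct.iter_unpack(e + "II", buf[off: off + 8 * cnt])]

def gps_from_exif(data):
    """Return (lat, lon, alt) from a JPEG's EXIF GPS IFD, or None if it carries none."""
    i = data.find(b"Exif\x00\x00")
    if i < 0:
        return None
    tiff = data[i + 6:]                       # all EXIF offsets are relative to the TIFF header
    e = "<" if tiff[:2] == b"II" else ">"     # byte-order mark: II little-endian, MM big-endian
    ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if 0x8825 not in ifd0:                    # no GPSInfo IFD pointer: nothing to harvest
        return None
    gps = _ifd(tiff, struct.unpack_from(e + "I", ifd0[0x8825][2])[0], e)
    def dms(tag):                             # degrees/minutes/seconds -> decimal degrees
        d, m, s = _rationals(tiff, e, gps[tag][1], gps[tag][2])
        return d + m / 60 + s / 3600
    lat = dms(2) * (-1 if gps[1][2][:1] == b"S" else 1)   # tag 1 GPSLatitudeRef, tag 2 GPSLatitude
    lon = dms(4) * (-1 if gps[3][2][:1] == b"W" else 1)   # tag 3 GPSLongitudeRef, tag 4 GPSLongitude
    alt = _rationals(tiff, e, 1, gps[6][2])[0] * (-1 if gps[5][2][0] == 1 else 1)  # tag 5 ref byte 1 = below sea level
    return lat, lon, alt

def build_sample_jpeg(lat, lon, alt):
    """Constructed test input: a minimal little-endian JPEG whose only EXIF content is a GPS IFD."""
    rat = lambda v, den: struct.pack("<II", round(v * den), den)          # RATIONAL = uint32/uint32
    def dms(deg):                                                         # three RATIONALs: deg, min, sec
        deg = abs(deg); d = int(deg); m = int((deg - d) * 60); s = ((deg - d) * 60 - m) * 60
        return rat(d, 1) + rat(m, 1) + rat(s, 10000)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, struct.pack("<I", 26)) + b"\0" * 4   # IFD0 at 8..26
    gps = (struct.pack("<H", 6) + ent(1, 2, 2, b"N\0\0\0" if lat >= 0 else b"S\0\0\0")   # GPS IFD at 26..104
           + ent(2, 5, 3, struct.pack("<I", 104)) + ent(3, 2, 2, b"E\0\0\0" if lon >= 0 else b"W\0\0\0")
           + ent(4, 5, 3, struct.pack("<I", 128)) + ent(5, 1, 1, bytes([1 if alt < 0 else 0, 0, 0, 0]))
           + ent(6, 5, 1, struct.pack("<I", 152)) + b"\0" * 4)
    tiff = b"II\x2a\x00" + struct.pack("<I", 8) + ifd0 + gps + dms(lat) + dms(lon) + rat(abs(alt), 100)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `gps_from_exif` over a photo directory shows which files would hand an intruder a precise position; stripping the GPS IFD before images leave a sensitive machine removes that exposure.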

The political activity surrounding Flame is significant, especially since Iran claimed it had suffered “massive” data loss. Israel is putting out some strange statements. When discussing the situation with the nation’s military radio station, vice prime minister Moshe Ya’alon hinted at Israeli involvement. “There are quite a few governments in the west that have rich high-tech [capabilities] that view Iran, and particularly the Iranian nuclear threat, as a meaningful threat – and can possibly be involved with this field,” he said.

“I would imagine that everyone who sees the Iranian nuclear threat as a significant one, and that is not only Israel, it is the entire Western world, headed by the United States of America, would likely take every single measure available, including these, to harm the Iranian nuclear project.”

Even the purported clarifying statement did not outright reject involvement in Flame’s creation. “There was no part of the interview where the minister has said anything to imply that Israel was responsible for the virus,” a spokesman for Ya’alon told the BBC.

There have also been reports of US involvement. An anonymous US official told MSNBC the nation was behind the attack, although he did admit he had “no first-hand knowledge” of the hit. A joint US-Israeli project? It’s certainly not infeasible. Some suspected the pair had spawned Stuxnet, so why not this too?

The worst is yet to come

But the main reason we should care about Flame is this: nation states are creating incredibly smart cyber-espionage software, and Flame’s very existence indicates they are working on even more powerful bits of malware. If Flame was created over two years ago, can you imagine how sophisticated the malware specimens created in defence contractor labs since then must be?

There’s no doubt such firms are bolstering their cyber weapon manufacturing efforts. Just yesterday, Mikko Hypponen pointed to a job advert from defence company Northrop Grumman looking for a cyber software engineer. Here’s what the job ad said: “This exciting and fast paced Research and Development project will plan, execute, and assess an Offensive Cyberspace Operation (OCO) mission.”

Of course, we won’t ever know how much damage some of these super-intelligent bits of malware are doing. Flame was already bypassing almost all AV software – more covert software will be doing the same, but covering its tracks in even more effective ways.

So, security world, let’s try to stay calm. Flame is important, but it isn’t about to set the world (literally) on fire. We’ll see something which does that soon enough.