'Super-powerful' Flame worm actually boring bloatware

Flame may be big in size but it's nothing like the supposedly devastating cyberwarfare mega-weapon early reports of the malware suggested. This new nasty is quite complex by design, yet researchers are still hunting for any truly evil and innovative attack techniques, or similar threats, within the code. The cyber-espionage …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    20Mb? Modular beyond all reason? It sounds like "enterprise grade" malware to me...

    1. Semaj

      Which of course is really the point of all the hype.

      Up till now, these things have been unprofessional, but this one, as you say, is enterprise level.

    2. Field Marshal Von Krakenfart
      Trollface

      20MB???

      But that's not even big enough for a MickeySoft EULA

      1. Ole Juul

        Re: 20MB???

        That's only 15 floppies. Of course they could put it on a CD and mail it out too. Some customers might appreciate having a backup.

    3. gollux
      Mushroom

      And to keep it all in perspective...

      Stuxnet = 2010 Bugatti Veyron

      Flame = 1976 Cadillac Fleetwood

      Luxury cars both: one lean, fast and tight to the road, built with custom parts; the other huge, soft, padded and drives like a fishing boat on the ocean, built from repriced Chevrolet parts.

  2. Ilgaz

    Why don't you get it already?

    The issue is how it could go undetected for years. Do you know how real antivirus and security companies work? They have thousands of "unprotected" machines that are impossible to tell otherwise, software automatically doing the dumbest things, spam traps subscribing to every single stupid mailing system, even opting in.

    They have guys wandering around, social engineering, most of the time endangering their life in black hat forums and darknets.

    That is why commercial, professional antivirus is pay or freemium.

    1. Destroy All Monsters Silver badge
      Coat

      Re: Why don't you get it already?

      > most of the time endangering their life in black hat forums and darknets

      Blackwater "Operator" Antivirus? I would buy it.

    2. gollux
      Mushroom

      Re: Why don't you get it already?

      Heh, about 1,000 computers in countries that aren't very trusting of Western Technology and afraid already of being spied on? How could it go undetected for very long? Very easily...

      If the Iranian government was eating less of the stupid sauce, there'd be normal business relationships between commerce within Iran and the companies that produce anti-malware. There isn't, so you have a breeding ground for this stuff to be sent to.

  3. Anonymous Coward
    Paris Hilton

    IF I READ THIS ARTICLE RIGHT

    THEN YOU HAVE TO BE SPTUPID TO GET THE FLAME WORM GOOD I HAVE NOTHING TO WORRY ABOUT

    1. Anonymous Coward

      Re: IF I READ THIS ARTICLE RIGHT

      No, not stupid - just a foreign country that may or may not have access to nukes.

      So yes you're still safe I hope and pray ;-)

      1. WatAWorld

        Re: "A foreign country that may or may not have access to nukes"

        "A foreign country that may or may not have access to nukes" describes every single country in the world, other than whatever country a particular reader is a citizen of.

        1. sabroni Silver badge

          it's SPTUPID

          stupid!

    2. Anonymous Coward

      more likely

      If you're Homer Simpson, there's nothing worth stealing on your machine, so if Flame does get a foothold on your system, the masters of the worm will remove it themselves.

    3. Benjamin 4
      Joke

      Re: IF I READ THIS ARTICLE RIGHT

      @ (appropriately titled) Big Dumb Guy 55 16:07

      "I have to be stupid to get this virus" Well, if you're posting in ALL CAPS with a name like big dumb guy 57 you're in with a pretty good chance of getting it!

    4. Michael Wojcik Silver badge

      Re: IF I READ THIS ARTICLE RIGHT

      Lions 3, Christians 0. Another round goes to the BDG.

  4. Destroy All Monsters Silver badge
    Devil

    http://en.wikipedia.org/wiki/Mimivirus

    "Mimivirus, short for "mimicking microbe", is so called to reflect its large size. Mimivirus possesses many characteristics which place it at the boundary of living and non-living."

    Similarly, Flame possesses many characteristics which place it into the genus of bloatware, media players and nagware.

  5. Bernard

    This article reads strangely, at least to a non-professional in the security field

    Reading some paragraphs, the virus was in no way special or clever (though it was big), while reading others, it managed to go on completely undetected for an unspecified number of years, while deleting critical information and performing other functions which can't be ascertained or traced back to a culprit.

    Likewise, the coding of the virus is not especially unusual or exciting, but will take months and possibly years to decipher.

    It may be because I work in a commercial world used to trumpeting even modest failure as startling success, but if I'd delivered a project that met such clearly defined goals over such a long period and didn't leave any significant threads for people to pull apart at the end then I'd feel like I'd done a pretty good job.

    1. peabody3000
      WTF?

      Re: This article reads strangely, at least to a non-professional in the security field

      That's for sure... Everything about this threat looks extremely sophisticated, but the fact that its spread is apparently limited and controlled gives the author licence to dismiss it as bloatware? That is infantile bloviating. If this is "boring" then let's hear all about the exciting ones??

      1. Tom 13
        Black Helicopters

        Re: author licence to dismiss it as bloatware? that is infantile bloviating.

        Too true. So I guess that means the next big question is:

        Is John Leyden now on the payroll of said spooks and spreading disinformation about the threat?

    2. Drew32

      Re: This article reads strangely, at least to a non-professional in the security field

      Agreed. It seems the significance of Flame would be in its apparent (but not really known) effectiveness... and possibly over a rather extended period of time. Being small, creating a large botnet, or being innovative, getting pats on the back from The Register, obviously weren't primary design goals.

  6. Steve Knox
    Holmes

    "...most vendors spinning that Flame did not spread very far and that was the reason why it escaped detection for so long."

    The real question is when did it first spread to a machine with an active, licensed, up-to-date antivirus/antimalware installation on it. Because that's exactly when this excuse became invalid.

    1. WatAWorld

      Would a government require AV vendors based in it to miss malware it created?

      Most likely more than 2 years ago, since the sorts of computers it has been found on would have been well protected.

      Kind of embarrassing for the AV vendors whose products are used in the middle east, so they want to minimize it.

      Would a government require AV vendors based in it to miss malware it created?

      One of a few reasons I use Kaspersky is that, being in Canada, I'm more worried about the USA or Canada spying on me than Russia.

      1. Steve Knox

        Re: Would a government require AV vendors based in it to miss malware it created?

        WHY would a government require AV vendors based in it[s jurisdiction] to miss malware it created?

        Given that there is no jurisdiction that adequately covers all AV vendors, said government would have to make the malware as difficult to detect as possible anyway.

        Disclosing the existence of the malware to people in its jurisdiction [especially those most likely to incur financial losses in the event their collusion were discovered] would significantly increase the risk of the malware being detected.

  7. preppy

    Flame - Why did it take so long to detect?

    I'm curious about a slightly different question: "Did it take the TARGETS two to five years to detect it?"

    After all, the malware is huge, and the alleged data gathering impact must have created significant network traffic.

    And if the targets knew about Flame all along, how much MISINFORMATION have they passed along to the spooks who own Flame?

    Preppy

  8. NozeDive
    Happy

    Memories

    It was a little surprise for me to see L0pht and BO2K mentioned (but not Cult of the Dead Cow). I haven't heard much about them in a while.

  9. Fill

    Confusing article

    The title and summary seem to contradict the article and its conclusion. The article says it is an advanced and complex piece of targeted malware that must have been made by a nation/state that will take months if not years to analyze, while the title and summary say it is just boring bloatware. Which is it?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Confusing article

      It's possible to get a big team to write a huge piece of software that then doesn't do anything earth-shatteringly evil. Yes, it does bad things, but so does a lot of malware. It's not the weapon of annihilation first feared, although there is still a lot of code to get through.

      C.

      1. nexsphil

        Re: Confusing article

        >It's not the weapon of annihilation first feared,

        >although there is still a lot of code to get through.

        Conclusion before analysis. Logic failure. Propaganda detected.

      2. Ian McNee
        Black Helicopters

        Re: Confusing article

        @diodesign: that's a somewhat complacent and narrow view. A not unlikely scenario is that this was created by a security agency like the CIA, who have a well-documented penchant for "extraordinarily rendering" (read: violently kidnapping) foreign citizens to assorted locations around the globe to be detained and tortured.

        They have done this with the flimsiest of suspicion (bearing in mind that extra-judicial kidnapping, imprisonment, torture and assassination are illegal by definition and in many other ways). So if they happened to have had a tool like this to target potential "terrorists" over the past few years it would almost certainly have been used to assist such actions.

        No, Flame/sKyWIper is not a "weapon of annihilation" (nice paper tiger!) but that wouldn't be much comfort to anyone languishing in an interrogation facility in Uzbekistan, would it?

        1. Michael Wojcik Silver badge

          Re: Confusing article

          > A not unlikely scenario is that this was created by a security agency like the CIA who have a

          > well-documented penchant "extraordinarily rendering"

          A fallacious argument (specifically argumentum ad misericordiam). Even if there were evidence that Flame was created by the CIA, you've demonstrated no logical association between extraordinary rendition (however vile and unethical that may be) and the thesis, which is that Flame is in some fashion an interesting or important piece of malware.

          Extraordinary rendition is believed to usually involve the use of airplanes. That does not, in itself, make airplanes interesting.

  10. rman33

    A couple of observations. First I would not quote Kaspersky as if they were top level experts. They are second rate at best. We currently use them but will stop once the contract expires. They, far and away, have the biggest negative impact on system performance of any of the leading antivirus publishers. Internet speed is literally cut in half when using the internet protection feature as opposed to when that feature is turned off. Their support's first suggestion is 'trying reboot comrade - this is fixing much problem' and when you demand better support it becomes 'Am being very sorry comrade, we are sending new improved version as we are believing this will be helping much'. They simply can't support their product.

    Another observation is that it seems odd that several people say this is a 'remote control' and/or data collection and transmission type of malware. I am not a hacker or even a very good programmer but I am a computer scientist and it occurs to me that if you know the code is transmitting data then you would also know where it is being sent to. Likewise if it is being remote controlled then you know where that control is coming from. Why then is it such a mystery 'who' is controlling or receiving transmissions?

    1. fatchap
      Boffin

      DNS Flux

      Pretty simple: you programmatically create more almost-random strings as domain names and automatically register them as your bot farm switches between them.

      You register these domains under false names with less than stellar domain registries and keep the records pointing at a number of servers you have already compromised and can retrieve your information from at leisure. You access them through a string of other proxies and a Tor network and hey presto, you can go about these things relatively undetected. Especially if some of the hosts are in jurisdictions that don't play nice with western governments when they are investigating.

      See here for what other internet randoms say about it: http://en.wikipedia.org/wiki/Fast_flux
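
The fast flux and near-random domain name scheme described above, seen from the defender's side, as an added example that is not from the article or any poster: it triages constructed DNS resolver log lines for labels that look algorithmically generated and for names churning across many short-TTL addresses. The log format, names, addresses and scoring thresholds are all assumptions made for this example.

```python
"""Triage constructed DNS resolver log lines for two signals: algorithmically
generated (near-random) domain labels, and fast-flux style churn of one name
across many short-TTL addresses. Added example, not code from the article or
any poster; log format, names, addresses and thresholds are constructed."""
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample: "<epoch> <client> <qname> <rtype> <ttl> <answer>".
# Addresses are from the RFC 5737 documentation ranges; one line is malformed.
SAMPLE_LOG = """\
1338500000 10.0.0.5 www.example.com A 3600 198.51.100.2
1338500010 10.0.0.5 mail.example.com A 3600 198.51.100.3
1338500020 10.0.0.7 webmail-archive.example.org A 3600 198.51.100.4
1338500030 10.0.0.7 xk3qz9vb7wpd1lfy.example.net A 120 203.0.113.10
1338500040 10.0.0.9 q7mzd2lpx4rtwb.biz A 60 203.0.113.21
1338500100 10.0.0.9 q7mzd2lpx4rtwb.biz A 60 203.0.113.37
this line is not a valid record
1338500160 10.0.0.9 q7mzd2lpx4rtwb.biz A 60 203.0.113.54
1338500170 10.0.0.5 www.example.com A 3600 198.51.100.5
"""


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_len=10, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: a long, high-entropy label with few vowels (hyphens ignored).
    The thresholds are assumptions for this example, not published values."""
    letters = label.replace("-", "").lower()
    if len(letters) < min_len:
        return False
    alpha = [ch for ch in letters if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in alpha) / len(alpha) if alpha else 0.0
    return shannon_entropy(letters) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text):
    """Parse log lines into dicts; malformed lines are counted, not fatal."""
    records, bad = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[0].isdigit() and parts[4].isdigit()):
            bad += 1 if line.strip() else 0
            continue
        ts, client, qname, rtype, ttl, answer = parts
        records.append({"ts": int(ts), "client": client, "rtype": rtype,
                        "qname": qname.lower().rstrip("."), "ttl": int(ttl),
                        "answer": answer})
    return records, bad


def generated_names(records):
    """Query names where any label below the TLD looks algorithmically generated."""
    flagged = set()
    for rec in records:
        if any(looks_generated(lbl) for lbl in rec["qname"].split(".")[:-1]):
            flagged.add(rec["qname"])
    return flagged


def flux_names(records, max_ttl=300, min_addresses=3):
    """Names answered with many distinct addresses at short TTLs. Legitimate CDNs
    churn too, so treat this as a triage signal to pair with the name check."""
    answers = defaultdict(set)
    for rec in records:
        if rec["rtype"] in ("A", "AAAA") and rec["ttl"] <= max_ttl:
            answers[rec["qname"]].add(rec["answer"])
    return {n: sorted(ips) for n, ips in answers.items() if len(ips) >= min_addresses}


def triage(text):
    """Run both checks over a log text; names hitting both deserve a closer look."""
    records, bad = parse_log(text)
    gen, flux = generated_names(records), flux_names(records)
    return {"generated": gen, "flux": flux, "both": gen & set(flux), "bad_lines": bad}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("generated", "flux", "both"):
        print(key, result[key])
    print("malformed lines skipped:", result["bad_lines"])
```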

      1. WatAWorld

        Re: DNS Flux

        Perhaps a non-western country, but not necessarily.

        If the domain registries are in western jurisdictions that have laws requiring employees to cooperate with security services, and have stiff criminal penalties for publicizing requests from security services, this DNS flux could be done here.

        In the UK for example, I understand that if a domain name registry employee informed his employer of requests by MI6 he could face prosecution under the Regulation of Investigatory Powers Act (or whatever the RIP Act stands for).

        The USA has its laws, but patriotism alone would probably be enough to create the silent obedience necessary.

        I'm not saying this was a western government, but I do not think we can close our minds to that possibility now, OR IN THE FUTURE.

        1. fatchap
          WTF?

          Re: DNS Flux

          You do know that it is possible to use a registrar that is outside your local vicinity right? Also that there are things like credit card fraud so the person of record on the 1000s of domains may not actually be the perpetrator?

          It is one of the reasons that RIPA and the Patriot Act are pretty much useless in this regard.

    2. WatAWorld

      Kaspersky is only second rate if you rank your AVs on something other than virus detection capability.

      If you want a good AV in a world full of malware, that AV is going to need some cycles to run.

      Virus Bulletin and the VB100 is a good place to start.

  11. Christian Berger

    Obviously not getting it

    The purpose of Flame is not to spy on users or infect many systems, but to give meaning to the ITU. The ITU fears becoming useless in a world dominated by lightweight patent-free Internet standards which can be implemented within a day.

    This is why the ITU wants to re-brand itself as "cyber security experts". I wouldn't be surprised if the ITU sponsored the development of Flame.

  12. Mike VandeVelde
    Headmaster

    hehehehehe... he said firm.... hehehehe

    "The security firm reckons a military sub-contractor was likely to have carried out the work than a intelligence agency."

  13. the-it-slayer
    Meh

    Who knows...

    ...you may have a variant of Flame sitting on your machine right now waiting for its next command? Just seems like it's a Swiss army knife of hacking tools rather than relying on one set of attributes/commands that are already preset within the malware. Very impressive but crap scary.

    Just hoping the top security guys and gals are already on the case.

  14. John Sanders
    Linux

    How can malware stay undetected...

    Very easy: it is enough not to do anything too noticeable, like slowing your computer down, encrypting your files and asking for a ransom, or stealing all your bandwidth.

    If you do not possess a decent border router/firewall that you inspect often and cannot identify strange system processes, then as long as the malware doesn't do anything to alert the user of the computer, it can stay undetected forever.

  15. This Side Up
    Coat

    BLOATWARE?

    So it wouldn't be noticed on a Microsoft system then?

    1. LaeMing
      Happy

      Re: BLOATWARE?

      Heck! MS-Windows would welcome it with open arms as one of the family.

      1. Danny 14

        Re: BLOATWARE?

        Actually, 20MB would trigger alarms, being much smaller than other running system apps.

  16. JeffyPooh
    Pint

    AV vendors exaggerate...

    AV vendors exaggerate both the threat and their own supposed skill levels. Whatever they say should be right-shifted twice (times ¼) if you wish to approximate the truth.

  17. Anonymous Coward

    Whatever

    Going undetected for years, while only infecting 1,000 or so machines? Sounds about right. I'm actually surprised it was found.

    Meanwhile the article itself is extremely inconsistent. There are numerous places where wide reaching statements are made... And the very next statement takes a 180 degree turn.

    Regarding AV firms in general: I know they are trying hard, but they need to kick the marketing people off of the development teams. This is a hard thing to do right and the bloatware (AV itself, not the virus) is just too much.

    Quite frankly I'm wondering who is having a bad sales year. We've seen a number of virus articles lately on things that just don't impact us. Marketing I'm sure.

    At the end of the day we figured out that the cost of an actual infection is much cheaper than paying the "protection" racketeers. I'm sure others are figuring that out as well.

  18. WatAWorld

    best designed, most dangerous malware is malware that went undetected

    Just as the best spies are spies that went undetected, the best designed, most dangerous malware to find on your computer is malware that went undetected for long periods of time.

    Flame fits that description perfectly.

    Those AV vendors that were not called in by the ITU are simply jealous of Kaspersky.

    1. Ilgaz

      Bond like

      You know, the guy never hides his name or purpose. This 20MB thing doesn't even use executable compression; it looks like "look, I have been in your machines for years. Just think what I would do if you keep messing".

      Sounds crazy? What about launching a satellite into space just to shoot it down, and a competitor doing the exact same thing? Happened, China vs USA. Wikileaks.

  19. TeeCee Gold badge
    Coat

    So, then.

    Bloated? Check.

    Only works with Windows? Check.

    Doesn't seem to do anything really clever or innovative in all that code? Check.

    Has loads of bugs? Check.

    QED: It's a Microsoft product.

  20. WatAWorld

    Kaspersky employee Aleks's blog on securelist is worth reading over

    This link in the original Reg article is well worth reading for yourself:

    http://www.securelist.com/en/blog?weblogid=208193522

    Here are my thoughts on reading it:

    1. "While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame."

    So actually they weren't even looking for Flame, they were looking for other malware and happened to find Flame.

    They still have not found Wiper.

    2. The security service (if it was a security service) spreading Flame would likely have been commanding Flame to remove itself from systems that did not hold valuable information, because being on as few systems as possible is key to going undetected.

    Aleks says, "According to our observations, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields – they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections."

    So really, if there are 1,000 systems infected now, there could have been 10,000, 20,000, 30,000 systems infected in the past two years -- nobody other than the Flame admins has any clue how many systems were infected.

    (If I was writing Flame Mk II, I'd make sure the computers it infected were already well protected, so that they would not get infected by something noticeable that would attract scrutiny.)

    3. There could be dozens of similar sorts of malware on Apple, Windows and Unix computers and we would not know it.

    This malware was only found on a Windows computer by chance, and the more computers are running an OS, the more chance of an accidental discovery, and the more scrutiny the OS gets. (History shows open source Unix has had vulnerabilities discovered that were there for several years. The chance to review an open source program does not mean the open source program was reviewed.)

    4. Kaspersky says Flame will use Bluetooth when it is available.

    My thoughts are that, if so, then bulk information could have been sent from some infected computers via Bluetooth. If just one computer in a business was Bluetooth-enabled, that computer could relay the information from all the other computers to a hostile Bluetooth device planted near the installation by the security service. Hence there would be less for an admin to see in his firewall logs.

    1. Ilgaz

      Bluetooth part bugs me

      Let's hope there isn't an undetected mobile part of the virus which will be abused to extract info to an innocent victim, using him/her as a carrier. It would be really hard to explain while you are being questioned in some basement.

      You know the line "I have no clue how this white powder ended up in my baggage"

    2. Brian Miller 1
      FAIL

      Re: Kaspersky employee Aleks's blog on securelist is worth reading over

      Your 2nd point is EXACTLY what my first thoughts were when the author plays down the infection rates.

      If it is capable of erasing its presence and has had at least 2 years, maybe 5 years, to spread and gobble info, the fact that only 1000 concurrent infections have been verified means FA.

      If the "insert large governmental institution of your choice" had 1000 people each tasked with slurping the useful stuff off a machine each day, then spreading and finding the most interesting one the next day, let's do the math:

      1000 * 5 (working days a week) * 48 (working weeks a year) * 5 (years) = 6 million possible machines infected at this work rate.

      So that is in the same order of magnitude as conficker etc. Of course I have zero evidence to back this up, however Mr. Author, you also have zero evidence the impact was so small and benign.

      And what is this about wiper? It strikes me that if you didn't want to bring in 1000 people on this you could easily have your corporate hacker team write a script to very much automate the infect, check pc for keywords/data types, spread, delete self routine and maybe hit every "connected" machine on earth in the same timescale. Maybe this script is also pretty smart and happens to go by the "Wiper" name?

    3. Mephistro
      Thumb Up

      Re: Kaspersky employee Aleks's blog on securelist is worth reading over

      "that computer could relay the information from all the other computers to a hostile Bluetooth device planted near the installation by the security service"

      Alternatively, it could be very handy for any secret service to have the ability to connect to and control mobile devices through Bluetooth, enabling them to use the phones as bugs or gps trackers, or having them relaying all their mails/SMSs to some server sieving the data, Echelon style, searching for certain keywords.

      If a secret service is interested in any particular zone, they could install devices for slurping the data through the Bluetooth interface in nearby places with a high density of pedestrians (i.e. railway stations, public parks, hotels...) and then send said data to big DB servers that perform analysis on it.

      I also want to stress the importance of the fact that the data stolen by the virus can be hand-picked and used to select the most interesting subjects and their most interesting contacts. With e-mail, chances are you need fewer than six hops to go from some beggar in the street to a member of a Government. And you don't need 1000 guys sieving the data manually to make this scheme work. A dozen guys (a much more manageable crew, in terms of security) could compromise thousands of 'interesting machines' in a few weeks.

  21. RainForestGuppy

    20MB..

    That's bigger than the hard drive I had in my first PC!!!

  22. Caesarius
    Stop

    Defending the Lady's Honour

    The Book of Esther is not apocryphal (or even "apocryhal"), but is part of the canon. Esther was the antithesis of "I'm all right, Jack".

    1. Anonymous Coward

      Re: Defending the Lady's Honour

      Thank you. You've saved me the trouble of posting. Mordecai says 'Hello.'

  23. Nater
    Happy

    Why bother attacking Kharg Island with a worm? My friends and I have been blowing the shit out of that place for the last six months in AH-1Zs and Abrams tanks.

