Cyber-weapon Flame, "most complex malware ever," identified by Kaspersky Lab

The Moscow-based security firm credited with solving various mysteries around Stuxnet and Duqu today announced the discovery of Flame, a data-stealing virus said to have lurked on thousands of computers in the Mideast for as long as 5 years. A Kaspersky Lab spokesperson described it in a Reuters interview as "the most complex piece of malicious software discovered to date."

Adds Bruce Sterling, "Given that this has been out in the wild for a couple of years now, what’s five times bigger than 'Flame' and even less understood?"

Writing today at Wired News, Kim Zetter reports that Flame is believed to be "part of a well-coordinated, ongoing, state-run cyberespionage operation."

Kaspersky has a FAQ about Flame, here.

(Image: Kaspersky Labs)


  1. I’m actually pretty sure the worst malware ever was called “My Humps”, from guerrilla commando digital music terrorism unit “Black Eyed Peas”.

  2. It’s quite likely an Israeli product.
    More details from the Wired article:

    …an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years….
    its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame…The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.
    …. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
    Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran, and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.

      1.  The article seems to suggest Israeli Occupied Territories, not Israel. Anyhow, if we look purely at motive, the US stands tall… Israel’s probably just a cog in the great US war machine.

        1. You have that backwards. The U.S. is just a cog in Israel’s great war machine.

      2. Those infected systems may be in Palestine. Or they may belong to Israeli groups/organizations that the secret services in Israel would like to monitor. Or a combination. Or maybe Israel isn’t behind this – that’s possible too. It’s really not possible to say who is behind this by looking at the map, and observing that Israel/Palestine is heavily infected does not automatically remove Israel from the list of suspects.

          1. Well – it’s also possible that Israel judged it would be too risky to use this tool to spy on its closest allies. The relationship to the US has been strained lately, and being caught at such a time would be unwise. But Flame may also be the work of the US. Or perhaps France? It’s harder to limit the list of suspects than to expand it.

    1. It doesn’t fit the Israeli pattern – it’s not elegant or disposable enough. A bloat barge like this thing smells more like US programming. And there are a few Americanisms (“gator”) in the code base.

    2. Although Israel is certainly capable of doing it, making the argument without evidence is a bit close to “the Jews poisoned the wells.”

      1. “We’re Jews in (Cyber)Space, zooming around, making your hard drives erase…”

      2. Likely, not certain. Israel has the means and motive, and in a networked world everybody with means technically has the opportunity. It could be the US, but then I’d expect to see a broader geographical distribution. Israel seems to be better than the US at cyberwar, too – lots of expertise, institutions set up for it (e.g. Unit 8200), much less bureaucracy. The apparent prevalence in the Palestinian territories over Israel proper despite the latter having many more computers is highly suggestive that it is either Israel or an ally of Israel. This is a targeted virus, not one that just spreads everywhere, and it could not be a coincidence that all the targets just coincidentally happened to be countries that Israel feels especially wary about. It seems far too sophisticated and far too much trouble to be an attempt to frame Israel, especially when such a “frame” would not do Israel any harm at all.

        Hardline Israeli network Arutz Sheva quotes the Israeli Minister of Strategic Affairs supporting the idea that Flame is likely an Israeli product:

        Asked about the attack on Army Radio on Monday, Minister of Strategic Affairs Moshe Ya’alon said, “Whoever sees the Iranian threat as a meaningful threat – it is reasonable he would take various measures, including this one.”

        “Israel has been blessed with being a state rich in top level high-tech. These tools that we take pride in open up various possibilities for us,” he added, without specifically saying Israel originated Flame.

        1. Although I agree with most of your points (the main exception being Israel’s dominance of cyber-espionage over the US, that’s just boneheaded unless you’re counting *purely* military operations), I should play devil’s advocate and point out that Israel will often wink loudly at ops that aren’t theirs. By neither denying nor confirming they can get credit for the daring stuff done against their enemies while avoiding official censure from the UN court of Lefties (which is like all of Europe + most of the western world).

      3. Come onnnnn, if this were some banking scandal or virus in China or Asia or /anywhere/ else then sure this early guessing would be unjustified. But the concentration on middle-eastern countries, especially Palestine, along with the evidence of Stuxnet toolkit usage…

        Plus one can be dumb and guess (sans evidence) a random country with stake in the regional geopolitics without actually committing blood libel, contrary to what AIPAC would have you believe.

        It is really too certain for any certainty, but why else are we on the internet if not to make unfounded speculation?

    3. “In other news, a spokesman from 8200 has officially denied any involvement, while winking very rapidly in front of a bar of trashed Israeli programmers wearing party hats.”

    1. I wish you good luck with that Comrade!

      Russia has been a mite twitchy about recognizing breakaway countries as independent since, well, just after they lost half their empire in a similar fashion.

  3. “the most complex piece of malicious software discovered to date.”
    Probably because they had to make it work in IE6

  4. Jesus, I just made the terrible mistake of engaging with the Wired commenters. If you value your sanity, learn from my error and stay the hell away from the political debates that spring up for no apparent reason.
