Cyber-weapon Flame, "most complex malware ever," identified by Kaspersky Lab


28 Responses to “Cyber-weapon Flame, "most complex malware ever," identified by Kaspersky Lab”

  1. Jeremy Mesiano-Crookston says:

    I’m actually pretty sure the worst malware ever was called “My Humps”, from guerilla commando digital music terrorism unit “Black Eyed Peas”.

  2. Okay, that’s interesting.

  3. Nadreck says:

    Kaspersky now reports that it seems to be a variant on the “SkyWiper” malware.

  4. Ultan says:

    It’s quite likely an Israeli product.
    More details from the Wired article:

    …an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years….
    its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame…The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.
    …. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
    Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran, and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.

    • Dan Hibiki says:

       then why is Israel heavily infected?

      • Digilante says:

         The article seems to suggest Israeli Occupied Territories, not Israel. Anyhow, if we look purely at motive, the US stands tall… Israel’s probably just a cog in the great US war machine.

      • Osloianer says:

        Those infected systems may be in Palestine. Or they may belong to Israeli groups/organizations that the secret services in Israel would like to monitor. Or a combination. Or maybe Israel isn’t behind this – that’s possible too. It’s really not possible to say who is behind this by looking at the map, and observing that Israel/Palestine is heavily infected does not automatically remove Israel from the list of suspects.

        • Dan Hibiki says:

           Well it’s not really the Israeli M.O.
          If it was them it would then be found in the US, Canada, UK and Australia.

          • Osloianer says:

            Well – it’s also possible that Israel judged it would be too risky to use this tool to spy on its closest allies. The relationship to the US has been strained lately, and being caught at such a time would be unwise. But the flame may also be the work of the US. Or perhaps France? It’s harder to limit the list of suspects than to expand it.

        • Dan Hibiki says:


          yup. It’s the US alright.

    • Ito Kagehisa says:

       It doesn’t fit the Israeli pattern – it’s not elegant or disposable enough.   A bloat barge like this thing smells more like US programming.  And there are a few Americanisms (“gator”) in the code base.

    • Antinous / Moderator says:

      Although Israel is certainly capable of doing it, making the argument without evidence is a bit close to “the Jews poisoned the wells.”

      • Culturedropout says:

        “We’re Jews in (Cyber)Space, zooming around, making your hard drives erase…”

      • Ultan says:

        Likely, not certain. Israel has the means and motive, and in a networked world everybody with means technically has the opportunity. It could be the US, but then I’d expect to see a broader geographical distribution. Israel seems to be better than the US at cyberwar, too – lots of expertise, institutions set up for it (e.g. Unit 8200), much less bureaucracy. The apparent prevalence in the Palestinian territories over Israel proper despite the latter having many more computers is highly suggestive that it is either Israel or an ally of Israel. This is a targeted virus, not one that just spreads everywhere, and it could not be a coincidence that all the targets just coincidentally happened to be countries that Israel feels especially wary about.  It seems far too sophisticated and far too much trouble to be an attempt to frame Israel, especially when such a “frame” would not do Israel any harm at all.

        Hardline Israeli network Arutz Sheva quotes the Israeli Minister of Strategic Affairs supporting the idea that Flame is likely an Israeli product:

        Asked about the attack on Army Radio on Monday, Minister of Strategic Affairs Moshe Ya’alon said, “Whoever sees the Iranian threat as a meaningful threat – it is reasonable he would take various measures, including this one.”

        “Israel has been blessed with being a state rich in top level high-tech. These tools that we take pride in open up various possibilities for us,” he added, without specifically saying Israel originated Flame.

        • R_Young says:

          Although I agree with most of your points (the main exception being Israel’s dominance of cyber-espionage over the US, that’s just boneheaded unless you’re counting *purely* military operations), I should play devil’s advocate and point out that Israel will often wink loudly at ops that aren’t theirs.  By neither denying nor confirming, they can get credit for the daring stuff done against their enemies while avoiding official censure from the UN court of Lefties (which is like all of Europe + most of the western world).

      • R_Young says:

        Come onnnnn, if this were some banking scandal or virus in China or Asia or /anywhere/ else then sure this early guessing would be unjustified.  But the concentration on Middle Eastern countries, especially Palestine, along with the evidence of Stuxnet toolkit usage…

        Plus one can be dumb and guess (sans evidence) a random country with stake in the regional geopolitics without actually committing blood libel, contrary to what AIPAC would have you believe.  

        It is really too certain for any certainty, but why else are we on the internet if not to make unfounded speculation?

    • R_Young says:

      “In other news, a spokesman from 8200 has officially denied any involvement, while winking very rapidly in front of a bar of trashed Israeli programmers wearing party hats.”

  5. Two Wolves says:

    Ok.  Is there a detection/eradication utility available?

  6. LikesTurtles says:

    Someone should tell Kaspersky Labs that South Sudan is an independent country.

    • R_Young says:

      I wish you good luck with that Comrade!

      Russia has been a mite twitchy about recognizing breakaway countries as independent since, well, just after they lost half their empire in a similar fashion.

  7. st33d says:

    “the most complex piece of malicious software discovered to date.”
    Probably because they had to make it work in IE6

  8. R_Young says:

    Jesus, I just made the terrible mistake of engaging with the Wired commenters.  If you value your sanity, learn from my error and stay the hell away from the political debates that spring up for no apparent reason.
