Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

Cyber-weapon Flame, "most complex malware ever," identified by Kaspersky Lab

Xeni Jardin at 10:28 am Mon, May 28, 2012

— FEATURED —

THE LATEST

Guatemala: Archive of documents from Rios Montt genocide trial, overturned 10 days after guilty verdict

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

Book Review

Black Code: how spies, cops and crims are making cyberspace unfit for human habitation

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle

The Moscow-based security firm credited with solving various mysteries around Stuxnet and Duqu today announced the discovery of Flame, a data-stealing virus said to have lurked on thousands of computers in the Mideast for as long as 5 years. A Kaspersky Lab spokesperson described it in a Reuters interview as "the most complex piece of malicious software discovered to date."

Adds Bruce Sterling, "Given that this has been out in the wild for a couple of years now, what’s five times bigger than 'Flame' and even less understood?"

Writing today at Wired News, Kim Zetter reports that Flame is believed to be "part of a well-coordinated, ongoing, state-run cyberespionage operation."

Kaspersky has a FAQ about Flame, here.

(Image: Kaspersky Labs)

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

MORE:  cyberwar • hacking • Internet • malware • security • Technology

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • Jeremy Mesiano-Crookston

    I’m actually pretty sure the worst malware ever was called “My Humps”, from guerilla commando digital music terrorism unit “Black Eyed Peas”.

    • http://northierthanthou.com/ northierthanthou

       I think the state department would concur.

    • dragonfrog

      You must admit, “My Humps” isn’t terribly complex or sophisticated.

      • http://thebeatdown.disqus.com Franklin

        It still managed to destroy my life

    • LinkMan

      Must… not… fire up…. Spotify….

  • http://northierthanthou.com/ northierthanthou

    Okay, that’s interesting.

  • Nadreck

    Kaspersky now reports that it seems to be a variant on the “SkyWiper” malware.

  • Ultan

    It’s quite likely an Israeli product.
    More details from the Wired article:

    …an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years….
    its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame…The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.
    …. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.
    ….
    Symantec, which has also begun analyzing Flame (which it calls “Flamer”), says the majority of its customers who have been hit by the malware reside in the Palestinian West Bank, Hungary, Iran, and Lebanon. They have received additional reports from customer machines in Austria, Russia, Hong Kong, and the United Arab Emirates.

    • http://twitter.com/incarnedine_v Dan Hibiki

       then why is Israel heavily infected?

      • Digilante

         The article seems to suggest Israeli Occupied Territories, not Israel. Anyhow, if we look purely at motive, the US stands tall… Israel’s probably just a cog in the great US war machine.

        • Manhattan Project Playboy

          You have that backwards. The U.S. is just a cog in Israel’s great war machine.

      • Osloianer

        Those infected systems may be in Palestine. Or they may belong to Isreali groups/organizations that the secret services in Israel would like to monitor. Or a combination. Or maybe Israel isn’t behind this – that’s possible too. It’s really not possible to say who is behind this by looking at the map, and observing that Israel/Palestine is heavily infected does not automatically remove Israel from the list of suspects.

        • http://twitter.com/incarnedine_v Dan Hibiki

           Well it’s not really the Israeli M.O.
          If it was them it would then be found in the US, Canada, UK and Australia.

          • Osloianer

            Well – it’s also possible that Israel judged it would be too risky to use this tool to spy on its closest allies. The relationship to the US has been strained lately, and being caught at such a time would be unwise. But the flame may also be the work of the US. Or perhaps France? It’s harder to limit the list of suspects than to expand it..

        • http://twitter.com/incarnedine_v Dan Hibiki

           http://news.slashdot.org/story/12/06/01/1224200/obama-order-sped-up-wave-of-cyberattacks-against-iran

          yup. It’s the US alright.

    • Ito Kagehisa

       It doesn’t fit the Israeli pattern – it’s not elegant or disposable enough.   A bloat barge like this thing smells more like US programming.  And there are a few Americanisms (“gator”) in the code base.

    • Antinous / Moderator

      Although Israel is certainly capable of doing it, making the argument without evidence is a bit close to “the Jews poisoned the wells.”

      • Culturedropout

        “We’re Jews in (Cyber)Space, zooming around, making your hard drives erase…”

      • Ultan

        Likely, not certain. Israel has the means and motive, and in a networked world everybody with means technically has the opportunity. It could be the US, but then I’d expect to see a broader geographical distribution. Israel seems to be better than the US at cyberwar, too – lots of expertise, institutions set up for it (e.g. Unit 8200), much less bureaucracy. The apparent prevalence in the Palestinian territories over Israel proper despite the latter having many more computers is highly suggestive that it is either Israel or an ally of Israel. This is a targeted virus, not one that just spreads everywhere, and it could not be a coincidence that all the targets just coincidentally happened to be countries that Israel feels especially wary about.  It seems far too sophisticated and far too much trouble to be an attempt to frame Israel, especially when such a “frame” would not do Israel any harm at all.

        Hardline Israeli network Arutz Sheva quotes the Israeli Minister of Strategic Affairs supporting the idea that Flame is likely an Israeli product:

        Asked about the attack on Army Radio on Monday, Minister of Strategic Affairs Moshe Ya’alon said, “Whoever sees the Iranian threat as a meaningful threat – it is reasonable he would take various measures, including this one.”

        “Israel has been blessed with being a state rich in top level high-tech. These tools that we take pride in open up various possibilities for us,” he added, without specifically saying Israel originated Flame.

        • http://tryingsense.blogspot.com/ R_Young

          Although I agree with most of your points (the main exception being Israel’s dominance of cyber-espionage over the US, that’s just boneheaded unless you’re counting *purely* military operations), I should play devils advocate and point out that Israel will often wink loudly at ops that aren’t theirs.  By neither denying or confirming they can get credit for the daring stuff done against their enemies while avoiding official censure from the UN court of Lefties (which is like all of Europe + most of the western world).  

      • http://tryingsense.blogspot.com/ R_Young

        Come onnnnn, if this were some banking scandal or virus in China or Asia or /anywhere/ else than sure this early guessing would be unjustified.  But the concentration on middle-eastern countries, especially Palestine, along with the evidence of stuxnet toolkit usage…

        Plus one can be dumb and guess (sans evidence) a random country with stake in the regional geopolitics without actually committing blood libel, contrary to what AIPAC would have you believe.  

        It is really too certain for any certainty, but why else are we on the internet if not to make unfounded speculation?

    • http://tryingsense.blogspot.com/ R_Young

      “In other news, a spokesman from 8200 has officially denied any involvement, while winking very rapidly in front of a bar of trashed Israeli programmers wearing party hats.”

  • http://www.fark.com/ Two Wolves

    Ok.  Is there a detection/eradication utility available?

  • LikesTurtles

    Someone should tell Kaspersky Labs that South Sudan is an independent country.

    • http://tryingsense.blogspot.com/ R_Young

      I wish you good luck with that Comrade!

      Russia has been a mite twitchy about recognizing breakaway countries as independent since, well, just after they lost half their empire in a similar fashion.

  • st33d

    “the most complex piece of malicious software discovered to date.”
    Probably because they had to make it work in IE6

    • dragonfrog

       And it’s still not actually usable in IE 6.

  • http://tryingsense.blogspot.com/ R_Young

    Jesus, I just made the terrible mistake of engaging with the Wired commenters.  If you value your sanity, learn from my error and stay the hell away from the political debates that spring up for no apparent reason.