Flame, aka Flamer or sKyWIper

[Corrine]

Flame, aka Flamer or sKyWIper, has been dubbed more complex than Duqu and Stuxnet.  In fact, it has been described as "the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." 

As described in The Flame: Questions and Answers - Securelist:

What exactly is Flame? A worm? A backdoor? What does it do?

Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven't seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame's command-and-control servers.

Later, the operators can choose to upload further modules, which expand Flame's functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.

The following quote by Professor Alan Woodward Department of Computing, University of Surrey, was included in the BBC article, Flame: Massive cyber-attack discovered, researchers say:

This is an extremely advanced attack. It is more like a toolkit for compiling different code based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine.

It also has some very unusual data stealing features including reaching out to any Bluetooth enabled device nearby to see what it can steal.

Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't need to be connected to a network, although it has that capability as well.

This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time.

In other words, we are going to be seeing a lot more of Flame.

Additional References:

• Crysys Lab Skywiper Analysis (PDF)
  
• Iran Maher CERT Flamer Analysis
  
• Meet "Flame", The Massive Spy Malware Infiltrating Iranian Computers
  
• Powerful "Flame" cyber weapon found in Middle East
  
• Case Flame - F-Secure Weblog : News from the Lab
  

[Corrine]

I've updated my blog post with additional references beyond my initial post above:  Flame, aka Flamer or sKyWIper.

[zep516]

Thanks! need to check that out.

Joe