Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on.
What exactly is Flame? What does it do?
Flame is an attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
How sophisticated is Flame and how is it different from other malwares?
Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine.
LUA is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in LUA (the use of LUA is uncommon in malwares) — with effective attack subroutines and libraries compiled from C++.The effective LUA code part is rather small compared to the overall code.
Kaspersky’s estimation of development ‘cost’ in LUA is over 3000 lines of code, which for an average developer should take about a month to create and debug. There are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.
Another surprising element is the Flame package’s large size. The practice of concealment through large amounts of code is one of the specific new features in Flame.
What are the ways it infects computers?
Flame can infect computers through USB sticks, Autorun Infector, local networks, printer vulnerabilities etc.
Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. Kaspersky Labs haven’t seen use of any zero-days till now; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high-risk zero-day.
How does Flame steal information?
Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library. Recorded data is sent to the command and control server (C&C) through a covert SSL channel, on a regular schedule.
The malware has the ability to regularly take screenshots; and interestingly will take screenshots when certain “sensitive” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server — just like the audio recordings.
Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.
What type of data and information are the attackers looking for and who gets affected?
Kaspersky, from it’s initial analysis, derives that motive of Flame is to look for any kind of intelligence — e-mails, documents, messages, discussions inside sensitive locations etc.
Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide. The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.
Does Flame have any similarities with Duqu or Stuxnet? Is the same group the created them behind Flame?
Flame has no major similarities with Stuxnet/Duqu. Flame appears to be a project that ran in parallel with Stuxnet/Duqu, and it doesn’t use the Tilded platform unlike Duqu. However the presence of some links can indicate that the creators of Flame had access to technology used in the Stuxnet project — such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet.
It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.
According to Kaspersky’s research, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields — they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections.
Can Flame self-replicate like Stuxnet?
The replication part appears to be operator commanded, like Duqu, and also controlled with the bot configuration file. Most infection routines have counters of executed attacks and are limited to a specific number of allowed attacks.
The FAQ has been compiled with the help of inputs from Aleks Gostev, Chief Security Expert, Global Research and Expert Analysts Team (GrEAT), Kaspersky Lab.