Yesterday, news broke that a new strain of highly advanced malware (APT), dubbed Flame (also known as Flamer or Skywiper), has been identified. The variant was found to be most prevalent in the Middle East. Other recent, well-known malware found in the Middle East includes Stuxnet and Duqu, both very advanced and ground-breaking. Flame has most likely been in circulation since 2010, but has only just been identified. Its primary function is to collect and upload information, which it does in several ways, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more.
The malware has a total size of about 20 MB, which is huge compared to most malware, typically well under 1 MB. One of the main reasons for its much larger size is its extensive embedded functionality. It consists of several modules, including decompression libraries, a SQL database, and a Lua virtual machine. So far, the known vulnerabilities used by this malware are MS10-046 and MS10-061. Both were also used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.
Commenting on the discovery, Carl Leonard, Senior Manager, Websense Security Labs, said: “Flame is potentially the most advanced malware to date, at least in terms of functionality combined with ability to stay hidden over a long period of time. Contributing to its complexity is its sheer size. At a huge 20MB in size if all modules are taken into account, it is about 20-30 times larger than most malware we usually see and incorporates some interesting techniques not common to malware such as using the LUA scripting language for some of its functions. How effective it has been remains to be determined, as there still have only been a small number of infections discovered and it will take some significant research time to deconstruct all of its capabilities.”