skip to Main Content

A new and massive cyber-attack has been discovered…the code name…Flame!

CIOs and their chief security officers will be forced to reassess their online strategies in light of the discovery of Flame, a new piece of malware larger and more sophisticated than the Stuxnet virus that disabled Iranian nuclear facilities, and described by one expert as “an industrial vacuum cleaner for sensitive information.” They are also likely to be called upon by their boards to explain what the virus means to their companies.

33 15 15 fire flame
Flame, a complex targeted cyber-attack that collected private data from countries such as Israel and Iran has been uncovered, researchers have said.

Russian security firm Kaspersky Labs told the BBC they believed the malware, known as Flame, had been operating since August 2010.The company said it believed the attack was state-sponsored, but could not be sure of its exact origins. They described Flame as “one of the most complex threats ever discovered”.

Research into the attack was carried out in conjunction with the UN’s International Telecommunication Union. They had been investigating another malware threat, known as Wiper, which was reportedly deleting data on machines in western Asia. In the past, targeted malware – such as Stuxnet – has targeted nuclear infrastructure in Iran. Others like Duqu have sought to infiltrate networks in order to steal data. This new threat appears not to cause physical damage, but to collect huge amounts of sensitive information.

60531995 605319941
What does it do? Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations and intercepting the keyboard. More than 600 specific targets were hit ranging from individuals, businesses, academic institutions and government systems.

Iran’s National Computer Emergency Response Team posted a security alert stating that it believed Flame was responsible for “recent incidents of mass data loss” in the country. The malware code itself is 20MB in size – making it some 20 times larger than the Stuxnet virus. The researchers said it could take several years to analyze. The size and sophistication of Flame suggested it was not the work of independent cybercriminals, and more likely to be government-backed.

This is an extremely advanced attack. It is more like a toolkit for compiling different code based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine. It also has some very unusual data stealing features including reaching out to any Bluetooth enabled device nearby to see what it can steal. The malware is capable of recording audio via a microphone, before compressing it and sending it back to the attacker. It is also able to take screenshots of on-screen activity, automatically detecting when “interesting” programs – such as email or instant messaging – were open. Among the countries affected by the attack are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

220px dancingflames
Kaspersky’s first recorded instance of Flame is in August 2010, although it said it is highly likely to have been operating earlier. Once the initial Flame malware has infected a machine, additional modules can be added to perform specific tasks – almost in the same manner as adding apps to a smartphone.

Well, so much for the holiday post glow…it is gonna be a busy Tuesday!


This Post Has 3 Comments
  1. Showed up on Slashdot over the weekend. (
    20MB of code when all plugins are loaded. Yes, plugins! It’s not a monolithic tool, but starts small with something like a “scout” that infects but does little except survey the environment and report back. Then at “headquarters” those controlling it can instruct it to do things, including downloading plugins that give it additional capabilities.

    It may take about ten YEARS to decipher what all that code is doing.

    In addition to keylogging (the simplest thing to implement) it will take screenshots of the monitor, compress them, and send them “home”. The screenshot interval varies according to the application being run.

    It has a few hard-coded C&C (command and control) addresses, but is always downloading new ones, so it’s really part of a mesh network which makes it very hard to kill.

    It has a “kill” module which uninstalls all traces of itself on disk and in memory, and then removes the kill module itself. That way, if they find they’ve infected a useless site, they can avoid leaving behind their code for forensic analysis. Also, if they learn what they want and don’t think they’ll get much more, they can erase their tracks.

    Oh. It runs on Windows. From all I’ve read it’s windows x86 (intel) code. Not quite as scary as something written in Java that is machine- and OS-independent.

    1. Al, thanks for your comment….what an amazing piece of work! I can only imagine what they have discovered…the “kill module” is so sci-fi….wow! Thanks! Be well, Regina

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top
×Close search