Skip Links

Flame Malware: All You Need to Know

By Debarati Roy, CIO India
May 30, 2012 03:55 PM ET

CIO India - What exactly is Flame? What does it do?

Iran's discovery of Flame malware turning into political hot potato

Extinguishing Flame malware

Flame is an attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame's command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame's functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.

How sophisticated is Flame and how is it different from other malwares?

Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine.

LUA is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in LUA (the use of LUA is uncommon in malwares) -- with effective attack subroutines and libraries compiled from C++.The effective LUA code part is rather small compared to the overall code.

Kaspersky's estimation of development 'cost' in LUA is over 3000 lines of code, which for an average developer should take about a month to create and debug. There are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.

Another surprising element is the Flame package's large size. The practice of concealment through large amounts of code is one of the specific new features in Flame.

What are the ways it infects computers?

Flame can infect computers through USB sticks, Autorun Infector, local networks, printer vulnerabilities etc.

Flame appears to have two modules designed for infecting USB sticks, called "Autorun Infector" and "Euphoria". Kaspersky Labs haven't seen use of any zero-days till now; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high-risk zero-day.

How does Flame steal information?

Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library. Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule.

The malware has the ability to regularly take screenshots; and interestingly will take screenshots when certain "sensitive" applications are run, for instance, IM's. Screenshots are stored in compressed format and are regularly sent to the C&C server -- just like the audio recordings.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News