Flame Portable EDR : SUMURI Digital Forensics

While most Americans enjoyed a long holiday weekend, researchers in the security community were working around the clock to unravel the mysteries of one of the most intimidating pieces of malware code ever found.

Known by the names Flame, Flamer, and sKyWIper, the malware is significantly more complex then either Stuxnet or Duqu — and it appears to be targeting the same part of the world, namely the Middle East.

Preliminary reports from various security researchers indicate that Flame likely is a cyberwarfare weapon designed by a nation-state to conduct highly targeted espionage. Using a modular architecture, the malware is capable of performing a wide variety of malicious functions — including spying on users’ keystrokes, documents, and spoken conversations.

Vikram Thakur, principal research manager at Symantec Security Response, told eSecurity Planet that his firm was tipped off to the existence of Flame by Hungarian research group CrySys (Laboratory of Cryptography and System Security). As it turned out, Symantec already had the Flame malware (known to Symantec as W32.Flamer) in their database as it had been detected using a generic anti-virus signature. “Our telemetry tracked it back at least two years,” Thakur said. “We’re still digging in to see if similar files existed even prior to 2010.”

Dave Marcus, Director of Security Research for McAfee Labs, told eSecurity Planet that Flame shows the characteristics of a targeted attack.

“With targeted attacks like Flamer, they are by nature not prevalent and not spreading out in the field,” Marcus said. “It’s not spreading like spam, it’s very targeted, so we’ve only seen a handful of detections globally.”

While the bulk of all infections are in the Middle East, Marcus noted that he has seen command-and-control activity in other areas of the world. Generally speaking, malware command and control servers are rarely located in the same geographical region where the malware outbreaks are occuring, Marcus noted.