Industrial Ethernet Book Issue 71 / 53

The new Flame virus is said to be much larger than Stuxnet

ISSSource's Gregory Hale says that the recently discovered Flame computer virus is 20 times larger than Stuxnet. Flame, which has data-snatching capabilities and which is hitting machines in Iran and elsewhere in the Middle East, was discovered by researchers from Kaspersky Lab.

FLAME IS UNUSUAL in that it is huge - typically 400 times larger than the average worm. The reason for Flame's large size (20 Mbytes) is that it is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks.

The virus's modular architecture allows very large changes in functionality and behaviour to be made at any time. In addition, it allows its operators to use a sophisticated scripting language, Lua, to manage its activities. It also features advanced code injection techniques.

Flame is a Trojan with worm-like features that allow it to replicate across a local network and on removable media. It is reported to be a sophisticated attack toolkit, much more complex than Duqu. There are, though, links suggesting that its designers had access to technology used to devise Stuxnet, such as the autorun.inf infection method, together with exploitation of the same print spooler vulnerability that Stuxnet used.

Once it has infected a system, Flame initiates complex operations, including spying on network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and more. The data gained is available to operators through the link to Flame's command-and-control servers.

There are reported to be a further 20 modules that expand Flame's functionality, but their purpose is still being investigated.

Flame avoided detection for a time because of its extreme complexity, and because it has been targeting only selected computers. The virus's primary purpose, Kaspersky said, appears to be cyber espionage: stealing information from infected machines and sending it to servers across the world.

Interfere with security?

Can Flame interfere with SCADA and ICS security? As yet, there is little evidence that it is doing so, because as currently configured it is an information stealer. There has been no evidence so far that it currently has SCADA- or ICS-related modules installed.

So, for control engineers, the good news is that, like Stuxnet, Flame seems to be highly targeted and, like Duqu, it steals information rather than destroying equipment. However, this new, sophisticated, government-sponsored worm does seem to be aimed at industry, and the energy industry in particular, which is a major concern.

Flame was devised, Kaspersky Labs believes, no earlier than 2010, but it is still undergoing active development. Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created or changed in 2011 and 2012. Its origin is as yet unknown, though it is suspected to come from either the USA (with help from Israel) or from Israel (or possibly Brazil); a number of systems in the Middle East have been hit by this virus.

Destruction of communications
If there is war between Israel and Iran, Israel will, it is thought, with US assistance, deploy an array of high tech armaments to ruin the country's air defence systems by making them effectively deaf, dumb and blind. Then, a new version of the Stuxnet virus (possibly Flame, or as a result of Flame) will be used to destroy Iran's command centres.

Israel is said to be aiming at the destruction of all of Tehran's communication and network surveillance, including electrical plants, radar sites and command centres, plus Iran's Internet, mobile phone network and emergency frequencies.

Kaspersky Labs has said that the complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date, including Stuxnet itself.

The organisation says that, unlike with conventional warfare, the more developed countries are actually the most vulnerable.

At the time of going to press, Flame is reported to have collected information in Israel and the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. Iran, however, has been hardest hit.


© 2010-2018 Published by IEB Media GbR