Decoding the ‘Flame’ virus

Posted at 11:24 AM, Jun 05, 2012
(CNN) — Last week, groups of congressional staffers gathered in conference rooms in the nation’s capital. They were coming to hear from a representative from Symantec about the current threat landscape in cyberspace.

It’s an annual event for the security software giant, one in which staffers are briefed on current and emerging threats. They, in turn, brief lawmakers who are looking for ways to “catch up” in the war in cyberspace.

As you might expect in a briefing on cybersecurity, lots of numbers were thrown out: an 81% increase in the number of malware attacks, 5.5 billion attacks blocked worldwide and some 403 million unique pieces of malware (many of them have variations of the same attack that are auto-generated) aimed at computer users around the world.

A lot of these threats are familiar to Symantec, and a big reason why they have become a powerhouse in the security industry. Protecting against old viruses and detecting new are how they make their money. Business is apparently good, with some 200,000 new pieces of malware being sent to them every week for further diagnosis.

That’s one of the reasons the company staffs its security desk 24/7. It was that lucky weekend staffer who got first wind of a new threat this past Memorial Day. It was a new piece of malware sent to the company by a Hungarian researcher, a trusted partner, so it got moved a little closer to the top of the heap for scrutiny and what the researcher saw shocked him a little.

“The first thing was its size,” said Kevin Haley, Symantec’s director of security response, who was alerted over the holiday weekend that this virus was different – way different – than anything the company had seen. “Stuxnet was really unique because of its size, and this is about 20 times bigger than Stuxnet.”

This newly detected virus, dubbed “Flame,” had incredible abilities to monitor in-boxes, take screen grabs, even record audio of conversations happening near the computer. Haley said it had all the hallmarks of a nation-state effort and Symantec researchers immediately dived into the code, looking for clues.

“When you start looking at it, it was clear that it was very complex. It was doing a lot to make it look like a normal program,” said Haley. “There were encrypted pieces, and they had a lot of functionality, so we really started to do some serious investigating.”

What they found was a series of modules. The entire virus had been pieced together like a LEGO creation, one part building on another. Things could actually be added onto the spyware after it was already on an infected computer, giving the developer enormous freedom to tinker at will.

One specific example is with a Bluetooth module, which allowed the spyware to be spread to other devices. That’s just one of some 60 modules that were identified in the first week.

The hunt for further clues is expected to take months and researchers may still never know who is behind the virus. Symantec said while authors of viruses like these rarely leave a “signature” in the code, they do sometimes inject something that looks odd. In this case, researchers found multiple references to a string dubbed “Jimmy.”

“We don’t know what it means,” Haley said. “Though it’s not unusual for malware authors to leave little messages like that.”

Other security companies have been combing through “Flame” as well, looking for clues and details about it’s origins and abilities.

Microsoft announced over the weekend that it had identified a part of the code that had been signed in a way to make it look as if it had originated with the software giant.

The company also said it has issued a fix for the virus, saying in a security advisory that “the vast majority of customers are not at risk.” The statement also said the company has taken steps to make sure the signature issue doesn’t happen again.

Symantec said it also has a fix for the virus. Iran, which was a major target of the attack, said it has a fix, too. But the question of who launched “Flame” in the first place is a little tougher to pin down, according to Haley, who said efforts to find additional modules will continue in the coming months.

“It’s an ongoing story for us.”

But back to that briefing on the Hill last week. It turns out that while “Flame” is grabbing the headlines, that doesn’t mean it’s the most dangerous for home computer users. Some of the old favorites in attacks aimed at consumers’ computers are still the most effective. According to Haley, it’s those pop-up ads that tell you that your computer has already been infected.

“The two most popular ways are to send you an e-mail with an attachment, and a Web-based or drive by download that gets you to a malware website” Haley said. The attackers then try to get you to buy their “security” product, and wham! They’ve got you.

Another favorite way to get you is through social media websites. Attackers are so savvy that they now troll your “friends” list and generate an e-mail that looks like it’s coming from you, so what friend wouldn’t click on it, right? Wham. You’re infected.

It doesn’t exactly scream reassurance, but does give lawmakers a better grasp on just how wide-ranging the cyberlandscape is these days.