Flame/Flamer virus (aka sKyWIper): Huge, complex, old news

The Flame or Flamer virus, recently discovered infecting Middle Eastern PCs, is huge and complex. However, some are now saying the malware -- also known as sKyWIper -- is old news. In IT Blogwatch, bloggers wonder if it's all just security FUD.

By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: MS Outlook considered harmful...

Gregg Keizer reports:

Flame, as the espionage tool has been named, is a massive piece of malware...that infiltrates networks, scouts out the digital landscape...[and] pilfer[s] information.


[R]esearchers are trying to determine...how it fits with other malware that experts believe targeted Iran. ... In particular...Stuxnet, which...was created to sabotage Iran's uranium-enrichment facilities, and Duqu, an intelligence-gathering tool.


Chronology is important. ... Stuxnet...used exploits of multiple "zero-day" bugs...and Flame leveraged some of the same bugs. ... If Flame's origin can be traced to before Stuxnet's discovery [this] would link the two pieces of malware.   

Darlene Storm rains on our parade:

CrySyS Lab calls the...malware "sKyWIper," while Kaspersky calls it "Flame" and...MAHER calls it "Flamer." ... [All] signs point toward it being...created by an unknown government agency.


The malware authors went to great lengths to evade detection. ... If it's been floating around for a couple years at least...it would seem possible there are even more advanced...[and] sophisticated cyber weapons lurking, working and awaiting discovery.   

Kaspersky's Alexander Gostev unpicks the installation sequence:

[The] volume of its code and functionality are so great that it will take several months for a complete analysis. ... The main module of Flame is a DLL file called mssecmgr.ocx. ... After installation, [it] connects to one of the C&C servers and tries to download and install [more] components.


The first activation...is initiated by...either Windows WMI tools...if the MS10-061 exploit is used, or using a BAT file. ... [It then] registers itself as a custom authentication package in the Windows registry...[and] extracts any additional modules that are present in its...resource section (resource “146”) and installs them.   
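
The persistence step Gostev describes, registering as a custom LSA authentication package in the registry, is something a defender can audit directly. The PowerShell below is an added example, not from the article or from Kaspersky's analysis; it assumes a known-good baseline containing only the Windows default package msv1_0, and anything outside that baseline (or without a valid Authenticode signature) is reported for review rather than declared malicious.

```powershell
# Added defensive audit (not from the article or Kaspersky): list the DLLs
# registered as LSA authentication packages and flag anything unexpected.
# Assumption: $baseline holds every package your build legitimately uses;
# msv1_0 is the Windows default, extend the list for your environment.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('msv1_0')   # assumed baseline, adjust per environment

function Get-LsaPackageReport {
    param([string[]]$Baseline = $baseline)

    $lsa = Get-ItemProperty -Path $lsaKey
    # REG_MULTI_SZ: each entry is a DLL (base name, loaded from System32 by
    # LSASS at boot), so a rogue entry survives reboots and runs in lsass.exe.
    $packages = @($lsa.'Authentication Packages')

    foreach ($pkg in $packages) {
        $known = $Baseline -contains $pkg
        $file  = if ($pkg -like '*.dll') { $pkg } else { "$pkg.dll" }
        $dll   = Join-Path $env:SystemRoot "System32\$file"
        $sig   = if (Test-Path $dll) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'FileMissing' }

        [pscustomobject]@{
            Package    = $pkg
            InBaseline = $known
            DllPath    = $dll
            Signature  = $sig
            # Anything not in the baseline, or not validly signed, needs a look.
            Review     = (-not $known) -or ("$sig" -ne 'Valid')
        }
    }
}

# Run interactively; pipe to Export-Csv to keep a per-host record over time.
Get-LsaPackageReport | Format-Table -AutoSize
```

Run it as an administrator on a reference build first so the baseline reflects what your image actually registers; a later run that shows a new Review=True row is the signal worth investigating.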

But McAfee's Peter Szor and Guilherme Venere deny that Kaspersky first discovered it:

CrySys Lab, a Hungarian security team, noticed that a complex threat it had been analyzing for weeks was clearly the same threat. ... [It is] extraordinarily complex.


Evidently, the threat has been developed over many years, possibly by a large group or dedicated team. ... [It] shows great similarity to Stuxnet and Duqu...yet its code base and implementation are...much more complex and robust.   

Meanwhile, Graham Cluley is bored with all this "biggest malware" talk:

The media has gone crazy...[saying] it's "much bigger than Stuxnet". ... Yes, Flame is bigger than Stuxnet. If you're counting bytes.


But my guess is that number of bytes wasn't what you were thinking of when you read the headline. ... [S]ize doesn't matter. What matters...is whether [you] are likely to become infected.


Flame isn't doing anything different from the vast majority of other malware we see on a typical day. ... [It] doesn't really represent much of a threat anymore. Every anti-virus...now detects it. ... So let's keep things in perspective.   


And Finally...

Outlook autocorrect considered harmful    


Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch, for which he has won ASBPE and Neal awards. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can read Richi's full profile and disclosure of his industry affiliations.


Copyright © 2012 IDG Communications, Inc.
