The analysis published on Flame has been amusing. Apparently Stuxnet is no longer considered sophisticated. Surprise.
Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different…Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated.
Many characteristics are shared? Interesting, except that later in the same page you will find this:
Flame has no major similarities with Stuxnet/Duqu.
Perhaps it is too early to ask for clarity. But I have to say my favorite example so far is this:
Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed.
Are we expected to believe that a 12% success rate for catching viruses is a shining success? Is there anyone who would like to argue that the antivirus industry is in need of examples of failure? Seems like everyone already has plenty to go around before hearing of Flame (Flamer, SkyWiper).
Don’t get me wrong, I am an advocate of using black-lists as one control to block threats. I also am an advocate for fences. They serve a purpose. The point is to know the difference between levels of defense, like the difference between a six-sided box and a four-sided box. If you’re running a four-sided box defense (e.g. you black-list wheeled threats) don’t be surprised when attackers jump over and under. Failure is a relative term and we should put anti-virus in its place. Definitely not a cure-all. On the other hand, I look forward to hearing how installation of 20MB of malware was not noticed.
The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module
Easier to hide small than large, which is why large was not discovered? Nevermind. I’ll wait for an update on that point too. In the meantime here’s one of the characteristics that makes Flame different. It is described as sophisticated because
recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio
Those two sentences seem to contradict. It’s rather new but other malware does it already? I have a different definition of rather new — audio attacks are as old as audio. I remember malware (Ivar, an extension for Mac System 7) in 1992 that had audio remote control. It used a fake system bomb to get the user to register the extension and then the Macintosh was tapped. I’ve run into examples since then as well, and I’m not just talking about the occaisonal webcam fiasco.
That same article makes the point that 3000 lines of code would take about a month. Of course it takes far less than a month to write 3000 lines if you’re collaborating/borrowing code. I point that out because Flame sounds an awful lot like child monitoring applications on the market. Mixed capability monitoring is par for the course when you are a parent or a civil/corporate investigator. In fact, in 2005 I used a similar tool for a case…
Maybe I am wrong and Flame really is a giant black eye for anti-virus vendors, and maybe I’m wrong and it was developed from scratch in an isolated lab at a very high cost. Even so, for me the most interesting part of this story is not the old debate over whether the code is sophisticated or not.
The part I noticed right away is that Jordan, Yemen, and Eritrea are supposedly unaffected or at least far below the top affected countries. That says a lot about intent if you believe intent is a factor. I keep that in mind when I look at the usual analysis that malware in Iran is spread on a Western-dictated attack path.
The malware is most likely created by a Western intelligence agency or military.
Ok, then why isn’t it in the places that Western intelligence agencies monitor? Does Yemen, a so-called “breeding-ground for terror”, or Eritrea have an anti-virus program we should know about?