Why Flame is Lame

Published: 2012-05-31. Last Updated: 2012-05-31 16:55:02 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We have gotten a number of submissions asking about "Flame", the malware that was spotted targeting systems in a number of arab countries. According to existing write-ups, the malware is about 20 MB in size, and consists of a number of binary modules that are held together by a duct tape script written in LUA. A good part of the size of the malware is associated with its LUA interpreter.

If you ever find something like that using perl instead of LUA... maybe I did it. I love to tie together various existing binaries using perl duct tape. However, I am not writing malware... and any serious commercial malware writing company would probably have fired me after seeing this approach. Using LUA would probably not fare much better. "Real" malware is typically plugged together from various modules, but compiled into one compact binary. Pulling up a random Spyeye description [1] shows that it is only 70 kBytes large, and retails for $500. Whatever government contractor put together "Flame" probably charged a lot more than that. Like with most IT needs: if you run some government malware supply department, think about going COTS.

Of course, "Flame" is different because it appears to be "government sponsored". Get over it. Did you know governments hire spies? People who get paid big bucks (I hope) to do what can generally be described as "evil and illegal stuff". They have actually done that for pretty much as long as governments have existed, and McAfee may even have a signature for it.

We are getting a lot of requests for hints on how to detect that you are infected with Flame. Short answer: if you have enough free time on your hands to look for "Flame", you are doing something right. Take a vacation. More likely than not, your time is better spent looking for malware in general. In the end, it doesn't matter that much why someone is infecting you with the malware du jour. The important part is how they got in. They pretty much all use the same pool of vulnerabilities, and similar exfiltration techniques. Flame is actually pretty lame when it comes to exfiltrating data, as it uses odd user-agent strings. Instead of looking for Flame: set up a system to whitelist user-agents. That way, you may find some malware that actually matters, and if you happen to be infected with Flame, you will see that too.
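The user-agent whitelisting the diary recommends, as an added example that is not part of the original post or of any ISC tool: a small Python script that parses proxy/web-server logs in the Apache "combined" format, compares each User-Agent against an allowlist of the agents this environment is expected to produce, and reports every (client, user-agent) pair that does not fit. The allowlist patterns and the log lines are constructed for the example (the "ExampleBot" agent is a made-up oddity, not a real malware signature), so adapt the patterns to the browsers and system components actually deployed on your network.

```python
"""Allowlist-based user-agent triage over proxy or web-server logs.

Added illustration, not code from the ISC diary. Assumes logs in the
Apache/NCSA "combined" format; the allowlist and the sample lines are
constructed for this example rather than taken from observed traffic.
"""
import re
from collections import Counter

# Apache "combined" format: the user-agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed allowlist: agents this (hypothetical) Windows 7 shop expects to see.
# Anything that matches none of these is worth a look, whatever malware it is.
ALLOWED_UA = [
    re.compile(r"^Mozilla/5\.0 \(Windows NT 6\.1.*\) .*Firefox/"),
    re.compile(r"^Mozilla/5\.0 \(Windows NT 6\.1.*\) .*Chrome/"),
    re.compile(r"^Microsoft-CryptoAPI/"),   # certificate / CRL fetches by Windows
    re.compile(r"^Windows-Update-Agent"),
]

# Constructed sample log: two browsers, one CRL fetch, two POSTs with an odd
# agent, and one line that is not a log record at all.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
10.0.0.5 - - [31/May/2012:10:00:02 +0000] "GET /crl/root.crl HTTP/1.1" 200 512 "-" "Microsoft-CryptoAPI/6.1"
10.0.0.9 - - [31/May/2012:10:00:03 +0000] "POST /upload HTTP/1.1" 200 88 "-" "ExampleBot/0.1 (constructed odd agent)"
10.0.0.9 - - [31/May/2012:10:00:04 +0000] "POST /upload HTTP/1.1" 200 88 "-" "ExampleBot/0.1 (constructed odd agent)"
10.0.0.7 - - [31/May/2012:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
this line is not a log record
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(ua):
    """True when the user-agent matches at least one allowlist pattern."""
    return any(p.search(ua) for p in ALLOWED_UA)


def find_unexpected_agents(lines):
    """Count requests per (client ip, user-agent) whose agent is not allowlisted.

    Unparseable lines are counted separately rather than silently dropped, so a
    log-format change cannot make the report look clean by accident.
    """
    hits = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_allowed(rec["ua"]):
            hits[(rec["ip"], rec["ua"])] += 1
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = find_unexpected_agents(SAMPLE_LOG.splitlines())
    for (ip, ua), n in hits.most_common():
        print(f"{n:5d}  {ip:15s}  {ua}")
    print(f"unparsed lines: {unparsed}")
```

The report is sorted by request count so the chattiest unknown agent lands at the top, which is where a beaconing or exfiltrating process tends to show up. Two things the allowlist cannot catch on its own: a request with an empty or browser-impersonating User-Agent passes as long as it matches a pattern, so pair this with destination and volume telemetry, and the allowlist needs pruning whenever a browser or system component is upgraded, or the noise floor rises and the unknown agents get lost in it.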

But you say: "Hey! I can't whitelist user-agents!" Sorry: you already lost. On a good note: scrap that backup system. All your important data is already safely backed up in various government vaults. (Recovery is a pain though...)

Sorry for the rant, but I had to get it out of my system. Oh... and in case you are still worried... the Iranian CERT has a Flame removal tool [2]. Just apply that. I am sure it is all safe and such.

[1] http://www.symantec.com/security_response/writeup.jsp?docid=2010-020216-0135-99
[2] http://certcc.ir/index.php?name=news&file=article&sid=1894

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: flame

Comments

"All your important data is already safely backed up in various government vaults."
...yeah, but the restores are a b!tch.
Lame or not, if it is effective it cannot be easily dismissed. And I note how lame the government's effort is to stop the people using fake security software to extort money from people.
Thank you Johannes for making me laugh and also bringing a sarcastic dose of reality to the often reactionary world of InfoSec. If I had written Flame it would be Pascal and COBOL...
Not so fast. For starters a Lua interpreter is only 182K, and that is not 'a good part' of 20MB. The idea of an embedded Lua interpreter in a piece of malware sounds powerful to me, as it could be very easily adapted, although not so good at staying hidden.
Thanks for the splash of cold water to wake people up :)
Btw Israel and Iran are not "arab" countries. Aside from the minor orientalism issue, the distinction may be important when looking for a common thread as to why they were set alight with the Flame.
Sorry for the misuse of the term "arab". As an American, I reserve the right to offend people of various cultures :). Would "middle eastern" work better?