After nearly a week’s worth of investigation, cyber security researchers still don’t know who is behind a large new piece of malicious code that was recently discovered to be operating on hundreds of computers in the Middle East and Europe, mostly in Iran.
But several leading security firms that on Monday first publicized the discovery of the malware, nicknamed Flame, do have an idea of the type of person that’s probably behind it: Professional software developers.
“It looks to us like these were legitimate programmers who were tasked with writing malware in this case” said Liam O Murchu, a researcher with American cyber security firm Symantec, in a telephone interview with TPM. Symantec first reported on the discovery of Flame, which it calls “Flamer,” on Monday.
Flame’s likely creators are contrasted with the typical authors of malware, who may often be professional criminals, students or hobbyist hackers, according to the analysis of another cybersecurity firm, Moscow-based Kaspersky Labs, which was also one of the first firms to announce the discovery of Flame on Monday.
“Conventional cybercriminal malware is created to bring some financial profit, whether it is stolen money from credit cards, virtual property from online games or ddos attacks and spam that also bring money,” said Vitaly Kamluk, chief malware expert with Kaspersky’s Russian global research and analysis team, in an email to TPM.
By contrast, Flame includes several different scripts, called “modules,” that together appear to be designed for another purpose entirely: cyber espionage.
“The difference is not technical, but philosophical,” wrote Boldizsár Bencsáth, a researcher with Hungarian cybersecurity firm CrySyS Lab, in an email to TPM. CrySyS is yet another major security outfit that reported Flame’s existence Monday. CrySyS referred to Flame as “SkyWIper.”
Flame’s modules govern the software’s capabilities on infected computers, including taking screenshots, logging keystrokes, intercepting Internet traffic and instant messages, even turning on a computer’s wireless microphone and recording audio conversations, all without a user’s knowledge.
But it’s how Flame was put together, moreso than its effects, that have researchers around the globe intrigued.
“What we’ve seen here is that it [Flame] was built using techniques that would normally be used in the creation of legitimate software, which we don’t normally see in malware,” O Muchu added.
Symantec and numerous other security firms have noted the fact that Flame was written using a combination of two main programming languages, Lua and C++. While the latter is typically used in malware, the use of Lua, more commonly found in videogame programming, has stoked interest further interest in Flame’s authors and creative process.
“Lua is more high level,” O Murchu told TPM. “It’s much easier to update than C++. The attackers wrote [Flame] that way so they could quickly add new modules and update it seamlessly.”
Flame’s unique underlying coding may have contributed to its success at spreading throughout hundreds of computers for years. Looking back over system data, the first appearance of the malware was in 2007, according to CrySyS (Kaspersky and Symantec place the first appearance in 2010).
But whenever it was first released into the wild, it remained undetected until recently, even as security software improved and operating systems were updated. O Murchu told TPM that this was due in part to the malware’s “modular” structure — the fact that specific modules could be quickly added to Flame by its operators, allowing it to perform new capabilities at will, depending on which computer systems it would up on.
Flame is a self-replicating malware that was likely first installed using an infected USB stick, but after that, the malware spread across networked computers on its own.
O Murchu also said that Flame malware included a built-in, local database to store information it captures, when other malware would simply use a text file, which would be smaller in size but less accommodating for various file types.
Flame’s database adds to malware’s overall file size, bringing it up to a total 20 MB in some cases compared to the relatively typically-sized Stuxnet malware’s 1.5 MB.
“Legitimate programmers may not necessarily be the best fit for writing malware,” O Murchu commented.
Whoever employed the programmers that developed Flame, major security firms broadly agree that it was commissioned by a nation state.
“The English language in the code is well formed, so we expect good english speakers there,” Bencsáth told TPM. “From the operational point of view it’s most likely the U.S. or Israel behind that.”
Indeed, Israel’s vice prime minister Moshe Ya’alon made statements on a military radio show on Monday that were widely interpreted by media outlets as an intimation Israel could have had something to do with the malware.
But a spokesperson for the Israeli government told the BBC on Thursday that Ya’alon’s comments had been misconstrued, stating: “There are quite a few governments in the West that have rich high-tech [capabilities] that view Iran, and particularly the Iranian nuclear threat, as a meaningful threat - and can possibly be involved with this field.”
Iranian officials earlier confirmed that Flame had been found on computers managing Iran’s oil sector and had briefly attacked the systems, resulting in “massive” data loss in some cases, though all data was supposedly recovered. The Iranian national cyber security organization, Maher, on Monday said it had issued a antivirus program to those affected.
Symantec’s O Murchu and Kaspersky’s Kamluk declined to speculate which nation states could be behind Flame, saying they had more work to do on analyzing the code.
Despite the fact that Kaspersky has released detection and deletion methods to combat the software, and security firms are prepping antivirus software updates that will root out the virus, O Murchu said it could still resurface.
“It could be that the attackers will be rattled and will disappear it, or won’t use it again,” O Murchu said. “Or it’s possible that they could do what the Stuxnet authors did and tweak their software and try to remain undetected, or release a new version.”