Flame Virus: on trail of mysterious spyware

Interview with Vitaliy Kamlyuk – chief malware expert with the Russian Global Research and Analysis Team at Kaspersky Lab.
How did you come to learn of the Flame virus, how was it?

The story of the Flame actually began in May when we got an enquiry from the International Telecommunication Union, which is a part of the UN, and we got an enquiry related to a search for a mysterious malware codenamed the Wiper which presumably attacked many computer systems in Iran. As we know from the news, in April this year there was a series of attacks against the Iranian oil industry and those attacks were related to the wiping of data from computer systems and even making them unusable or unbootable. And we started our search in the hope of finding this mysterious wiper program. We started looking for suspicious file names and malware activity in the region of the Middle East and we discovered some suspicious files which we didn’t have in our collection and we had a suspicion that it was related to Stuxnet because the file name reminded us of the already discovered files related to Stuxnet.

When we got a copy of that file we realized that this was quite a big application and we also got a lot of related modules and this was not very typical for normal malware, but it seemed to be malware, a very complex one. And then we started our research and realized that this was something bigger and probably not even related to the target of the initial search, the Wiper malware, because we couldn’t confirm it by reverse engineering the application; we couldn’t find the place where it wipes other files or makes the systems unbootable. This is the story of how we discovered it.

But Vitaly, like you say it’s been in place for quite some time, so why wasn’t it detected earlier? Is it undetectable?

No, it can be detected. There are actually no files that are undetectable; sooner or later we can find the solution. But talking about this specific case, about the Flame, there are several reasons why it stayed undetected for at least two years. One of them is that it actually was propagated within a very limited geographical region and very few targets were infected. Those people were picked very carefully, manually, by the attackers. So, the propagation was limited. There were hundreds of systems infected, which is nothing compared to other malware that we receive daily.

In one of his recent interviews Mr. Kaspersky said that he was rather alarmed by the scale of what he described as cyber epidemics which pose a serious threat to humankind.

As I understand it he was talking about all these series of exceptional discoveries that we made during the past several weeks and all this is related to a very hot topic of cyber weapons and cyber warfare. So, I guess this is the problem that humanity is going to face or is already facing with the discovery of such threats as Stuxnet, Duqu and now Flame.

These are the only proven and discovered examples of something that we call a cyber weapon. These are specifically crafted applications which must have been developed with the help of some nation state and they are used in cyber attacks against other countries, whether it is cyber espionage attempts or physical destruction, which is possible with the help of malicious software technologies.

So, Flame, Duqu and Stuxnet are currently the only examples, or quite a rarity, in what we call a cyber weapon. These are malicious software applications that are used in cyber espionage activities or in activities related to the destruction of real physical objects. For instance Stuxnet is known as a computer worm which actually left cyber space and entered the real world by destroying physical objects which were part of industrial control systems. So, it managed to cause physical destruction in the real world.

How could that happen?

It was possible with the help of specially created code that interacted with industrial control systems, and those are basically computer controlled equipment which can be reprogrammed, and if it is programmed in a special way it can actually break if you set specific parameters that can break the system. For instance if you have an engine and it spins at a high frequency without a stop, without interruption, then it will obviously get broken within a limited time. So, this is how it worked with the Stuxnet worm. And others like Duqu and Flame, those are used in professional cyber espionage activities to collect different types of information like secret documents, maybe classified information, and then transfer it back to the attacker.

Those viruses, are they created with certain preprogrammed qualities so that they are targeting only certain specific objects or programs?

Actually we have seen different things. In Stuxnet they were quite focused on industrial control systems and the Stuxnet worm was actively looking for particular equipment on the network. At the same time Stuxnet is a computer worm that spread all over, so for it, it didn’t make any difference which system to infect; it tried to propagate as broadly as possible. And talking about Duqu and Flame, those are tools that are used for targeted attacks. So, the victims are carefully selected and they do not spread in the networks, they do not infect other computers unless they are commanded to do so.

So, in Flame we found the functionality of a network worm which must be activated by the operator. So, it can turn the Trojan, the Backdoor, into a worm by a command. At the same time these applications have particular properties, features that actually make them unique, and that’s why they don’t look like traditional cyber criminals’ malicious applications, because the traditional cyber criminals, they are trying to develop something that is bringing them money. So, they make applications that steal logins and passwords from your internet banking account, that send spam, that conduct DDoS attacks on the Internet or do cyber extortion by blocking your system so that you pay the money to get it back.

So, we couldn’t find any evidence of a potential profit behind Stuxnet, Duqu and Flame. Those were used just to collect intelligence without an obvious way to monetize it. So, our suspicion is that it must be a nation state that might be developing it, because of the complexity and because of the objectives, and the limited geographical propagation of these threats.

Is it expensive to develop such viruses?

It is expensive and it is much more expensive than cyber criminals’ malware. And we have seen much evidence of very expensive things. Talking about Stuxnet, there were at least four zero day vulnerabilities found in that worm. And a zero day vulnerability means that this is a software program breach that was discovered during analysis of Stuxnet, so it was not known before. And each such vulnerability actually may cost several dozen thousand dollars on the black market. So, this information about these vulnerabilities is extremely expensive and so is the development of the rest of the code of Stuxnet and Flame. There is a lot of code and their architecture is very complex, and it must be like a big team of people working on the development of this code. It looks very organized, it looks very well structured, which actually even resembles a traditional software development company’s style of programming.

Does that imply that with the rate of development of new cyber weapons, traditional weapons are growing obsolete?

Well, probably no, because a physical weapon will always be there in our world because we are living not in a cyber world but in a real world after all, and our presence in the cyber world is limited by the length of interaction with your computer or with your gadgets, whatever. But still a traditional weapon will always be there, I think it will stay, but the power of a traditional weapon can be extended by the cyber weapon and this is something that has been happening during the past years. I think militaries have realized that Stuxnet can cause real destruction and can be delivered very fast, in a matter of seconds; it can be delivered, propagated in our computer networks and disconnect critical systems, it can bring them offline, which will paralyze the potential opponent.

At the same time there are currently no regulations and laws which can limit the usage of such cyber weapons. And after all it is very deniable, so it is quite possible to stay anonymous on the Internet and launch such attacks anonymously without leaving any traces, which is very suitable and convenient for some particular nation states. You can do anonymous attacks on your opponent and cause real destruction without even letting the opponent know who is behind it.

Do you think that now this threat can be neutralized?

Basically the protection against the Flame malware has been available since we announced its finding. We added specific signatures into our antivirus databases and they were immediately available for our customers. So, Kaspersky users are protected of course, and those who want to check their computers can do it for free if they download our trial version that works for thirty days, and they can check their systems and clean them if they are infected. So, from the technical point of view it is not very complicated to remove this malware because it does not actively resist being removed. Actually the attackers focused on staying undiscovered and I think that they quite succeeded in that because the malware has been discovered for at least a couple of years or maybe more.