I hadn’t commented on it before, but last month the Flame malware was discovered by researchers from Kaspersky. Here’s what we know so far:
Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats. Kaspersky Lab said Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and that both viruses employ a similar way of spreading.
That means the teams that built Stuxnet and Duqu might have had access to the same technology as the team that built Flame, Schouwenberg said. He said that a nation state would have the capability to build such a sophisticated tool, but declined to comment on which countries might do so.
The end result: Parts of Flame appeared innocuous because for all intents and purposes, they were signed by Microsoft itself.
Microsoft addressed the flaw by revoking three certificates and issuing an update to all versions of Windows that added those certificates to the revocation list. The reason Flame wasn’t detected was that it spoofed legitimate files. Microsoft revoked the certificates and explained in a blog post that this occurred because the malware authors used a hash collision technique; I can’t explain it well (although I know what hash collisions are) but basically an older algorithm was exploited and the writers of Flame spent a good deal of time looking for this in order to use it.
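A defender-side check added here (it is not code from the original post, from Microsoft or from Kaspersky): it walks a certificate's DER structure and flags signatures made with MD5, which is the older hash algorithm whose collision weakness the Flame certificate relied on (the post itself does not name it). The two sample certificates are constructed stubs, not real ones.

```python
# Added example (not from the original post): flag X.509 certificates whose signature
# uses MD5, the weak hash behind Flame's forged certificate. Stdlib-only DER walking.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # RFC 3279

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn DER-encoded OID contents into dotted notation."""
    first = value[0]
    arcs, cur = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }; return the OID."""
    tag, body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = _read_tlv(body, 0)  # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "expected AlgorithmIdentifier"
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)  # first element is the algorithm OID
    assert tag == 0x06, "expected OID"
    return _decode_oid(oid_bytes)

def weak_signature(cert_der):
    """Name of the MD5-based signature algorithm, or None when the hash is something else."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(cert_der))

def _tlv(tag, value):  # short-form DER encoder, enough for the constructed samples
    return bytes([tag, len(value)]) + value

def _sample_cert(sig_oid_hex):
    """Constructed stub, not a real certificate: dummy tbsCertificate, AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xff"))

MD5_CERT = _sample_cert("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_CERT = _sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

On a real DER certificate the same `weak_signature` call works unchanged; revocation, as Microsoft did, remains the fix for certificates already issued under a weak hash.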
Purging the virus is believed to be a bid to prevent victims from finding out their data was stolen. The massive and complex virus is in the hands of computer experts who are analyzing the code, trying to figure out how to protect computers from the malware.
“They’re trying to cover their tracks in any way they can,” said Vikram Thakur, principal security response manager at Symantec, a computer security company. “What’s very interesting is that they were willing to take the risk of connecting to the servers, which could be watched.”
“They threw caution to the wind,” Thakur said.
First Stuxnet is discovered, then Flame. But it looks like Flame was first. If so, then why did it take so long to get detected?
One thing is clear – whoever is behind these efforts will go to more effort next time to ensure that their next generation is not so easily discovered.