Flame (malicious program)

from Wikipedia, the free encyclopedia

Flame is a malicious program that was discovered by the security software vendor Kaspersky Lab in May 2012, when it was already being used for attacks on computer networks.

Like the two malicious programs Stuxnet and its successor Duqu, it is classified as a serious threat to information security on the Internet, especially since its functionality and complexity are assessed as being even greater. Computers infected with Flame can be remotely controlled and spied on. For this purpose, the malware can read out microphones, keyboards and screens connected to or integrated in the computer. After infecting a system as a rootkit, Flame can spread to other systems via a local network or via a USB stick.

The software was found mainly on computers in the Middle East and has been active since March 2010 at the latest, according to heise.de since 2007 at the latest. All government organizations were informed of the discovery by the International Telecommunication Union (ITU) so that the CERTs can take countermeasures, if necessary, to protect the infrastructures. Initially, nothing was known about the origin of the malicious program. It is noteworthy, however, that the malware infected relatively few computers and that the infections did not appear to have come through the public Internet. Conventional security software cannot usually detect or prevent such attacks, but private users are not threatened by Flame.

At around 20 megabytes, Flame requires an unusually large amount of non-volatile data storage, combines various malware technologies (in particular backdoor, Trojan and worm functionalities) and represents an entire malware toolkit. Kaspersky classifies Flame as a worm under the name "Worm.Win32.Flame"; Avira lists Flame as a Trojan under the name "TR/Flamer.A". The software could infect Windows XP, Vista and Windows 7 operating systems via the Windows update function. To do this, it used a forged code signing certificate that was generated by an MD5 collision attack. With this, Flame intercepts a computer's Windows update request and forwards it to an infiltrated computer. The unsuspecting user then installs the malicious component himself. In case it is discovered by a heuristic scanner or a behavior analysis, Flame is also equipped with a self-destruct function in which the infected computer is instructed to delete the program itself using an uninstall routine.
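As an added example (not from the article or from any vendor's tooling), the following defender's audit reads the `signatureAlgorithm` field of DER-encoded X.509 certificates and flags those signed over MD5, the hash whose collision weakness the forged certificate relied on. The sample chain is a constructed skeleton rather than real certificates, and all function names are illustrative.

```python
WEAK_SIG_OIDS = {   # signature algorithms built on collision-prone hashes
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                  # base-128 digits, high bit means "more follows"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def signature_oid(cert):
    """OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, start, _ = read_tlv(cert, 0)                  # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)            # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert, tbs_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected signatureAlgorithm layout")
    return decode_oid(cert[oid_start:oid_end])

def weak_certs(chain):  # name -> algorithm label for each weakly signed certificate
    return {n: WEAK_SIG_OIDS[o] for n, c in chain.items()
            if (o := signature_oid(c)) in WEAK_SIG_OIDS}

# Constructed skeletons (not real certificates): filler TBS, algorithm, dummy signature.
def der(tag, body):     # minimal encoder, enough for bodies shorter than 256 bytes
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def skeleton(oid_tail):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d0101") + oid_tail) + b"\x05\x00")
    return der(0x30, der(0x30, b"\x02\x01\x01" * 50) + alg + der(0x03, b"\x00" * 17))

SAMPLE_CHAIN = {"constructed-md5": skeleton(b"\x04"), "constructed-sha256": skeleton(b"\x0b")}
```

The check covers only the outer signature algorithm of each certificate; a production audit would run it over every certificate in the trust path, including intermediates.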

The experts who discovered the Flame software name government organizations as its originators or authors. According to Washington Post sources, Flame was co-developed by the US and Israel. Kaspersky analysts suspect an exchange with the authors of Stuxnet due to the similarity of parts of the code. Furthermore, a large number of servers and staff are required to control the Flame installations in the wild and to receive and store the data tapped with them.

In July 2012, during the ongoing investigation of Flame, Gauss and Duqu by Kaspersky Lab, another variant of Flame was discovered, which was named miniFlame. It is believed that miniFlame is spread via Flame or Gauss. In contrast to Flame, only around fifty computers are infected, but these are very important computers in Iran, Lebanon and Kuwait.

References

  1. Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat - Virus News, accessed May 29, 2012.
  2. Developers of Stuxnet and Flame were in contact - PC World, accessed on June 13, 2012.
  3. heise.de: Flame: Virus researchers go super spy online, accessed on May 29, 2012.
  4. Jürgen Schmidt: FAQs on the Superspion Flame, www.heise.de, May 30, 2012, accessed online on June 5, 2012.
  5. Why antivirus companies like mine failed to catch Flame and Stuxnet, arstechnica.com, accessed June 7, 2012.
  6. The computer virus "Flame" poses no threat to German private users, www.derwesten.de, accessed online on June 7, 2012.
  7. securelist.com: The Flame: Questions and Answers (English), accessed on May 29, 2012.
  8. avira.com: Virus description TR/Flamer.A, accessed on May 29, 2012.
  9. "Capable of infecting Windows XP, Vista and 7 operating systems" (Memento of the original from May 30, 2012 on WebCite). Iran Computer Emergency Response Team, May 28, 2012.
  10. Windows Update compromised. heise.de, June 5, 2012, accessed on June 7, 2012.
  11. Jonathan Ness (Microsoft): Flame malware collision attack explained. Retrieved June 7, 2012.
  12. Ellen Nakashima, Greg Miller and Julie Tate: US, Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say
  13. Kaspersky: Stuxnet and Flame are related. heise.de, June 11, 2012, accessed on June 12, 2012.
  14. Golem.de: Flame starts self-destruction, accessed on June 8, 2012.
  15. miniFlame - the little brother of the spy trojan Flame - heise.de, accessed on October 19, 2012.
  16. New computer virus in circulation: "MiniFlame" spies on important computers in the Middle East - Focus, accessed on October 22, 2012.