Sunday, June 03, 2012

New 'Flame' malware has much in common with 'Angry Birds'

Flame is the newest cyber-espionage salvo aimed at Iran, and although it has been characterized as perhaps the most sophisticated bit of malware to date, the code is about five years old, according to U.S. experts. Despite that, it has something in common with a smash hit mobile video game: Angry Birds.

Flame was accidentally discovered, reportedly by security firm Kaspersky Labs. It's a huge package, encompassing some 20MB of space and 250,000 lines of code. And, for at least its high-order logic, Flame uses Lua, the same language used in Angry Birds.

It's a humorous bit of detail on a still scary piece of malware.

While Flame's higher-order logic is written in Lua, which is really a scripting language, most of the code is compiled from C++, which makes more sense for something that has to get as deep into a system as malware needs to go.

In fact, while the overall code is estimated to be 250,000 lines, the Lua is rather small in comparison, at somewhere over 3,000 lines of code.

Since Flame - at least for malware - is so large, it's difficult for security software to analyze. While many viruses are caught by antivirus software using a signature-based database, others are found through heuristics, which have to analyze the suspected sample itself rather than match it against a known fingerprint.

According to Kaspersky Labs, Flame is large because it contains several different libraries, including compression / decompression (zlib, libbz2, ppmd) and database manipulation (sqlite3), along with a Lua virtual machine.
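To make the signature-versus-heuristics distinction concrete, here is an added example (not code from the article, and not Kaspersky's analysis tooling) that triages a binary two ways: an exact-hash signature lookup, and a heuristic that scores the sample on the structural features the article lists, namely its size and the bundled libraries (zlib, libbz2, ppmd, sqlite3, a Lua VM). The marker strings are assumed values typical of statically linked builds of those libraries, chosen for illustration rather than taken from any real rule set, and the sample bytes are constructed padding, not Flame code. The point it shows is that a one-byte change defeats the hash lookup while the heuristic still flags the copy.

```python
import hashlib

# Marker strings typical of statically linked builds of these libraries.
# These are assumed values chosen for illustration, not a vetted rule set.
LIBRARY_MARKERS = {
    "zlib":    [b"inflate 1.", b"deflate 1."],
    "libbz2":  [b"bzip2/libbzip2"],
    "ppmd":    [b"PPMd"],
    "sqlite3": [b"SQLite format 3"],
    "lua_vm":  [b"$Lua: Lua 5."],
}

LARGE_SAMPLE_BYTES = 20 * 1024 * 1024  # the article's ~20MB figure for Flame


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_match(data: bytes, signature_db: set) -> bool:
    """Signature-style check: exact hash lookup. Any byte change defeats it."""
    return sha256_hex(data) in signature_db


def libraries_present(data: bytes) -> list:
    """Heuristic feature: which bundled libraries leave recognizable strings."""
    return sorted(name for name, markers in LIBRARY_MARKERS.items()
                  if any(marker in data for marker in markers))


def heuristic_score(data: bytes) -> tuple:
    """Score a sample on structural features rather than on an exact hash."""
    found = libraries_present(data)
    score = len(found)             # one point per bundled library
    if "lua_vm" in found:
        score += 2                 # an embedded scripting VM is unusual in ordinary binaries
    if len(data) >= LARGE_SAMPLE_BYTES:
        score += 1                 # unusually large executable
    return score, found


def triage(data: bytes, signature_db: set, threshold: int = 4) -> dict:
    """Run both checks and report the verdict of each side by side."""
    score, found = heuristic_score(data)
    return {
        "signature_hit": signature_match(data, signature_db),
        "heuristic_hit": score >= threshold,
        "score": score,
        "libraries": found,
    }


def build_constructed_sample(padding: int = LARGE_SAMPLE_BYTES) -> bytes:
    """Constructed stand-in for a large binary bundling these libraries (not Flame)."""
    body = b"".join(markers[0] for markers in LIBRARY_MARKERS.values())
    return body + b"\x00" * padding


SAMPLE = build_constructed_sample()
SIGNATURE_DB = {sha256_hex(SAMPLE)}   # the one copy we already have a fingerprint for
REPACKED = SAMPLE + b"\x00"           # trivially altered copy, identical contents otherwise

if __name__ == "__main__":
    for label, blob in (("known sample", SAMPLE), ("repacked copy", REPACKED)):
        print(label, triage(blob, SIGNATURE_DB))
```

Running the block prints a signature hit only for the exact known copy, while both copies clear the heuristic threshold with the same score; the trade-off is that the heuristic has to read and score the whole 20MB sample, which is the cost the article alludes to when it says large samples are hard for security software to analyze.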

Flame has some innovative, for malware anyway, features. It can record audio via a microphone, if present. It can control webcams and Bluetooth devices as well. However, much of what it can and cannot do, as well as its method for being introduced into a computer network, is still unknown.

Also unknown, though definitely suspected in light of the revelations about Stuxnet, is the group, organization, or nation-state involved in its creation.

And while Flame has been seen in Israel as well as Iran and Syria, that could, experts theorize, be a red herring. It could also be something else: another piece of malware, like Stuxnet, created to infiltrate the systems of "aggressor nations," that went rogue because of a bug in its code and began infecting other sites as well.
