Friday, June 1, 2012

Some Articles on the "Flame" Cyberweapon

Here is a brief roundup of some of the news over the past few days:

First, from Fox News:
“Flame is a cyberespionage operation,” he told

Its prime goal: capturing data from a machine. To accomplish that task, this unusually large and complex espionage tool is made up of several modules designed to accomplish specific tasks, explained Liam O Murchu, operations manager with Symantec Security Response.

“It can record your keystrokes, it can record from the microphone on your computer, it can take screen shots, and it sends this info to a remote computer for someone to siphon off,” he told

Flame can grow and change, too: What makes this cyberweapon so powerful is the ability to be reconfigured with new modules that turn an infected PC or industrial control system into whatever tool a spy dreams up.

One module makes it a secret tape recorder, using the computer’s microphone to record nearby conversations. One makes it a radio, using a wireless Bluetooth connection to receive fresh commands and suck the address books out of nearby cell phones. One may turn it into a shredder, chewing through hard drives -- as the Wiper virus did to Iran’s computers.

“When a machine gets hit with Wiper, there’s nothing you can do, no forensics,” Schouwenberg said. “It’s a very interesting coincidence that we stumble on this now.”

Indeed, certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry, Symantec’s experts noted.

There are potentially hundreds of these modules, more yet to be uncovered, making Flame as versatile as a Swiss Army Knife.

And while there are no similarities in terms of code between Stuxnet, its successor Duqu, and the Flame, experts say the authors of Flame and Stuxnet had access to common resources.

“Our current working theory is that flame and Stuxnet were parallel projects,” Schouwenberg told “Whoever commissioned Stuxnet also commissioned Flame.”

That cyberattack was very specific, however, while the Flame attack is broad, having been detected in more than half a dozen countries already: Hungary, Iran, and Lebanon, Austria, Russia, Hong Kong, and the United Arab Emirates, as well the Palestinian West Bank.

It also appears to target individuals rather than the company they are employed by, Symantec said. Many of the compromised computers appear to be personal systems being used from home Internet connections, according to the security agency.

“If they get on to a home computer they could pretty much ‘Hoover up’ anything that’s on it. It’s strange to see that,” O Murchu said.
Here is another article also about the initial news release about the program.

But, yesterday, I came across this article questioning whether Flame was really a cyberwarfare weapon. It states:
With all the talk about Flame being the most powerful, ingenious and stealthy computer virus ever written, some properties of the mysterious malicious software are causing confusion.

For one thing, the program takes up 20 megabytes of space on infected machines. That's not stealthy; large files usually indicate sloppy programming. Also, unlike Stuxnet, Flame didn't come with precision targeting, and hasn't yet been credited with doing anything as impressive as hacking nuclear power plant computers. But perhaps most mysterious of all: Part of Flame’s code was written in the Lua programming language, a simple language used almost exclusively by video game programmers. Why would a nation-state trying to commit secret espionage toy with video game software?

* * *

[The link between Flame and Stuxnet is questioned] partly because the two programs were written in very different ways. Flame’s authors used Lua, something that confuses observers.

"Lua in a spy tool is just ... weird," said one Israeli programmer who uses Lua and requested anonymity. "The little snippet I've seen of the code seems so ... ordinary ... really like the work of your average programmer. Stuxnet sounded genius.”

Said another: "Lua is considered a kids language.... All I see around that is built with Lua are games. I mean, the syntax is very simple."

Not exactly the stuff of high-tech international espionage. Or is it?

Lua has been around since the 1980s, developed at the Pontifical Catholic University of Rio de Janeiro in Brazil. It was created out of necessity; at the time, trade barriers made importing software development tools too expensive. Development of Lua as a programming language remains centered in Brazil, where a small group of programmers make infrequent updates to the language. But it's become a favorite platform for a few thousand devotees around the world, who are attracted to its simplicity, its ability to play well with other software and its tiny footprint, which makes it ideal for use on embedded devices or games, where memory and space are at a premium.

Unlike other programming languages that grow in size out of necessity over time, Lua has actually shrunken in recent years, as developers have revised and refined its architecture.

Its name – Portuguese for “moon” – hints at Lua’s use as a subordinate language to attach satellite projects to larger pieces of software.

At the Lua-L discussion list, Flame talk was all the rage on Monday, as its users’ small corner of the technology world was suddenly thrust into the limelight. One even the virus "in some morbid endorsement for Lua."

"I'm a bit perplexed about the alleged high sophistication of that malware, when I see unobfuscated Lua with self-descriptive names," added a poster identified as Enrico Colombini

But longtime Lua programmer Erik Hougaard, based in Denmark, said such opinions show a fundamental misunderstanding of Lua's simple elegance as a programming tool.

"It's a well-kept secret, but it's everywhere. It's hard to pick up an Xbox game without it," said Hougaard, who now uses Lua to program robots but has also used it to create from-scratch accounting software and other financial tools at EFoqus Danmark A/S. "It's not sexy, but it's unique. It's so small you can fit it onto a single chip."

That's essential, because Lua includes both program and programming language in one tidy package -- meaning programs written in Lua will run reliably on machines as diverse as PCs and iPhones.
I would guess that if it is a cyber-espionage tool, it, or something very much like it, may be intended to run on cell-phones. Things that Iranian generals and scientists probably carry with them all of the time.

No comments:

Post a Comment