Stuxnet, Duqu, & Now Flame

Unless you’ve been off the interwebs this weekend, the big news is Kaspersky’s recent discovery of potentially the next Stuxnet and Duqu. Named Flame … it’s being called an “industrial vacuum cleaner” based on its data collection activities. Kaspersky discovered Flame as part of its Skywiper analysis associated with compromised computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company. Although Flame’s goals are quite different from Stuxnet’s and more in line with Duqu’s, it’s made a massive impact across the Middle East and Eastern Europe.

(Updated 5/29 @ 2:45)

Here are some of the notes I’ve collected so far.

  • Kaspersky was looking into another piece of malware called Skywiper when they ran into Flame. It is currently unknown if these two pieces of software are related. News outlets and security firms seem to be reporting differently, so there’s lots of confusion over this fact. For example, McAfee is using the SkyWiper nomenclature while Symantec is referring to it as Flamer.
  • The name Flame was based on the name of one of the main modules. Some AV vendors have come up with other ingenious names for this new piece of malware (e.g., Flamer … really, did they even have to go there).
  • The attack origin is unknown; however, since this isn’t the normal hacktivist or “cyber crims” (tx @isdpodcast) type of activity, many researchers are pointing to someone at a nation-state level. Based on the targets, of course, Westerners are getting blamed … with possible authors identified as either an intelligence agency or military. As noted by @damami, “Attribution is also a fundamental challenge.”
  • Flame seems to have been around for about 2 years. It’s currently in its active phase of vacuuming up data. Now if Flame is the same as SkyWiper, then it “may have been active for as long as five to eight years” according to CrySyS’s report.
  • No AV products were able to initially detect Flame. Yeah, I expected this for the “signature” aspect of AV, but I wonder what happened to heuristic scanning/behavior detection methods. With the amount of data this beast was exfiltrating, you’d think that would have tripped something. Hey, maybe AV is dead. 😉
  • Kaspersky discovered more than 600 targets, ranging from individuals to governments. Most were concentrated in the Middle East and Eastern Europe, including Iran, West Bank, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. The “network” also includes at least ten C&C servers distributed around the world that collected the vacuumed data.
  • With all modules loaded, Flame weighs in at about 20M. This is about 20x larger than Stuxnet. Based on file size, researchers have estimated a full analysis could take up to 10 years.
  • Flame appears to be collecting huge volumes of data from compromised systems. So far this information has included network traffic, screenshots, audio, and key logging.
  • Removal tools seem to be popping up, although I think the vast majority of us aren’t affected. So far I’ve come across BitDefender’s.

This news is still a developing story so here are a few more great resources to read up on.

General News Sites with Overviews

Research Sites with More Technical Detail

I’ll be continuing to update this post as I come across any new info. Very interesting overall…


